To use the signed root zone in DNSSEC validation in your BIND 9 resolvers, you must be running BIND 9.6 or higher. Earlier versions do not support the required algorithms to enable validation using the root zone's key. The recommended procedure to use differs for the BIND 9.6 series and later versions, including BIND 9.7. For BIND 9.6, you must use a trusted-keys statement, which must be manually