[dns-operations] Signed root zone published, now what?

Chris Adams cmadams at hiwaay.net
Fri Jul 16 17:00:04 UTC 2010

I'm a system admin that manages DNS resolvers, but doesn't concentrate
on DNS on a daily basis (one of many I'm sure).  I've been following
DNSSEC updates, but hadn't really put in the time to learn much until
the root was signed.  Now that this has been done, I'm trying to figure
out: what next?  What am I supposed to do, both today and as part of
on-going maintenance tasks?

I fetched the root-anchors.xml file, validated it with GPG, converted it
to .txt, and installed it in my Unbound config using the
"auto-trust-anchor-file" option.  As I understand DNSSEC, this means the
server will automatically fetch new root keys as they are published,
right?  Does that mean that under normal conditions (e.g. no key
compromise, loss, etc.), that's it?

I read that there will be quarterly key-signing ceremonies; the results
of those key-signings are what are released through RFC5011 updates,

Is there a good "best practices" for implementing and managing DNSSEC
for resolvers?  It seems much of what I found is targeted at
authoritative servers (which I'll look at once .com is signed I guess).
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
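The conversion step in the post (root-anchors.xml to a .txt trust-anchor file that Unbound's auto-trust-anchor-file option reads) is the place where a resolver operator can quietly break validation: an expired, not-yet-valid or mistyped anchor turns every signed answer into SERVFAIL. The script below is an added example for this thread, not code from the original poster, Unbound or IANA. It parses the KeyDigest entries, keeps only those whose validFrom/validUntil window covers the current time, sanity-checks each digest against its DigestType, and emits DS-format lines, which is one of the record formats Unbound accepts in a trust-anchor file. The XML embedded here is a constructed sample in the shape of the IANA file; its key tags and digests are placeholders, not the real root KSK values, which must come from the GPG-verified download.

```python
"""Convert a root-anchors.xml file into DS-format trust-anchor lines for Unbound.

Added example (not from the original post, Unbound or IANA). SAMPLE_XML is a
constructed stand-in with placeholder key tags and digests.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Expected hex length of the digest per DS digest type: 1 = SHA-1, 2 = SHA-256.
DIGEST_HEX_LEN = {1: 40, 2: 64}

# Constructed sample shaped like root-anchors.xml; tags/digests are placeholders.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="example-placeholder" source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kretired" validFrom="2000-01-01T00:00:00+00:00" validUntil="2005-01-01T00:00:00+00:00">
    <KeyTag>11111</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{retired}</Digest>
  </KeyDigest>
  <KeyDigest id="Kcurrent" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>22222</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{current}</Digest>
  </KeyDigest>
</TrustAnchor>
""".format(retired="A" * 64, current="B" * 64)


def parse_time(value):
    """Parse an ISO-8601 attribute; a trailing 'Z' is normalised to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def anchors_to_ds(xml_text, now=None):
    """Return the DS lines (". IN DS tag alg type digest") valid at `now`.

    `now` may be an aware datetime, an ISO-8601 string, or None (current time).
    Entries outside their validity window are skipped; a digest whose length or
    alphabet does not match its DigestType is rejected rather than written out,
    because a bad anchor makes the resolver fail every validated lookup.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_time(now)

    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    if zone != ".":
        raise ValueError(f"unexpected zone {zone!r}; expected the root zone '.'")

    records = []
    for kd in root.findall("KeyDigest"):
        anchor_id = kd.get("id", "?")
        if now < parse_time(kd.get("validFrom")):
            continue  # pre-published for a future rollover, not usable yet
        valid_until = kd.get("validUntil")
        if valid_until and now >= parse_time(valid_until):
            continue  # retired key
        tag = int(kd.findtext("KeyTag"))
        alg = int(kd.findtext("Algorithm"))
        dtype = int(kd.findtext("DigestType"))
        digest = kd.findtext("Digest").strip().upper()
        if dtype not in DIGEST_HEX_LEN:
            raise ValueError(f"unknown digest type {dtype} in anchor {anchor_id}")
        if len(digest) != DIGEST_HEX_LEN[dtype] or any(c not in "0123456789ABCDEF" for c in digest):
            raise ValueError(f"malformed digest in anchor {anchor_id}")
        records.append(f". IN DS {tag} {alg} {dtype} {digest}")

    if not records:
        # Writing an empty anchor file would leave the resolver with nothing to trust.
        raise ValueError("no anchor is valid at the requested time; refusing to emit an empty file")
    return records


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for line in anchors_to_ds(source):
        print(line)
```

Run it against the GPG-verified root-anchors.xml and redirect the output to the file named in auto-trust-anchor-file; Unbound needs write access to that file, since RFC 5011 tracking rewrites it as new keys are seen. If the script raises instead of printing, the download or the conversion is wrong and the resolver should not be restarted with the result.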