delv -a with static-key trust anchor returns "broken trust chain (no valid signature found (DS))" even when validating the same zone the anchor belongs to
I have a DNSSEC-signed zone (example.com, served by my own authoritative BIND9 server) and I'm trying to validate it locally using delv with a manually-supplied trust anchor, without relying on the real DNS root or any parent-zone DS record.
What I've confirmed works
The zone is genuinely DNSSEC-signed — dig DNSKEY example.com u/127.0.0.1 returns a valid DNSKEY record, and zone transfers (AXFR) include correct RRSIG/NSEC records.
The DNSKEY value in my trust-anchor file matches the live server's DNSKEY byte-for-byte (verified via diff and a hex dump, just to rule out transcription errors).
What I'm trying to do
Build a standalone trust-anchor file:
trust-anchors {
example.com. static-key 257 3 13 "";
};
And validate against it:
delv u/127.0.0.1 -a /path/to/anchor.trust +root=example.com SOA example.com
Expected result
; fully validated
Actual result
;; validating example.com/DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving 'example.com/DNSKEY/IN': 127.0.0.1#53
;; broken trust chain resolving 'example.com/SOA/IN': 127.0.0.1#53
;; resolution failed: broken trust chain
What I think is happening
Using +rtrace, I can see delv is specifically trying to validate the zone's own DNSKEY record by looking for a DS record — but no DS record exists anywhere (no parent-zone delegation, this is an isolated/private zone not chained to any real parent).
From man delv:
"-a anchor-file: This option specifies a file from which to read DNSSEC trust anchors... Keys that do not match the root zone name are ignored. An alternate key name can be specified using the +root option."
I interpreted this to mean +root=example.com should let delv treat my anchor as the top-level trust point for that name — essentially "trust this key directly, don't require a DS chain above it." But in practice, delv still attempts DS validation regardless of +root.
My question
Is it actually possible to get delv -a + static-key to fully validate a zone with no DS record anywhere in the chain (i.e., a deliberately "island" zone with no real parent delegation)? Or does +root= not do what I think it does, and is there a different flag/anchor-type combination needed to bypass the DS requirement entirely for a self-contained, locally-trusted zone?
Environment
BIND 9.18.39 (Ubuntu 24.04 LTS, Extended Support)
delv from the bind9-dnsutils package