Add root zone trust anchor validation to DNSSEC chain verification

[Copilot]

Implementation Complete: Root Trust Anchor Validation

Summary

Successfully implemented root trust anchor validation to fix a critical DNSSEC security vulnerability where the resolver was not validating the root zone DNSKEY against a trust anchor.

Changes Made

• Review current DNSSEC validation logic and identify where root zone validation is missing
• Add embedded root trust anchors (KSK 20326) in the code
• Implement root zone DNSKEY validation against trust anchors in authchain.go
• Add trust anchor to Resolver struct and initialize it in NewResolver
• Update Verify method to accept and use trust anchor for root zone validation
• Update all calls to authChain.Verify to pass trust anchor
• Create test cases for root zone trust anchor validation (5 new tests, all passing)
• Verify build and existing tests pass
• Update documentation to explain root zone trust anchor validation
• Address all code review feedback
• Run security scan with CodeQL (0 vulnerabilities found)
• Fix trustanchor test compilation issues

Security Impact

This fix prevents a critical attack vector where a misbehaving DNS server could spoof the entire DNS chain up to the root zone, which the resolver would previously accept as valid. Now the entire DNSSEC chain of trust is validated from the queried domain all the way to the root, ensuring full compliance with DNSSEC validation requirements per RFC 4033 and RFC 4034.

Code Quality

• All tests pass (31/31) ✅
• CodeQL security scan: 0 vulnerabilities ✅
• Code review feedback addressed ✅
• Documentation updated ✅
• Build successful ✅

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Missing root trust anchor</issue_title>
<issue_description>I can't find any references to the root zone being checked.

Typically the signature of the root zone is validated with a trust anchor (e.g.: in /usr/share/dnssec-root/trusted-key.key).

By not validating the signature of the root zone, a misbehaving server can simply spoof the entire chain all the way up to the root, at which point this implementation will consider the entire chain to be valid.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Missing root trust anchor #10

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[peterzen]

@copilot Run test suite and fix trustanchor test case .

[Copilot]

@copilot Run test suite and fix trustanchor test case .

Fixed in commit 1c87a3f. The test was incorrectly trying to call NewSignedZone() which doesn't exist - the actual function is lowercase newSignedZone() and is internal. Updated the tests to create SignedZone instances directly. All tests now pass (31/31).