Validácia DNSSEC

Dobrý deň vám prajem. Mám doma server, ktorý mi okrem iného robí aj DNS (CentOS 6). Ďalej okrem iných klasické PC (Fedora 20) a snažím sa nastaviť validovanie DNSSEC.

Výpis named.conf:

acl "network" { 127.0.0.1; 192.168.1.0/24; 192.168.254.0/24; };

options
  {
    allow-query-cache { network; };
    allow-transfer { ns2.domain.tld; };
    directory "/var/named";
    minimal-responses yes;
    version none;

    dnssec-enable yes;
    dnssec-lookaside auto;
    dnssec-validation yes;
    bindkeys-file "/etc/named.iscdlv.key";
  };

include "/etc/named.root.key";

view "internal"
  {
    match-clients { network; };
    recursion yes;

    zone "."
      {
	type hint;
	file "named.ca";
      };

    dalsie_zony......
  };

view "external"
  {
    match-clients { any; };
    recursion no;

    zone "."
      {
	type hint;
	file "named.ca";
      };

    dalsie_zony......
  };

testovacie výpisy z konzoly vyzerajú takto

[user@pc ~]$ dig +multi +dnssec www.dnssec.cz @192.168.1.254

; <<>> DiG 9.9.4-P2-RedHat-9.9.4-11.P2.fc20 <<>> +multi +dnssec www.dnssec.cz @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54149
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.dnssec.cz.         IN A

;; ANSWER SECTION:
www.dnssec.cz.          7200 IN A 217.31.205.51
www.dnssec.cz.          7200 IN RRSIG A 5 3 7200 (
                                20140222132907 20140209105503 63597 dnssec.cz.
                                0uEoLree/jxfl33Q1D2S89CBkO7qz5fJbEexJGVagJc7
                                an+zyp27Oq/cbXWih8+y7+7lIcXAV9K1/zu8JucP8h63
                                f13drATFK0uAth39WvkZB/G05ylfJRoguuDHPpQO8Pqv
                                TSDxvvDFwvIgjiavTsS1ntmmWzY6NpeZyFEKuaw= )

;; Query time: 47 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: St feb 12 10:47:04 CET 2014
;; MSG SIZE  rcvd: 227

[user@pc ~]$ dig +dnssec +multi www.rhybar.cz @192.168.1.254

; <<>> DiG 9.9.4-P2-RedHat-9.9.4-11.P2.fc20 <<>> +dnssec +multi www.rhybar.cz @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14131
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.rhybar.cz.         IN A

;; Query time: 74 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: St feb 12 10:50:35 CET 2014
;; MSG SIZE  rcvd: 42

[user@pc ~]$ dig +cd +dnssec +multi www.rhybar.cz @192.168.1.254

; <<>> DiG 9.9.4-P2-RedHat-9.9.4-11.P2.fc20 <<>> +cd +dnssec +multi www.rhybar.cz @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44392
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.rhybar.cz.         IN A

;; ANSWER SECTION:
www.rhybar.cz.          429 IN A 217.31.205.51
www.rhybar.cz.          429 IN RRSIG A 5 3 600 (
                                20081030080058 20080930080058 5172 rhybar.cz.
                                XVkut4l9mw2MhodZFIOD2L57AU2u+I6wGVlK1fr6w5lo
                                cFC5NIe8ukw79jYdOCH3WwFgSMscumIz1sGqRPrN/Crh
                                XiU0ymFGFju9x/k10lv6SGS6lslgnZluet04CyibGQ2H
                                BnwTx7qK3j+bNzxKLvjpn7DY9f+YKB8F2FtwNOc= )

;; Query time: 4 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: St feb 12 10:53:26 CET 2014
;; MSG SIZE  rcvd: 227

Ale vyzerá to, že to nefunguje, respektíve, napríklad stránka http://www.dnssec.cz/ ukazuje "červený kľúč". Nájde sa dobrá duša a poradí mi niekto čo s tým?

Vopred veľmi pekne ďakujem.

Dotaz: Validácia DNSSEC