DNSSEC and caching nameserver

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

DNSSEC and caching nameserver

Post by AliceWonder » 2015/04/09 23:52:20

I am trying to use dig to validate DNSSEC results.

When I point dig at my ISP nameserver, it fails claiming

;; RRSIG of DNSKEY is missing to continue validation: FAILED

Same thing when I point dig at Google's public nameservers.

However when I point dig at bind.odvr.dns-oarc.net it works.

So I am attempting to set up a bind caching nameserver on my local LAN that works with DNSSEC and so far, I'm not having any luck - I end up with the same results as trying to use my ISP's or Google's public nameserver.

What am I missing that is needed to run a bind caching nameserver that is actually *truly* DNSSEC aware?

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: DNSSEC and caching nameserver

Post by AliceWonder » 2015/04/09 23:59:20

dig @bind.odvr.dns-oarc.net +topdown +sigchase domblogger.net.

That's the dig command that works. Replace @bind.odvr.dns-oarc.net with @localhost (or Google's public or my ISP's) and it fails.

I really would like it to work with localhost, at least until my ISP updates their nameserver.

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: DNSSEC and caching nameserver

Post by AliceWonder » 2015/04/10 00:23:29

When it fails using local bind:

;; RRSIG of DNSKEY is missing to continue validation: FAILED

I've been through the /var/named/chroot/etc/named.conf file numerous times and I can't figure out what setting I'm missing for it to do DNSSEC properly and validate a signature.

Clearly it can be done, bind.odvr.dns-oarc.net is doing it.

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: DNSSEC and caching nameserver

Post by AliceWonder » 2015/04/10 01:49:22

dig @localhost +sigchase +trusted-key=~/root.keys domblogger.net

That works. So it seems for whatever reason, dig isn't able to get the trusted root keys from my local bind.
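An added example, not from the thread: +sigchase validates inside dig and therefore needs its own trust anchor (+trusted-key), whereas a validating resolver signals its own validation with the AD flag in the header of a +dnssec query. These helpers read that flag and the RRSIG records out of dig output, and check a named.conf text for BIND's `dnssec-validation auto;` / `yes;` option; the dig output and config fragment below are constructed samples.

```shell
# 0 if the dig output on stdin has "ad" among the header flags, else 1.
dnssec_ad_flag() {
    sed -n 's/^;; flags: *\([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx 'ad'
}

# 0 if the ANSWER section carries an RRSIG record (DNSSEC data was passed
# through, i.e. the query set the DO bit via +dnssec), else 1.
answer_has_rrsig() {
    awk '/^;; ANSWER SECTION:/{a=1; next} /^;;/{a=0}
         a && $4=="RRSIG"{f=1} END{exit f ? 0 : 1}'
}

# 0 if a named.conf text on stdin enables validation, else 1.
named_conf_validates() {
    grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+(auto|yes)[[:space:]]*;'
}

# Constructed sample: what a validating resolver returns (flags include "ad").
VALIDATING_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.  300  IN  A      192.0.2.10
example.net.  300  IN  RRSIG  A 8 2 300 20150501000000 20150401000000 12345 example.net. ZmFrZQ=='

# Constructed sample: a resolver that neither validates nor returns RRSIGs.
NONVALIDATING_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.  300  IN  A      192.0.2.10'

# Live use (needs network), e.g. against the local caching bind:
#   dig @localhost +dnssec domblogger.net A | dnssec_ad_flag && echo validated
```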
