Practices

- Configure a "secure" cache server
  - we need another instance of named
  - let the authoritative server listen on 10.0.x.y only
  - configure another named.conf for caching, listening on 127.0.0.1 only
  - add 'dnssec-enable yes;' for the caching server as well
- Ask the caching server for names under the secure zone
  - both existent and non-existent
  - check the server-side log (use '-d 3')
- (Optional) Tweak the RRSIG or DS so that the auth server returns invalid data
  - what happens?
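
An added example (not part of the original exercise) for the query steps above: a shell helper that reads "dig +dnssec" output from the caching server on 127.0.0.1 and classifies the reply by its status and AD flag. The function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a dig reply by its header (status + AD flag).
# classify_reply reads dig output on stdin and prints one of:
#   secure            NOERROR with AD set (answer validated by the cache)
#   secure-denial     NXDOMAIN with AD set (non-existence validated)
#   bogus-or-failure  SERVFAIL (a validating cache returns this when the
#                     RRSIG/DS chain does not verify)
#   unvalidated       reply without AD (the cache did not validate it)
classify_reply() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)   # drop the label
            sub(/;.*$/, "", flags)         # keep only the flag words
            ad = (index(" " flags " ", " ad ") > 0)
        }
        END {
            if (status == "")              print "no-reply"
            else if (status == "SERVFAIL") print "bogus-or-failure"
            else if (status != "NOERROR" && status != "NXDOMAIN")
                                           print "other:" status
            else if (!ad)                  print "unvalidated"
            else if (status == "NXDOMAIN") print "secure-denial"
            else                           print "secure"
        }'
}

# check_name NAME [TYPE]: ask the caching server (127.0.0.1) with DO set.
check_name() {
    dig @127.0.0.1 +dnssec "$1" "${2:-A}" | classify_reply
}

# Constructed sample headers (not captured from a real server).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DENIAL=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_SECURE" "$SAMPLE_DENIAL" "$SAMPLE_BOGUS" "$SAMPLE_PLAIN"; do
    printf '%s\n' "$s" | classify_reply
done
```

On the lab machine, run check_name for an existent and a non-existent name under the secure zone, and compare each result with what named logs at '-d 3'.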