Information
For each authoritative domain ensure the digital signatures are is fully trusted starting from the root zone.
Rationale:
In order for the the digital signatures to be trusted by other systems, The parent zone must be a DS (delegated signer) record that verifies the authenticity of the child zones KSK (key signing key). The delegated signature forms a chain of trust, delegated down from the root zone.
Solution
If the zone has a valid signature but the signature is not trusted, the delegation from the parent zone, or the registrar may not be properly configured. Check with your parent zone administrator or with your name registrar's process to be sure the required information has been provided and that sufficient time has been allowed for new DS record to propagate. Each registrar may have slightly different processes. Generating a DS record from the KSK will likley provide some of the required information.
# dnssec-dsfromkey -a SHA-256 Kexample.com.+013+09798.key
example.com. IN DS 9798 13 2 D9AA106E44 . . .