A trust anchor is also required for DNSSEC validation.
getdns version 1.2 includes support for automatic trust anchor management - see 'zero Zero configuration DNSSEC' . We plan to improve DNSSEC support in a future release so that errors in configuration are reported to the userwhich will automatically fetch a trust anchor is none is present on the system. See that link for the specific details of key management for DNSSEC.
If using a version of getdns earlier than 1.2 then DNSSEC support also requires that a trust anchor is must be manually installed and managed on the system. We recommend using unbound-anchor.