Mar 22 13:46:14 box named[31767]: validating @0x7f51bc001550: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
Mar 22 13:46:14 box named[31767]: validating @0x7f51bc001550: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
Mar 22 13:46:14 box named[31767]: error (broken trust chain) resolving './NS/IN': 192.36.148.17#53
One possibility is sometimes that your time is out of sync. Check it and fix it, but if your time is correct and you get th error, it probably is the issue mentioned below.
This happened on a new install in CentOS 7 and a default install at that. bind had the old keys, so the easy solution was just to update bind with:
yum -y update bind
bind, errors, dnskey, unable, verifies, rrset, mar, validating, bc, conf, resolving, ns, sync, install, centos, default, update, yum,