DNSSEC, need digest of UTM to add trust anchor

Question

I'm trying to enable DNSSEC on my network. I have Cloudflare -> Sophos UTM -> Windows AD. 
 Windows AD is in request routing from the UTM. 
 Windows machines have to use the AD servers for DNS, which point to UTM, which point to Cloudflare. 
 
 The problem I have is how do I configure the Windows 2016 DNS to trust UTM as a DS trust anchor? It is asking for the UTM digest and key tag, which I cannot find anywhere. 
 For Cloudflare it is right there on the dashboard, no problem. Without it, how can I make the chain work?

DouglasFoster · Answer

I have done some more experimenting today. Note that I am not attempting to implement DNS SEC for my own domain, I simply want to be protected from results that fail DNS SEC validation. Here are the results of my test. 
 Most of the commonly-used public DNS servers appear to be DNSSEC-aware. This includes 1.1.1.1 (CloudFlare), 8.8.8.8 (Google), 9.9.9.9 (Quad9), and 156.154.70.4 (Neustar's filtering DNS) 
 Test condition: 
 
 You are using a DNS client configuration that is not fully DNSSEC-aware (Windows Desktop connected to Active Directory DNS server) 
 You query a web address that is not correctly signed (www.dnssec-failed.org) 
 
 Results: 
 
 The DNSSEC-aware server will refuse to answer, returning a result of "Server Failed".] 
 The DNS client will try another server. 
 When all forwarders have been tried, it will use its root-hint server (which do not implement DNS SEC). 
 The root-hint servers will help the client obtain an address. 
 
 Consequently, if we disable the root-hint servers and repeat the test: 
 
 All forwarders will be attempted in sequence. 
 The client will receive a lookup failure result. 
 
 To test this, I used a standalone PC, and configured both of the DNS server values to be one of the above server addresses. It behaved as expected. 
 If you run a DNSSEC-aware DNS server inside your network, you have to worry about the extra bandwidth consumed by DNS SEC results. If you keep your internal network stupid, you let the remote server shelter you from that extra bandwidth. 
 Have to decide if we are gutsy enough to remove the root-hint list from all of our Active Directory DNS servers. 
 Also need find out if it is possible to disable the UTM root hints, for traffic handled by UTM.