According to http://backreference.org/2010/11/17/dnssec-verification-with-dig/:
Obtain root keys. You can do this with dig on an unpoisoned machine:
dig . DNSKEY | grep -Ev '^($|;)' > root.keys
Verify your target dns record:
dig +sigchase +trusted-key=./root.keys www.eurid.eu. A | cat -n
The other alternative is to set up a validating DNS resolver like unbound. I use it to provide DNSSEC security on desktop machines. It's easily available in Fedora 17. Or BIND in Debian 7.0. I forget whether there are debian packages which set up unbound for you, but it's not hard to do manually either.
Then run dig against your secure resolver, and it will show a flat error (SERVFAIL, I think) if there are invalid results. You can also configure unbound to log details about each validation failure.