In short, the resolver. 

The basic steps of DNSSEC resolution and validation go like this:

1. First, the client requests an A record for example.com from its local validating recursive server.
2. The validating recursive server follows the normal recursion path from root down to the authoritative servers of the zone for example.com.
3. Next, the recursive server requests the A record from the authoritative server.
4. The authoritative server answers with the A record and corresponding RRSIG A record for example.com.
5. Then, the recursive server asks the example.com authoritative server for the DNSKEY record for the zone.
6. The authoritative server for example.com returns the DNSKEY record and corresponding RRSIG DNSKEY record for example.com.
7. Next, the recursive server asks .com for the DS record for example.com.
8. The .com server responds with the DS record and corresponding RRSIG DS record for example.com.
9. Then, the recursive server requests the DNSKEY record from the .com server.
10. The .com server responds with the DNSKEY record and corresponding RRSIG DNSKEY record.
11. Next, the recursive server requests the DS record of .com from the root servers.
12. The root servers return the DS record and corresponding RRSIG DS record for .com.
13. Then, the recursive server asks for the DNSKEY record for the root.
14. The root server returns the DNSKEY record and the corresponding RRSIG DNSKEY record for the root.
15. Finally, the recursive server uses the configured trust anchor to validate the DNSKEY record and corresponding RRSIG DNSKEY record for root. DNSSEC-aware resolvers have the necessary key for validating responses from root servers already built-in.

All of this happens on behalf of the client.