Ref: https://learn.cantrill.io/courses/2022818/lectures/45637094
YouTube: https://www.youtube.com/watch?v=YCk2WI-Fbtk
Parent Zone Trust and DS records
- Parent zones explicitly trust the public KSK of their child zones
- Delegation of control/administration to child zones
- e.g. .org TLD delegates control of icann.org to ICANN's NSs by trusting their public KSK
- ‼️ No verification of child zone content! Only trust!

- Delegated Signer (DS) record
- 🔧 Contains a HASH of the public KSK of the child zone
- Link parent zone's trust to child zone → DNS clients can verify the trust
- DS records are signed with the parent zone's ZSK (the signature is published as an RRSIG)
Cryptographic chain of DS records up to Root Zone

- Child zone trusted by parent zone via parent's DS record… Parent zone trusted by grandparent zone via grandparent's DS record… We can go all the way up to the Root Zone
- Every step of DNS chain can be cryptographically validated → DNS chain of trust
- ❗ Root Zone's KSK pair is EXPLICITLY trusted → Trust anchor
- Every DNSSEC server trusts these keys