Chain of Trust (DNSSEC)
The unbroken sequence of DNSSEC signatures from the root zone down to a domain that proves a DNS answer is authentic.
The DNSSEC chain of trust is the cryptographic ladder that a validating resolver climbs to prove a DNS answer has not been forged. The resolver starts from a trust anchor it ships with: the DS (a hash) of the root zone's key-signing key. It fetches the root DNSKEY RRset and checks that a key in it matches the anchor and signs the set; the root's zone-signing key then signs the DS record that hashes the TLD's key-signing key; the TLD's DNSKEY RRset must match that DS and in turn signs the DS for the domain; finally the domain's keys sign the records in the answer. Every rung is either a signature (an RRSIG over an RRset) or a hash link (a DS in the parent naming a DNSKEY in the child). If any rung is missing or broken, for example the parent publishes a DS but the child serves no DNSKEY, or the DS still names a key the child has rolled away from, the answer is bogus and the resolver returns SERVFAIL. A parent that provably has no DS for the child (shown by an NSEC or NSEC3 record) is a different case: the child is treated as insecure rather than bogus, and the resolver returns the unvalidated answer. That distinction is why a missing DS must be proven and not merely observed; it is the gap a DNSSEC downgrade attack tries to exploit. Most DNSSEC outages come from a broken chain after a key rollover, not from active attacks. A quick way to tell a validation failure from an ordinary server failure is to query again with `dig +cd`, which sets the Checking Disabled bit: if that returns an answer while the plain query gets SERVFAIL, the chain is broken somewhere above the name.
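The walk described above, as an added example written for this entry and not taken from the page or from any resolver implementation. It models DNSSEC with Go's standard library: DNSKEY RDATA and DS digests are computed as RFC 4034 specifies (Ed25519, algorithm 15; SHA-256, digest type 2, over the canonical wire-format owner name plus the RDATA), but the RRSIG is simplified to one Ed25519 signature over owner, type and RDATA with no validity window or key tag, the trust anchor is just the root KSK digest, and a missing DS is assumed to be NSEC/NSEC3-proven. The zone names, keys and address are constructed test data; `Validate`, `BuildChain`, `Check`, `MakeDS` and the other identifiers are this example's own, not a library API.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Secure: chain intact. Insecure: a parent has no DS, so the subtree is unsigned.
// Bogus: a DS exists but the chain below it fails; a real resolver answers SERVFAIL.
type Status string

const Secure, Insecure, Bogus Status = "Secure", "Insecure", "Bogus"

// RRset with one RRSIG. Simplified: the signature covers owner|type|rdata only,
// not the full RFC 4034 layout (TTL, validity window, signer name, key tag).
type RRset struct {
	Owner, Type string
	Rdata       [][]byte
	Sig         []byte
}

func (r *RRset) signedData() []byte {
	b := append(wireName(r.Owner), r.Type...)
	for _, rd := range r.Rdata {
		b = append(append(b, byte(len(rd)>>8), byte(len(rd))), rd...)
	}
	return b
}

// wireName: canonical lower-case wire form of an owner name ("." -> {0}).
func wireName(name string) (w []byte) {
	for _, l := range strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".") {
		if l != "" {
			w = append(append(w, byte(len(l))), l...)
		}
	}
	return append(w, 0)
}

// newKey: DNSKEY RDATA (flags | protocol 3 | algorithm 15 Ed25519 | public key)
// and its private key. Flags 257 = KSK (SEP bit set), 256 = ZSK.
func newKey(flags uint16) ([]byte, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail
	return append([]byte{byte(flags >> 8), byte(flags), 3, 15}, pub...), priv
}

// MakeDS: the digest a parent publishes to name a child KSK (RFC 4034 s5.1.4,
// digest type 2): SHA-256(canonical owner name || DNSKEY RDATA).
func MakeDS(owner string, dnskey []byte) []byte {
	sum := sha256.Sum256(append(wireName(owner), dnskey...))
	return sum[:]
}

func sign(rr *RRset, priv ed25519.PrivateKey) *RRset {
	rr.Sig = ed25519.Sign(priv, rr.signedData())
	return rr
}

// verify: does some DNSKEY in keys (raw RDATA) validate rr's RRSIG?
func verify(rr *RRset, keys [][]byte) bool {
	for _, k := range keys {
		if len(k) == 4+ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(k[4:]), rr.signedData(), rr.Sig) {
			return true
		}
	}
	return false
}

// Zone: the RRsets a resolver can fetch from it, keyed "owner type" (e.g. "com. DS").
type Zone map[string]*RRset

// Validate climbs the ladder: anchor (DS of the root KSK) -> root DNSKEY -> DS for
// the TLD -> TLD DNSKEY -> ... -> the target RRset signed by the last zone in path.
func Validate(anchor []byte, zones map[string]Zone, path []string, target *RRset) Status {
	dsSet := [][]byte{anchor}
	for i, name := range path {
		keyRR := zones[name][name+" DNSKEY"]
		if keyRR == nil {
			return Bogus // the parent vouched with a DS, but the child serves no DNSKEY
		}
		var ksks [][]byte // keys that a DS from the parent actually names
		for _, k := range keyRR.Rdata {
			for _, ds := range dsSet {
				if bytes.Equal(ds, MakeDS(name, k)) {
					ksks = append(ksks, k)
				}
			}
		}
		// The DNSKEY RRset must be signed by a DS-matched KSK; only then is every
		// key in it (the ZSK included) trusted to sign this zone's other RRsets.
		if len(ksks) == 0 || !verify(keyRR, ksks) {
			return Bogus
		}
		if i == len(path)-1 {
			if verify(target, keyRR.Rdata) {
				return Secure
			}
			return Bogus
		}
		dsRR := zones[name][path[i+1]+" DS"]
		if dsRR == nil { // assumed NSEC/NSEC3-proven absence: unsigned child, not a forgery
			return Insecure
		}
		if !verify(dsRR, keyRR.Rdata) {
			return Bogus
		}
		dsSet = dsRR.Rdata
	}
	return Bogus
}

// BuildChain signs a . -> com. -> example.com. hierarchy (constructed test data) and
// returns the trust anchor, the zones, the path and example.com.'s A RRset.
func BuildChain() ([]byte, map[string]Zone, []string, *RRset) {
	path := []string{".", "com.", "example.com."}
	zones := map[string]Zone{}
	var anchor []byte
	var parentZSK ed25519.PrivateKey
	for i, name := range path {
		ksk, kskPriv := newKey(257)
		zsk, zskPriv := newKey(256)
		if i == 0 {
			anchor = MakeDS(name, ksk) // the root KSK digest is the resolver's configured anchor
		} else { // the DS lives in the parent zone, signed by the parent's ZSK
			zones[path[i-1]][name+" DS"] = sign(&RRset{Owner: name, Type: "DS", Rdata: [][]byte{MakeDS(name, ksk)}}, parentZSK)
		}
		zones[name] = Zone{name + " DNSKEY": sign(&RRset{Owner: name, Type: "DNSKEY", Rdata: [][]byte{ksk, zsk}}, kskPriv)}
		parentZSK = zskPriv
	}
	return anchor, zones, path, sign(&RRset{Owner: "example.com.", Type: "A", Rdata: [][]byte{{192, 0, 2, 1}}}, parentZSK)
}

// Check builds a fresh chain, lets mutate break it, and returns the verdict.
func Check(mutate func(map[string]Zone)) Status {
	anchor, zones, path, a := BuildChain()
	mutate(zones)
	return Validate(anchor, zones, path, a)
}

func main() {
	fmt.Println("intact chain:", Check(func(map[string]Zone) {}))
	fmt.Println("child lost its DNSKEY:", Check(func(z map[string]Zone) { delete(z["example.com."], "example.com. DNSKEY") }))
	fmt.Println("stale DS after KSK rollover:", Check(func(z map[string]Zone) {
		ksk, priv := newKey(257) // example.com. rolled its KSK; com. still serves the old DS
		z["example.com."]["example.com. DNSKEY"] = sign(&RRset{Owner: "example.com.", Type: "DNSKEY", Rdata: [][]byte{ksk}}, priv)
	}))
	fmt.Println("no DS at parent:", Check(func(z map[string]Zone) { delete(z["com."], "example.com. DS") }))
}
```

The four scenarios in `main` map onto the three verdicts a resolver can reach: the intact chain validates as Secure; a child that lost its DNSKEY, and a child that rolled its KSK while the parent still serves the old DS, are both Bogus because the parent's DS names a key the child no longer proves; and a parent with no DS at all yields Insecure, the unsigned-delegation case. Note the order of checks inside `Validate`: the DS-to-DNSKEY hash match comes first, then the DNSKEY RRset's self-signature by that matched key, and only after both does the zone's ZSK become trusted for the DS or answer RRset one rung down. A production validator adds what this model omits: RRSIG inception and expiration, key tags, the canonical RRset ordering in signed data, and a real NSEC/NSEC3 proof before treating a missing DS as Insecure rather than Bogus.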
Referenced on
- Build a DNS Resolver from Scratch in PHP
- Build a DNS Resolver from Scratch in Python
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- DNS Root Servers Explained: The 13 Servers That Run the Internet
- DNS Troubleshooting Tools: What the Pros Actually Use
- DNSSEC Adoption by TLD
- DNSSEC Downgrade Attack: How Attackers Strip Cryptographic Protection from DNS
- Free DNS Lookup Tool
- SSL/TLS Error Codes Reference and Fixes
- What Is DNSSEC and Why Should You Enable It?
- What Is SERVFAIL? Understanding DNS Server Failure Responses