DNS Checker(beta)

Trust Anchor

The root public key that a DNSSEC-validating resolver trusts implicitly, used as the starting point for the chain of trust.

A trust anchor is a public key that a validator accepts as authentic without further verification: the root of the trust tree. For DNSSEC, every validating resolver on Earth ships with the IANA-published root zone KSK as its trust anchor. From there, the resolver can follow DS records down through TLDs to individual domains. The root KSK is rotated rarely (the famous 2018 rollover from KSK-2010 to KSK-2017 took years of preparation), and resolvers pick up a new key through RFC 5011 automated trust anchor updates. A wrong or outdated trust anchor breaks DNSSEC validation for the entire internet from that resolver's perspective.
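The following Python sketch is an added example, not code from this page or from any resolver. It shows how a validator can compare a root DNSKEY against DS-style trust anchors (key tag, algorithm, SHA-256 digest) and why a resolver holding only the old anchor rejects the new key after a rollover. The function names and the key material are constructed for illustration; they are not the real root KSKs.

```python
import hashlib
import struct

ROOT_OWNER_WIRE = b"\x00"          # the root zone name "." in DNS wire format
ZONE_KEY, REVOKE = 0x0100, 0x0080  # DNSKEY flag bits (RFC 4034, RFC 5011)

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Build DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_anchor(rdata):
    """DS-style anchor: key tag, algorithm, SHA-256 over owner name + RDATA."""
    digest = hashlib.sha256(ROOT_OWNER_WIRE + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def check_root_key(rdata, anchors):
    """Decide whether a DNSKEY served for the root matches a configured anchor."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & ZONE_KEY:
        return "rejected: not a zone key"
    if flags & REVOKE:
        return "rejected: key is revoked"
    if make_anchor(rdata) in anchors:
        return "trusted"
    return "rejected: no matching trust anchor"

# Constructed key material standing in for an old and a new root KSK.
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(32)))
NEW_KSK = dnskey_rdata(257, 3, 8, bytes(range(32, 64)))

if __name__ == "__main__":
    stale = [make_anchor(OLD_KSK)]  # resolver that never learned the new key
    current = [make_anchor(OLD_KSK), make_anchor(NEW_KSK)]
    print(check_root_key(NEW_KSK, stale))
    print(check_root_key(NEW_KSK, current))
```

A real validator additionally verifies the RRSIG over the root DNSKEY RRset with the matched key; this sketch covers only the anchor comparison.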
