DNSSEC Chain of Trust
Each zone vouches for the one below it. A validating resolver checks the chain bottom-up, from the answer it received back to the root trust anchor it already holds.
Diagram (Mermaid source):
flowchart TD
    Root["Root zone .
    Root KSK = trust anchor ✓
    (ships with every validator)"]:::anchor
    TLD["TLD zone .example
    DS record in root = hash of TLD KSK"]:::link
    Bank["bank.example zone
    DS record in .example = hash of bank KSK"]:::link
    Rec["www.bank.example A record
    returned to resolver: A record + RRSIG"]:::leaf
    Root -->|signs the DS for .example| TLD
    TLD -->|signs the DS for bank.example| Bank
    Bank -->|signs the A RRset| Rec
    classDef anchor fill:#2e7d32,stroke:#1b5e20,stroke-width:3px,color:#ffffff,font-size:14px
    classDef link fill:#1565c0,stroke:#0d3a73,stroke-width:2px,color:#ffffff,font-size:14px
    classDef leaf fill:#90a4ae,stroke:#455a64,stroke-width:2px,color:#ffffff,font-size:14px
    linkStyle default stroke:#1565c0,stroke-width:2.5px,font-size:14px
What the resolver does on lookup
- Receive the A RRset for www.bank.example together with its RRSIG, which bank.example's ZSK produced
- Fetch bank.example's DNSKEY RRset; verify the RRSIG over the A RRset with the ZSK, then verify the DNSKEY RRset itself with bank's KSK
- Verify bank's KSK against the DS record in .example (the DS carries a hash of the KSK, and the DS RRset is signed by .example's ZSK)
- Verify .example's DNSKEY RRset with its KSK, then that KSK against the DS record in the root
- Verify the root's DNSKEY RRset with the root KSK and compare that KSK to the configured trust anchor; if it matches, ACCEPT and mark the answer secure (AD bit set)
Any failure in a signed chain makes the answer bogus: the resolver returns SERVFAIL rather than an answer it cannot prove. A missing link is treated differently from a broken one. If the parent proves with a signed NSEC or NSEC3 record that it publishes no DS for the child, the delegation is insecure, not bogus: the resolver hands back the unsigned answer, just without the AD bit. Only a DS that matches no key, or a signature that fails to verify or is outside its validity window, is a broken link.