Chain of Trust (Root $ ightarrow$ TLD $ ightarrow$ Authoritative Zone)

#The Hierarchy of Verifiable Truth#link

We've seen that the DS record allows a parent to verify a child. But this creates a recursive question: Who verifies the parent? The answer is a 'Chain of Trust' that starts at the very top of the DNS hierarchy: The Root Zone.

The Root Anchor: The Ultimate Source

At the top of the pyramid is the Root Zone (the `.` domain). The public key for the Root Zone is called the 'Root Trust Anchor'. This key is not verified by another record—it is manually hardcoded into every DNS resolver in the world (e.g., inside BIND or Unbound software).

Once the resolver trusts the Root, the process becomes a series of delegations: 1. Root verifies the `.com` TLD via a DS record. 2. The `.com` TLD verifies `google.com` via a DS record. 3. `google.com` verifies the `www` record via an RRSIG.

Visualizing the Chain

Think of it as a series of nested envelopes. You trust the outer envelope (Root). Inside is a note saying 'I trust the person who wrote the next envelope' (TLD). Inside that is a note saying 'I trust the person who wrote the final letter' (Authoritative Zone). If any seal is broken, the whole chain is void.

The 'Island of Trust' Problem

What happens if a domain is signed with DNSSEC, but the parent TLD does not support it or refuses to publish the DS record? This creates an 'Island of Trust'. The records are signed, but there is no chain connecting them to the Root. A validating resolver will treat these records as unsigned, and the security benefits are lost.

• ▪Ensure your registrar supports DS record publishing
• ▪Verify the chain of trust using `dnsviz.net`
• ▪Keep the Root Trust Anchor updated
• ▪Avoid using a private Root for public-facing domains