What is the DNSSEC chain of trust?
The DNSSEC (Domain Name System Security Extensions) chain of trust is a verified electronic signature, or handshake, at each DNS lookup node. In other words, it is a chain of lookups validated by the domain name's digital signature that secures the request through all lookup nodes. This ensures that no rogue or illicit player can slip into the lookup path and redirect the lookup to a bogus site.
Here's an example of using your browser to visit coolexample.org:
- Your lookup request goes to the domain name's root server and asks for the location of .org domain names. The root server, which is DNSSEC-aware, indicates the registry for .org domain extensions, PIR.
- The lookup asks PIR, the .org domain name registry and currently DNSSEC-aware, for the location of coolexample.org.
- PIR points the lookup to the authoritative DNS server for coolexample.org. This authoritative nameserver must also be DNSSEC-aware to continue the chain.
- The authoritative DNS server provides the requested address to you and your computer.
From your local computer to the authoritative nameserver for the requested URL and back, a digital signature (or handshake) at each node insures that your request provides the website you requested and that the request is not intercepted by rogue operators along the way.