anchor
... public key as found in the
DS RR (see "trust anchor"). Second, the resolver may use an
authenticated public key ...
... DNS response. In general, a validating resolver will have to
obtain the initial values of its trust anchors via some secure or
trusted means outside the DNS protocol. Presence of a trust
anchor ...
... trust anchors via some secure or
trusted means outside the DNS protocol. Presence of a trust
anchor also implies that the resolver should expect the zone to
which the trust anchor points to be signed.
...
... DNS protocol. Presence of a trust
anchor also implies that the resolver should expect the zone to
which the trust anchor points to be signed.
Unsigned Zone: A zone that is not signed.
...
... security-aware resolver can learn a zone's public key either by
having a trust anchor configured into the resolver or by normal DNS
resolution. To allow the latter, public keys ...
... which in turn either has been configured into the resolver or must
have been learned and verified previously. Therefore, the resolver
must be configured with at least one trust anchor.
If the configured trust anchor ...
... trust anchor.
If the configured trust anchor is a zone signing key, then it will
authenticate ...
... authenticate a zone signing key. If the
configured trust anchor is the hash of a key rather than the key
itself, the resolver may have to obtain the key via a DNS query ...
... A validating resolver can determine the following 4 states:
Secure: The validating resolver has a trust anchor, has a chain of
trust, and is able to verify all the signatures ...
... signatures in the response.
Insecure: The validating resolver has a trust anchor, a chain of
trust, and, at some delegation ...
... insecure.
Bogus: The validating resolver has a trust anchor and a secure
delegation indicating that subsidiary data is signed, but the
...
... forth.
Indeterminate: There is no trust anchor that would indicate that a
specific portion of the tree is secure. This is the default
...
... RRSIG records. A security-aware
resolver should be configured with at least one trust anchor as the
starting point from which it will attempt to establish authentication ...
