RFC 4033: DNS Security Introduction and Requirement...
RFC-Ref

authentication key



... "subzone.example." Authentication Key: A public key that a security-aware resolver has ...
... authenticate data. A security-aware resolver can obtain authentication keys in three ways. First, the resolver is generally configured to know about at least one public key ...
... security or its descendents can only be authenticated if its authentication keys can be authenticated by some trusted means out of band from the DNS ...
... Key Signing Key (KSK): An authentication key that corresponds to a private key used to sign one or more other authentication keys ...
... authentication key that corresponds to a private key used to sign one or more other authentication keys for a given zone. Typically, the private key corresponding to a key ...
... period in order to provide a more stable secure entry point into the zone. Designating an authentication key as a key signing key is purely an operational issue: DNSSEC validation ...
... signing keys and other DNSSEC authentication keys, and it is possible to use a single key as both a key signing key and a zone signing key ...
... Zone Signing Key (ZSK): An authentication key that corresponds to a private key used to sign a zone. Typically, a zone signing key ...
... validity lifetime. Designating an authentication key as a zone signing key is purely an operational issue; DNSSEC validation ...
... zone signing keys and other DNSSEC authentication keys, and it is possible to use a single key as both a key signing key and a zone signing key ...


... resolution, the target key itself has to be signed by either a configured authentication key or another key that has been authenticated ...


... also be capable of forming an authentication chain from a newly learned zone back to an authentication key, as described above. This process might require additional queries to intermediate DNS zones ...


... security-aware resolver cannot obtain and validate the authentication keys it needs, then the security-aware resolver cannot validate ...


