Articles

How the DNSSEC Chain of Trust Validates DNS Responses (2026)

April 16, 2026 4 min read

The most surprising thing about DNSSEC validation is that it doesn’t actually prevent DNS spoofing directly; it just makes it auditable.

Let’s watch a DNSSEC validation unfold. Imagine a client, client.example.com, wants to resolve www.attacker.com.

  1. client.example.com asks its local resolver, resolver.isp.net, for www.attacker.com.
  2. resolver.isp.net doesn’t have it cached, so it asks the root DNS server for attacker.com. The root server doesn’t know www.attacker.com, but it does know who is authoritative for the .com zone. It returns a delegation, including the DS record for .com and the NS records for com., along with the DNSKEY record for the root zone (.).
  3. resolver.isp.net now asks the com. authoritative server for www.attacker.com. The com. server returns the A record for www.attacker.com and its RRSIG record (the signature for the A record). It also returns the DNSKEY record for the com. zone and the DS record for attacker.com.
  4. resolver.isp.net now has the A record, its RRSIG, and the DNSKEY for com.. It needs to verify the DNSKEY for com.. It takes the DS record for com. (which it got from the root server) and the DNSKEY for the root zone (also from the root server). It uses the root’s DNSKEY to verify the DS record for com.. If that verifies, it trusts the DNSKEY for com..
  5. Using the now-trusted DNSKEY for com., resolver.isp.net verifies the RRSIG of the A record for www.attacker.com. If this signature checks out, the resolver knows the A record is authentic from the perspective of the .com zone.
  6. Finally, resolver.isp.net needs to verify the DNSKEY for attacker.com itself. It takes the DS record for attacker.com (which it got from the com. server) and the DNSKEY for the com. zone (which it just verified). It uses the com. zone’s DNSKEY to verify the DS record for attacker.com. If that verifies, it trusts the DNSKEY for attacker.com.
  7. If the client (client.example.com) is DNSSEC-aware and has its own trust anchor for the root zone, it can perform its own validation, or it can trust its resolver if that resolver has a valid trust anchor for the root.

This process is the chain of trust. Each step relies on a cryptographic signature from a parent zone. The root zone’s DNSKEY is the ultimate trust anchor, often pre-configured into validating resolvers (or end-user clients).

The critical components are:

  • DNSKEY records: Contain the public keys for a zone, used to verify signatures.
  • RRSIG records: Contain the digital signature for a specific DNS record set (like an A record).
  • DS (Delegation Signer) records: These are stored in the parent zone and contain a hash of the child zone’s DNSKEY. This is how the parent vouches for the child’s public key.

Let’s look at actual data. Imagine resolving example.com.

A root server might give you:

.com. 172800 IN DS 12345 8 2 ABCDEF1234567890...
.com. 172800 IN DNSKEY 257 3 8 AQID...

Here, 12345 is the key tag, 8 is the algorithm (e.g., RSA/SHA-256), 2 is the digest type (e.g., SHA-256), and ABCDEF... is the digest of the .com zone’s DNSKEY. AQID... is the public DNSKEY for the root zone.

Then, the .com server would give you:

attacker.example.com. 3600 IN A 192.0.2.1
attacker.example.com. 3600 IN RRSIG 1 8 7 20231027120000 20230927120000 12345 attacker.example.com. ...
attacker.example.com. 3600 IN DNSKEY 257 3 8 FGHIJK...
attacker.example.com. 3600 IN DS 67890 8 2 LMNOPQ...

This shows the A record for attacker.example.com, its signature (RRSIG), its DNSKEY, and the DS record for attacker.example.com (which would be used by the .com zone to validate attacker.example.com’s DNSKEY).

The validation process is essentially a series of cryptographic checks: "Can I verify the signature on the DNSKEY for zone X using the DNSKEY for zone Y (which I already trust), and does that DNSKEY for zone X correctly match the DS record published for X in zone Y?"

The most common failure point is a misconfigured or missing DS record in a parent zone, or a zone administrator forgetting to sign new records or rotate keys. The validation process stops dead if a DS record is missing or incorrect, or if an RRSIG record is missing for a record set that should be signed.

If all DNSSEC validation passes, the next thing you’ll likely encounter is the need to understand how to manage DNSSEC signing for your own zones.

Want structured learning?

Take the full Dns course →