An alternating sequence of DNS public key (DNSKEY) RRsets and Delegation Signer (DS) RRsets forms a chain of signed data, with each link in the chain vouching for the next. A DNSKEY RR is used to verify the signature covering a DS RR and allows the DS RR to be authenticated. The DS RR contains a hash of another DNSKEY RR, and this new DNSKEY RR is authenticated by matching the hash in the DS RR. This new DNSKEY RR, in turn, authenticates another DNSKEY RRSet and, in turn, some DNSKEY RR in this set may be used to authenticate another DS RR, and so forth until the chain finally ends with a DNSKEY RR whose corresponding private key signs the desired DNS data. For example, the root DNSKEY RRSet can be used to authenticate the DS RRSet for “example.” The “example.” DS RRSet contains a hash that matches some “example.” DNSKEY, and this DNSKEY’s corresponding private key signs the “example.” DNSKEY RRSet. Private key counterparts of the “example.” DNSKEY RRSet sign data records such as “www.example.” as well as DS RRs for delegations such as “subzone.example.”.
NIST SP 800-81-2