A public key that a DNSSEC-aware resolver has verified and can therefore use to authenticate data. A DNSSEC-aware resolver can obtain authentication keys in three ways. First, the resolver generally is configured to know about at least one public key; this configured data usually is either the public key itself or a hash of the public key as found in the DS RR (see “trust anchor”). Second, the resolver may use an authenticated public key to verify a DS RR and the DNSKEY RR to which the DS RR refers. Third, the resolver may be able to determine that a new public key has been signed by the private key corresponding to another public key that the resolver has verified. Note that the resolver must always be guided by local policy in deciding whether to authenticate a new public key, even if the local policy is simply to authenticate any new public key for which the resolver is able verify the signature.
NIST SP 800-81-2