
authentication chain

Abbreviation(s) and Synonym(s):

Chain of Trust


  An alternating sequence of DNS public key (DNSKEY) RRsets and Delegation Signer (DS) RRsets forms a chain of signed data, with each link in the chain vouching for the next. A DNSKEY RR is used to verify the signature covering a DS RR and allows the DS RR to be authenticated. The DS RR contains a hash of another DNSKEY RR, and this new DNSKEY RR is authenticated by matching the hash in the DS RR. This new DNSKEY RR, in turn, authenticates another DNSKEY RRSet and, in turn, some DNSKEY RR in this set may be used to authenticate another DS RR, and so forth until the chain finally ends with a DNSKEY RR whose corresponding private key signs the desired DNS data. For example, the root DNSKEY RRSet can be used to authenticate the DS RRSet for “example.” The “example.” DS RRSet contains a hash that matches some “example.” DNSKEY, and this DNSKEY’s corresponding private key signs the “example.” DNSKEY RRSet. Private key counterparts of the “example.” DNSKEY RRSet sign data records such as “www.example.” as well as DS RRs for delegations such as “subzone.example.”
NIST SP 800-81-2 under Authentication Chain
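
The DS-to-DNSKEY hash link described in the definition above, as an added example that is not part of the NIST text. It follows the DS digest and key tag construction from RFC 4034 with SHA-256 (digest type 2), covers only the hash-matching step and not RRSIG signature verification, and uses hypothetical function names and constructed key bytes.

```python
import hashlib
import hmac
import struct

ZONE_KEY_FLAG = 0x0100      # DNSKEY flags bit 7: key may sign zone data
SHA256_DIGEST_TYPE = 2      # DS digest type 2 = SHA-256

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata):
    """Build the DS fields a parent zone would publish for this child DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": SHA256_DIGEST_TYPE, "digest": digest}

def ds_authenticates(owner, ds, rdata):
    """True only if the (already authenticated) DS vouches for this DNSKEY."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & ZONE_KEY_FLAG:                 # DS must point at a zone key
        return False
    if ds["digest_type"] != SHA256_DIGEST_TYPE:   # other digest types not handled
        return False
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(expected, ds["digest"])

# Constructed sample: flags 257, protocol 3, algorithm 13, 64 placeholder key bytes.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DS = make_ds("example.", SAMPLE_RDATA)

if __name__ == "__main__":
    print(SAMPLE_DS["key_tag"], SAMPLE_DS["digest"].hex())
    print(ds_authenticates("example.", SAMPLE_DS, SAMPLE_RDATA))
```

A validator treats a DNSKEY as authenticated only when this check passes against a DS RRset whose own signature has already been verified by the parent zone's key.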

  See “authentication chain.”
NIST SP 800-81-2 under Chain of Trust

  A method for maintaining valid trust boundaries by applying a principle of transitive trust, where each software module in a system boot process is required to measure the next module before transitioning control.
NISTIR 8320 under Chain of Trust