A DS RR contains a hash of a child zone's KSK and can be used as a trust anchor in some security-aware resolvers and to create a secure delegation point for a signed subzone in DNS servers. As illustrated in Figure 22.1, the DS RR in the parent zone corpxyz.com contains a hash of the KSK of the child zone sales.corpxyz.com, which in turn has a DS record that contains a hash of the KSK of its child zone, nw.sales.corpxyz.com.
Figure 22.1 Place for Fig. 22.
| Drawio |
|---|
| border | true |
|---|
| viewerToolbar | true |
|---|
| |
|---|
| fitWindow | false |
|---|
| diagramName | 22.1 |
|---|
| simpleViewer | false |
|---|
| width | |
|---|
| revision | 1 |
|---|
|
| Drawio |
|---|
| border | true |
|---|
| viewerToolbar | true |
|---|
| |
|---|
| fitWindow | false |
|---|
| diagramName | Arrows1 |
|---|
| simpleViewer | false |
|---|
| width | |
|---|
| revision | 1 |
|---|
|
...
