A DS RR contains a hash of a child zone's KSK and can be used as a trust anchor in some security-aware resolvers and to create a secure delegation point for a signed subzone in DNS servers. As illustrated in Figure 22.1, the DS RR in the parent zone corpxyz.com contains a hash of the KSK of the child zone sales.corpxyz.com, which in turn has a DS record that contains a hash of the KSK of its child zone, nw.sales.corpxyz.com.
Figure 22.1
| Drawio |
|---|
| border | true1 |
|---|
| viewerToolbar | true |
|---|
| fitWindow | falsebaseUrl | https://infoblox-docs.atlassian.net/wiki |
|---|
| diagramName | 22.1 |
|---|
| zoom | 1 |
|---|
| simpleViewer | false |
|---|
| widthpageId | 22252211 |
|---|
| custContentId | 7345821 |
|---|
| lbox | 1 |
|---|
| contentVer | 1 |
|---|
| revision | 1 |
|---|
|
| Drawio |
|---|
| border | true |
|---|
| viewerToolbar | true |
|---|
| fitWindow | false |
|---|
| diagramName | Arrows1 |
|---|
| simpleViewer | false |
|---|
| width | 1 |
|---|
| baseUrl | https://infoblox-docs.atlassian.net/wiki |
|---|
| diagramName | Arrows1 |
|---|
| zoom | 1 |
|---|
| pageId | 22252211 |
|---|
| custContentId | 7345815 |
|---|
| lbox | 1 |
|---|
| contentVer | 1 |
|---|
| revision | 1 |
|---|
|
The first four fields specify the owner name, TTL, class and RR type. The succeeding fields are as follows:
...
