-50
nData in zone can be trusted if
signed by a Zone-Signing-Key
nZone-Signing-Keys can be trusted
if signed by a Key-Signing-Key
nKey-Signing-Key can be trusted if
pointed to by trusted DS
record
nDS record can be trusted
uif signed by the parents
Zone-Signing-Key
or
uDS or Key records can be trusted
if exchanged out-of-band
and locally stored (Secure entry point)
Chain of Trust Verification, Summary