Walking the Chain of Trust

Locally configured
  Trusted key: . 8907

$ORIGIN .
.             KEY (…) 5TQ3s… (8907) ; KSK  [1]
              KEY (…) lasE5… (2983) ; ZSK
              SIG KEY (…) 8907 . 69Hw9..  ; [2]
net.          DS  7834 3 1ab15…  ; [3]
              SIG DS (…) . 2983

$ORIGIN net.
net.          KEY (…) q3dEw… (7834) ; KSK  [4]
              KEY (…) 5TQ3s… (5612) ; ZSK
              SIG KEY (…) 7834 net. cMaso3Ud...  ; [5]
ripe.net.     DS  4252 3 1ab15…  ; [6]
              SIG DS (…) net. 5612

$ORIGIN ripe.net.
ripe.net.     KEY (…) rwx002… (4252) ; KSK  [7]
              KEY (…) sovP42… (1111) ; ZSK
              SIG KEY (…) 4252 ripe.net. 5tUcwU...  ; [8]
www.ripe.net. A 193.0.0.202  ; [9]
              SIG A (…) 1111 ripe.net. a3Ud...

0. The root (".") KSK is manually configured into all resolvers as a "trusted key".
1. The root zone itself contains the KSK and the ZSK (2983)
2. ...  and the signature over the ZSK _with_ (by) the trusted KSK.
3. The DS record of the child ("net") is signed with the ZSK (note: italic style).
---
4. DS record in the "root" zone points to the KSK of the "net" zone.
5. With the KSK, the ZSK of the "net" zone is signed, which produces the SIG record over the ZSK (by the KSK).
6. ZSK is also used to sign the DS record of "ripe(.net)".
---
All over again:
7. The DS record in the parent ("net") points to the KSK of "ripe.net". "ripe.net" has two keys: KSK and ZSK.
8. The KSK is used to sign the ZSK (hence, SIGnature by KSK over ZSK).
9. The ZSK (italic) is used to sign the zone data, including the A record for "www" (hence, SIGnature by ZSK over A).
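
The walk in steps 0 to 9, as an added example that is not part of the original slides: a Python sketch that follows the slide's key tags from www.ripe.net. up to the locally configured root key and fails when any link is missing. Signatures are modelled only as "signed by key tag N" (no cryptographic verification is performed), and the names validated_keys, validate and ChainBroken are hypothetical.

```python
# Added example: signatures are modelled as "signed by key tag N"; no crypto is performed.
TRUSTED = {".": {8907}}  # step 0: locally configured trusted key

# Key tags in each zone's KEY set, and the tag that signed that KEY set (from the slide)
ZONES = {
    ".":         {"keys": {8907, 2983}, "keyset_signer": 8907},   # steps 1-2
    "net.":      {"keys": {7834, 5612}, "keyset_signer": 7834},   # step 5
    "ripe.net.": {"keys": {4252, 1111}, "keyset_signer": 4252},   # step 8
}
# child zone -> (parent zone, key tag the DS points to, parent key tag that signed the DS)
DS = {
    "net.":      (".",    7834, 2983),   # steps 3-4
    "ripe.net.": ("net.", 4252, 5612),   # steps 6-7
}
ANSWER = {"name": "www.ripe.net.", "type": "A", "zone": "ripe.net.", "signer": 1111}  # step 9


class ChainBroken(Exception):
    """Raised when a link between the answer and the trusted key is missing."""


def validated_keys(zone, zones=ZONES, ds=DS, trusted=TRUSTED):
    """Return the key tags of `zone` the resolver may trust, walking up to the anchor."""
    if zone in trusted:
        anchors = trusted[zone]
    elif zone in ds:
        parent, ds_tag, ds_signer = ds[zone]
        # The DS is only usable if a validated key of the parent signed it.
        if ds_signer not in validated_keys(parent, zones, ds, trusted):
            raise ChainBroken(f"DS for {zone} is not signed by a validated key of {parent}")
        anchors = {ds_tag}
    else:
        raise ChainBroken(f"no trusted key and no DS for {zone}")
    signer = zones[zone]["keyset_signer"]
    # The KEY set must be signed by the key the anchor (trusted key or DS) points to.
    if signer not in anchors or signer not in zones[zone]["keys"]:
        raise ChainBroken(f"KEY set of {zone} is not signed by an anchored KSK")
    return zones[zone]["keys"]


def validate(answer, zones=ZONES, ds=DS, trusted=TRUSTED):
    """True if the answer's signature traces back to the locally configured trusted key."""
    if answer["signer"] not in validated_keys(answer["zone"], zones, ds, trusted):
        raise ChainBroken(f"{answer['name']} is not signed by a validated key")
    return True


if __name__ == "__main__":
    print(validate(ANSWER))
```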