DNSSEC (1/2)
RFC 4033-4035

Purpose:
  - ensure the validity of DNS transactions
    (defend against spoofed responses, cache contamination, etc.)
  - also ensure the validity of negative responses
    (defend against DoS by a spoofed "NXDOMAIN")

Method: public-key based digital signatures
  - maintain per-zone key(s)
  - RRSIG RR: each RR(set)'s signature
  - zone's public key: DNSKEY RR
  - two types of zone secret keys
    - ZSK (zone signing key): signs RRs -> RRSIG
    - KSK (key signing key): signs the ZSK
  - DS: Delegation Signer
    - a hash of a child's DNSKEY RR

why DS?
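Added worked example (not part of the lecture slides): how the parent's DS record is derived from a child's DNSKEY RR, following RFC 4034 section 5.1.4 (digest over canonical owner name plus DNSKEY RDATA) and Appendix B (key tag), and how a validating resolver checks a DNSKEY it received against the DS it already trusts. Only the Python standard library is used; the DNSKEY bytes and owner names are constructed for illustration, not real keys, and the helper names are my own.

```python
"""Constructed example of DS <-> DNSKEY linkage in the DNSSEC chain of trust."""
import hashlib
import struct

# DS digest type numbers (IANA registry, RFC 4034 / RFC 4509)
DIGEST_ALGS = {1: "sha1", 2: "sha256"}

ZONE_KEY_FLAG = 0x0100  # bit 7 of the DNSKEY flags field (RFC 4034 s2.1.1)
SEP_FLAG = 0x0001       # bit 15: Secure Entry Point, conventionally set on a KSK


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): labels lower-cased,
    each prefixed by its length, terminated by a zero byte (root = b'\\x00')."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        encoded = label.encode("ascii")
        if not 1 <= len(encoded) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(encoded)]) + encoded
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit sum over the RDATA, with the carry
    folded back in. RRSIG and DS records carry it so a resolver can pick out
    which DNSKEY in the RRset to try first."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest (RFC 4034 s5.1.4): hash(canonical owner name || DNSKEY RDATA).
    The owner name is included so a key cannot be 'moved' to another zone."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """What the parent zone publishes (and signs) for the child's key."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def choose_ksks(rrset: list) -> list:
    """Keys with the SEP bit set: the KSK(s), which the parent's DS points at.
    The ZSK is not referenced by DS; it is trusted via the KSK-signed DNSKEY RRset."""
    return [r for r in rrset if struct.unpack("!H", r[:2])[0] & SEP_FLAG]


def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """Resolver-side check: is this DNSKEY (from the child's DNSKEY RRset) the one
    the trusted DS commits to? A mismatch means the key is outside the chain of
    trust and must not be used to validate RRSIGs for that zone."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & ZONE_KEY_FLAG:
        return False
    if key_tag(rdata) != ds["key_tag"] or rdata[3] != ds["algorithm"]:
        return False
    return ds_digest(owner, rdata, ds["digest_type"]) == ds["digest"]


if __name__ == "__main__":
    # Constructed child zone: a KSK (flags 257) and a ZSK (flags 256), algorithm 13.
    ksk = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
    zsk = dnskey_rdata(256, 13, b"\x09\x08\x07\x06")
    ds = make_ds("child.example.", choose_ksks([ksk, zsk])[0])
    print("DS key tag:", ds["key_tag"], "digest:", ds["digest"].hex())
    print("KSK accepted:", dnskey_matches_ds("child.example.", ksk, ds))
    print("ZSK accepted:", dnskey_matches_ds("child.example.", zsk, ds))
```

The digest covers the owner name in canonical (lower-cased) form, so `child.example.` and `CHILD.EXAMPLE` produce the same DS, while the same key published under a different name does not match.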