Trust Anchor In DNS: What It Is and Why It Matters

When looking at the Domain Name System (DNS) Analysis for June 2025, one of the report’s key insights was that the trust anchor (TA) lookups increased by 26.9% along with the DNSSEC lookaside validation (DLV) 25.6% growth and the Responsible Party (RP) 28.2% growth. These gains indicate continued industry efforts to harden DNS against tampering and spoofing.

Recent research provides some insights into why these numbers in the Vercara DNS Analysis report matter to an organizations security. The research found that between March 27 and September 21, 2024, 6,729 new records processed were flagged as DNS hijacking, resulting in an average of 38 DNS hijack records per day. While these DNS hijack cases primary existed for malicious actors to engage in cybercriminal activities, threat actors can also use DNS hijacking for cyber espionage.

The increased use of trust anchor lookups which indicates efforts to leverage DNS Security Extensions (DNSSEC), the configurations that protect digital infrastructures, show that organizations are recognizing that these are more than magical inputs, especially when security and network teams dig into the individual elements.

At the core of DNS operations, trust anchors serve as essential elements that establish and affirm a chain of trust for domain name queries that help implement cryptographic keys. Without trust anchors, network and internet communications would be far less secure. With insight into what trust anchors do and how they improve security, organizations can better understand why the June 2025 increase in TA lookups indicates an attempt to mitigate DNS tampering and spoofing risks.

What Is a Trust Anchor in DNS?

In DNS, a trust anchor is a component of DNSSEC validation that ensures DNS data’s integrity and authenticity. As a public cryptographic key, it serves as a security entry point for authenticating DNS responses. Typically, non-authoritative DNS servers install trust anchors to enable DNSSEC validation, verifying DNS data legitimacy from designated zones.

At a very basic level, organizations should understand the following about trust anchors:

• Purpose: Authenticate DNSSEC responses, safeguarding the integrity of DNS information.
• Configuration: Use resource records (RR) for zone-signing key and key-signing key (DNSKEY RR) or the hash of a child-zone’s key-signing key in the DS RR.
• Functionality: Begin the validation chain so that DNSSEC-aware resolvers can verify digital signatures.
• Source: Obtained from secure sources external to the DNS protocol that point to signed zones.

What Role Do Trust Anchors Play in DNS Operations?

Trust anchors serve as reference points for validation of domain name data’s authenticity and integrity. For a secure and stable DNS infrastructures, periodic updates to DNSSEC trust anchors are made by organizations that manage the internet infrastructure, like the Internet Corporation for Assigned Names and Numbers (ICANN).

Establishing a Chain of Trust

The chain of trust begins with trust anchors, which act as starting points for validating domain name data authenticity. They verify signed DNS responses when the validating resolver compares the key it holds with the root key obtained from a root name server to maintain and strengthen trust down the chain from the root zone to the individual domain level.

However, compromised or unexpectedly changed trust anchor keys can disrupt the chain of trust which ultimately means a failure to resolve DNS queries, resulting in a service outage.

Validating DNS Responses

DNSSEC validation relies on trust anchors. Resolvers validate the digital signatures on the root zone using the trust anchor key. By following the DS to DNSKEY chain through each level of the DNS hierarchy, they ensure that each link is cryptographically valid to ensure that the entire chain is trusted.

Without a trust anchor,  the resolver has no way to authenticate DNSSEC signatures which would leave DNSSEC validation insecure or impossible.

How Do Trust Anchors Relate to DNS Validating Resolvers?

A DNSSEC-aware recursive server ensures the authenticity of DNS responses by working with trust anchors to validate DNSSEC-enabled domains through the following steps:

• Query received: Client sends a query to the validating resolver for a domain.
• Recursive lookup: The resolver queries the root, the domain, and the URL.
• DNSSEC record retrieval: The resolver requests DNSSEC records looking for each zone in the DNS hierarchy to return its digital signature and public key information.
• Chain of trust validation: The resolver uses the trust anchor to validate the root’s zone-signing key (ZSK), the DS record, and the DNSKEY to validate the DS record.
• Validation outcome: The resolver returns a secure answer if the chain of trust is intact with valid signatures or an error if validation fails, like SERVFAIL or a DNSSEC-related error.

What is a Trust Anchor Rollover?

A trust anchor rollover is the process of updating the cryptographic keys that act as trust anchors within DNSSEC-enabled systems. The process preserves DNSSEC response trustworthiness by ensuring that the security credentials used to validate DNSSEC signatures are regularly updated. Trust anchor rollovers can occur for various reasons, including:

• Key expirations
• Routine security updates
• Potential key compromises

Performing a rollover requires the following steps to ensure the continued integrity of the DNSSEC validation chain:

• Evaluating the existing trust anchor to identify the optimal timing for the key rollover.
• Generating a new key-signing key (KSK) to serve as the new signing key for the DNS zone.
• Publishing the new key in the DNS zone as a DNSKEY RR.
• Implementing a buffer period during which both the old and new keys are valid so all systems can update their trust anchors.
• Monitoring key rollovers to confirm DNSSEC validation continues without interruption.
• Retiring the old key to complete the rollover process.

What Is Trust Anchor Telemetry?

Trust anchor telemetry enables organizations to understand how resolvers handle updates during key rollovers like KSK rollovers. Software vendors and organizations use telemetry data to improve DNSSEC deployment and troubleshoot validation issues.

After configuring DNSSEC-aware resolver to send telemetry to trusted servers, organizations can gather information about trust anchor usage, including key tags and signing keys, to:

• Analyze trends: Review telemetry data to understand resolver behavior, particularly how they manage key upgrades.
• Improve DNSSEC trust anchors: Use insights to ensure smooth trust point transitions, especially in the event of key rollovers.

How to Troubleshoot Common Trust Anchor Issues

Trust anchor issues can lead to service outages or DNS errors. To troubleshoot common issues and maintain service availability, some best practices include:

• Checking configurations: Misconfigured trust anchors or missing DNSSEC trust anchors can cause validation failures.
• Verifying public keys: Mismatched KSKs or ZSKs in DNSSEC setup can break the validation chain.
• Inspect resource records: Errors in the DNSKEY RR and DS RR can create issues.
• Review key rollover: Errors in the key rollover procedures can disrupt DNS queries.
• Test with DNSSEC-aware resolvers: Validating the signatures with DNSSEC-aware resolvers can identify system issues.

UltraDNS: Easy-to-Implement DNSSEC

UltraDNS provides an automated, RFC-compliance solution that enables organizations to mitigate DNS cache poisoning, spoofing, and hijacking risks by simplifying key management in DNSSEC. With UltraDNS, organizations can automated ZSK key rollovers or streamline manual processes by setting notifications when rollovers are necessary. UltraDNS provides a cost-efficient, DNSSEC-compliance platform to reduce the challenges arising from new policies, DNS server upgrades, and larger domain zone, meaning that organizations can improve DNS security without requiring additional staff to manage key management.