For DNSSEC to work, the recipient needs to know that the public key in use is trustworthy. A resolver can ask a name server for its public key, but a key that is used to vouch for its own identity proves nothing: the resolver has no independent way to verify it.
To solve this problem, a "chain of trust" is established. The chain starts with a trust "anchor" at the root name servers, and each subsequent "link" in the chain is signed against the previous one. Here is an example using www.example.com.au, which is an A record:
- www.example.com.au is signed at the nameservers for example.com.au;
- example.com.au is signed by the 2LD servers for .com.au;
- .com.au is signed by the ccTLD nameservers for .au; and
- .au is signed by the root nameservers.
An anchor for .au is stored on the root nameservers in the form of a DS (Delegation Signer) record.
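To make the DS link concrete, the following is an added example (not code from the original page) that models the chain above in Python. It follows RFC 4034: a parent zone publishes a DS record whose digest is SHA-256 over the child's owner name in canonical wire form concatenated with the child's DNSKEY RDATA, and a validating resolver walks from its configured root trust anchor down to example.com.au, checking at each step that the DS it got from the parent matches the DNSKEY it got from the child. The key bytes, zone names and trust anchor are constructed for the example (no real RSA/ECDSA keys, and no RRSIG verification), so it demonstrates only the DS-to-DNSKEY pinning that forms each link.

```python
"""Toy model of the DNSSEC chain of trust: DS records pin each child's KSK.

Constructed example. The "public keys" are arbitrary bytes, not real keys,
and signatures (RRSIGs) are not checked; only the parent-DS -> child-DNSKEY
link from RFC 4034 is modelled.
"""
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> dict:
    """DS RDATA a parent publishes for a child DNSKEY, digest type 2 (SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}

def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """Does the DNSKEY served by the child hash to the DS served by the parent?"""
    return ds_record(owner, rdata) == ds

def fake_key(label: str) -> bytes:
    """Deterministic stand-in for public-key bytes (constructed, not a real key)."""
    return hashlib.sha256(b"constructed-ksk:" + label.encode("ascii")).digest()

KSK_FLAGS = 257   # Zone Key (256) + Secure Entry Point (1)
ALG = 13          # algorithm number for ECDSAP256SHA256; the key bytes here are fake

# KSK DNSKEY RDATA for each zone in the www.example.com.au chain (constructed).
ZONE_KSK = {
    ".": dnskey_rdata(KSK_FLAGS, 3, ALG, fake_key("root")),
    "au.": dnskey_rdata(KSK_FLAGS, 3, ALG, fake_key("au")),
    "com.au.": dnskey_rdata(KSK_FLAGS, 3, ALG, fake_key("com.au")),
    "example.com.au.": dnskey_rdata(KSK_FLAGS, 3, ALG, fake_key("example.com.au")),
}

# DS records as each parent zone would publish them for its child.
PUBLISHED_DS = {child: ds_record(child, ZONE_KSK[child]) for child in ("au.", "com.au.", "example.com.au.")}

# The resolver's configured trust anchor: a DS for the root KSK (constructed here).
ROOT_TRUST_ANCHOR = ds_record(".", ZONE_KSK["."])

def zones_for(qname: str, zone_ksk: dict) -> list:
    """Zone cuts from the root down to the zone that holds qname (www itself is not a zone)."""
    labels = qname.rstrip(".").lower().split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in zone_ksk:
            chain.append(zone)
    return chain

def verify_chain(qname: str, zone_ksk: dict, published_ds: dict, trust_anchor: dict):
    """Walk the chain of trust; return (all_links_ok, per-zone results)."""
    results = []
    for zone in zones_for(qname, zone_ksk):
        ds = trust_anchor if zone == "." else published_ds.get(zone)
        ok = ds is not None and ds_matches(ds, zone, zone_ksk[zone])
        results.append((zone, ok))
        if not ok:
            break   # a broken link means nothing below it can be trusted
    return all(ok for _, ok in results), results

if __name__ == "__main__":
    ok, steps = verify_chain("www.example.com.au.", ZONE_KSK, PUBLISHED_DS, ROOT_TRUST_ANCHOR)
    for zone, good in steps:
        print(f"{zone:20} {'DS matches DNSKEY' if good else 'DS MISMATCH'}")
    print("chain valid:", ok)
```

Swapping the KSK served for com.au. for any other key makes that link fail and stops the walk there, which is exactly why an attacker who controls only the child's name servers cannot substitute a key: the parent's DS, not the child's own DNSKEY, decides which key the resolver will accept.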