I’ve yet to come across a diagram showing a DNSSEC chain of trust which I actually like. It took me a long time to design one of my own for my post on CDS/DNSKEY records, but I feel that doesn’t clearly convey the chain I mean.

This is my latest creation:

a diagram showing chain of trust

The text on the blue connectors is a bit small in this rendition (it says “refers to”) – I might have to tweak that. The blue is designed to suggest a link (as on a Web page), which I can use to explain kaputt.

I’d like to thank Horia, Ingo, and Florian for their feedback and suggestions.