Another action of trust anchors is to validate certification paths. Because trust anchors represent public keys for corresponding zones, trust anchors must be updated if the public keys for a zone change, such as when a zone is re-signed.

If trust anchors are not removed when a zone is unsigned, DNS. The apex trust anchor private key is expected to be controlled by an entity with information assurance responsibility for the trust anchor store. TrustAnchorChoice provides three options for representing a trust anchor. In the case of APNIC, we will no longer maintain the current set of five trust anchors (which represent resources received from IANA and the four other RIRs), but will instead certify those resource sets within our certification hierarchy, as further described below.

Much of this authority can be delegated to other trust anchors. The trust anchor indicates the stored keys that have trusted certificates. Additionally, if trust anchors are distributed after a zone is signed and the zone becomes unsigned at a later date, trust anchors for the zone must be removed. The certificate option allows for the use of a certificate with no additional associated constraints.

This trust anchor represents the ultimate authority over the trust anchor store. In many cases, it is convenient to represent a collection of trust anchors. Trust anchors represent the key building blocks of the Shyft ecosystem.

There can be some confusion regarding what a trust anchor really does because there is no standard format for the information related to trust anchors. TrustAnchorList is defined as a sequence of one or more TrustAnchorChoice objects.

