safe location and protect them from unauthorized access. Anyone with
access to the private key can create fake but seemingly valid DNS data.
+
.. _dnssec_kasp:
Fully Automated (Key and Signing Policy)
corresponding ``DS`` records) that are the secure entry point to the zone.
+.. _secure_delegation:
+
+Secure Delegation
+~~~~~~~~~~~~~~~~~
+
+Once a zone is signed on the authoritative servers, the last remaining step
+is to establish chain of trust [#validation]_ between the parent zone
+(``example.``) and the local zone (``dnssec.example.``).
+
+Generally the procedure is:
+
+ - **Wait** for stale data to expire from caches. The amount of time required
+ is equal to the maximum TTL value used in the zone before signing. This
+ step ensures that unsigned data expire from caches and resolvers do not get
+ confused by missing signatures.
+ - Insert/update DS records in the parent zone (``dnssec.example. DS`` record).
+
+There are multiple ways to update DS records in the parent zone. Refer to the
+documentation for the parent zone to find out which options are applicable to
+a given case zone. Generally the options are, from most- to least-recommended:
+
+ - Automatically update the DS record in the parent zone using
+ ``CDS``/``CDNSKEY`` records automatically generated by BIND. This requires
+ support for :rfc:`7344` in either parent zone, registry, or registrar. In
+ that case, configure BIND to :ref:`monitor DS records in the parent
+ zone <cds_cdnskey>` and everything will happen automatically at the right
+ time.
+ - Query the zone for automatically generated ``CDS`` or ``CDNSKEY`` records using
+ :iscman:`dig`, and then insert these records into the parent zone using
+ the method specified by the parent zone (web form, e-mail, API, ...).
+ - Generate DS records manually using the :iscman:`dnssec-dsfromkey` utility on
+ `zone keys`_, and then insert them into the parent zone.
+
+.. [#validation] For further details on how the chain of trust is used in practice, see
+ :ref:`dnssec_12_steps` in the :doc:`dnssec-guide`.
+
+
+
DNSSEC Validation
~~~~~~~~~~~~~~~~~