" # works by digitally signing records for DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone which is the trusted third party. Domain owners generate their own keys, and upload them using their DNS control panel at their domain-name registrar, which in turn pushes the keys via secDNS to the zone operator (e.g.: Verisign for .com) who signs and publishes them in DNS." https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#How_it_works cc @question