A cryptographic hash (or simply “hash” or “fingerprint”) is typically a function that takes as input any of a variety of computer-interpretable objects and outputs a fixed-size string, e.g., a hexadecimal number. Cryptographic hashes typically have other useful properties, such as preimage resistance and collision resistance.
A digital signature, or simply “signature”, is typically the result of applying a private key of an asymmetric cryptographic key pair to a computer-interpretable object. The corresponding public key is published or otherwise made available by the signing entity to the verifying party. The object may first be hashed as part of the signature process. A verifying party can verify the signature by applying the public key to the signature and comparing the result to the object or the hash of the object, depending on the scheme. If the comparison results in a match, then the signature is valid; otherwise it is invalid. Digital signatures typically confer authentication, non-repudiation, and object integrity.
A digital certificate, or simply “certificate”, is typically a package that includes information identifying a public key (e.g., the key itself or a hash of the key), together with information identifying the owner of the key, and a digital signature of at least some of the package contents. The digital signature is produced (i.e., signed) by a trusted party, such as a certificate authority. A digital certificate provides any entity that trusts the party that signed the certificate with the ability to validate that the signed public key is indeed associated with the party identified in the certificate.
The Domain Name System (DNS) is a hierarchical distributed naming system for resources, such as those provided by computer servers, connected to the internet. It associates domain names with Internet Protocol (IP) addresses. The DNS thus allows computers and humans to access networked resources using names.
The DNS is organized into “zones”, the basic unit of organization of authoritative name data for the DNS. The DNS relies on extensive delegation of such authority. In that respect, the term “child” refers to an entity of record to which a “parent” entity delegates name resolution authority for a domain, or portion thereof. The terms “parent” and “child” are also generally identified with the respective zones. The terms “parent” and “child” may also be applied to domain names, where the relationship is sequential (e.g., “example.com” is the parent domain of “_smimecert.example.com”). Ancestral and other relationships may be similarly defined. Note that, although DNS delegations follow the DNS hierarchy, they are not necessarily sequential. That is, a delegation may skip one or more levels in the hierarchy. For example, while the domain “example.com” may be the parent domain of the child domain “_smimecert.example.com”, the domains may or may not be in the relationship of parent and child zone, depending on whether the entity of record for “example.com” has delegated authority to the entity of record for “_smimecert.example.com”, or the entities are the same.
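The following added example (not part of the original text) makes the distinction above concrete: it computes the sequential parent of a domain name, and separately determines whether two names fall in the same zone, in parent and child zones, or elsewhere, given a constructed set of delegation points (zone apexes); real delegations would be discovered from NS records rather than hard-coded.

```python
from __future__ import annotations


def labels(name: str) -> list[str]:
    """Split a DNS name into labels, most specific first; '' is the root."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def parent_domain(name: str) -> str | None:
    """Sequential parent: the name with its leftmost label removed.
    The root '' has no parent; the parent of 'com' is the root ''."""
    labs = labels(name)
    return None if not labs else ".".join(labs[1:])


def is_parent_domain(parent: str, child: str) -> bool:
    """True when `parent` is exactly one label above `child`."""
    return parent_domain(child) == ".".join(labels(parent))


def enclosing_zone(name: str, zone_cuts: set[str]) -> str:
    """Apex of the zone whose authoritative data holds `name`: the closest
    delegation point at or above `name`. The root '' is always a zone."""
    labs = labels(name)
    for i in range(len(labs)):
        apex = ".".join(labs[i:])
        if apex in zone_cuts:
            return apex
    return ""


def parent_zone(apex: str, zone_cuts: set[str]) -> str | None:
    """Zone that delegated `apex`; the delegation may skip name levels."""
    up = parent_domain(apex)
    return None if up is None else enclosing_zone(up, zone_cuts)


def zone_relationship(a: str, b: str, zone_cuts: set[str]) -> str:
    """Relationship between the zones containing names `a` and `b`."""
    za, zb = enclosing_zone(a, zone_cuts), enclosing_zone(b, zone_cuts)
    if za == zb:
        return "same zone"
    if parent_zone(zb, zone_cuts) == za:
        return "parent zone"  # a's zone delegated the zone holding b
    if parent_zone(za, zone_cuts) == zb:
        return "child zone"
    return "other"


# Constructed delegation points (zone apexes), not real DNS data.
NO_SMIMECERT_CUT = {"com", "example.com"}
SMIMECERT_CUT = {"com", "example.com", "_smimecert.example.com"}
SKIPPED_LEVEL = {"com", "example.com", "a.b.example.com"}  # skips b.example.com
```

With `NO_SMIMECERT_CUT`, "example.com" is the parent domain of "_smimecert.example.com" yet both names sit in the same zone; with `SMIMECERT_CUT` the same two names are in parent and child zones, and with `SKIPPED_LEVEL` the zone at "a.b.example.com" has "example.com" as its parent zone even though that is not its parent domain.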
DNS Authentication of Named Entities (DANE) relies on the DNS Security Extensions (DNSSEC) to authenticate data within the DNS, such as public keys and digital certificates associated with domain names. However, by definition, DNSSEC and DANE cannot authenticate data outside of the DNS.