A signed, delegated zone that does not have an authentication chain from its delegating parent. That is, there is no DS RR containing a hash of a DNSKEY RR for the island in its delegating parent zone. An island of security is served by DNSSEC-aware name servers and may provide authentication chains to any delegated child zones. Responses from an island of security or its descendents can be authenticated only if its authentication keys can be authenticated by some trusted means out of band from the DNS protocol.

Source: NIST SP 800-81-2 | Category: