SC-20(1) — Child Subspaces

Provide DNS integrity services for child subspaces (subdomains) to maintain the chain of trust from the parent domain.

Example 1: If you delegate subdomains (like dev.company.com), sign the DS (Delegation Signer) records in the parent zone so the entire chain from root to subdomain is DNSSEC-protected.

Example 2: For Active Directory child domains, ensure DNS zone delegation includes proper NS records and that secure dynamic updates are enabled on the child domain's DNS zone, maintaining the same security posture as the parent domain.