# Get Started with TRAIN

## What is TRAIN?

**TRAIN (TRust mAnagement INfrastructure)** is a framework, led by the team at the [Fraunhofer Institute](https://www.hci.iao.fraunhofer.de/), for establishing and validating decentralized trust. It allows ecosystems to verify whether **Verifiable Credentials (VCs)** were issued by authorized and trustworthy entities through cryptographically linked **trust chains**.

TRAIN includes two core components:

* **TRAIN Trust Validator (TTV)**: A service that validates the issuer of a Verifiable Credential by tracing Verifiable Accreditations up to a trusted root authority.
* **TDZM (Trust-DNS Zone Manager)**: A DNS component that enables **Root Trusted Accreditation Organisations (rTAOs)** to publicly anchor their Decentralized Identifiers (DIDs) in DNS.

Together, these components allow for **governance-aware, high-assurance validation** of digital credentials without centralized trust registries.

***

### How TDZM and the TRAIN Trust Validator Work Together

| Component                       | Purpose                                                                                         |
| ------------------------------- | ----------------------------------------------------------------------------------------------- |
| **TDZM**                        | Anchors rTAO DIDs in DNS, establishing a verifiable and auditable trust root                    |
| **TTV** (TRAIN Trust Validator) | Validates VCs by following Verifiable Accreditations and optionally confirming the rTAO via DNS |

When combined, they allow you to:

* Establish a cryptographically linked trust hierarchy
* Publish root DIDs (rTAOs) in DNS
* Automatically validate credentials against published governance frameworks
* Support scalable, decentralized ecosystems without compromising on assurance

***

## Step-by-Step: Setting Up Trust and Validation

### 1. Deploy **Trust-DNS Zone Manager (**TDZM)

Run the **TDZM backend and UI** using:

* **Docker Compose** (for testing or development)
* **Helm Charts in Kubernetes** (for production)

TDZM includes:

* A DNS nameserver to manage your trust zone
* A backend API and UI for managing records
* Optional OIDC authentication

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>Deploy TRAIN and Anchor rTAO in DNS</strong></mark></td><td>Add high assurance to your root DID, anchoring it within a DNS record.</td><td><a href="train/deploy">deploy</a></td></tr></tbody></table>

***

### 2. Delegate DNS Control to TDZM

In your parent DNS zone (e.g. `federation1.com`):

* Add an **NS record** pointing your trust subdomain (e.g. `trust.federation1.com`) to TDZM
* Add an **A record** to resolve the nameserver’s domain to its IP

Example:

```
trust.federation1.com. NS ns1.trust.federation1.com.
ns1.trust.federation1.com. A 203.0.113.10
```

***

### 3. Anchor the rTAO DID in DNS

Use TDZM to publish a **TXT or TLSA DNS record** that links your **rTAO’s DID** to the trust domain.

Example:

```
_did.trust.federation1.com. TXT "did:cheqd:mainnet:rtao123"
```

This enables the TRAIN Trust Validator to resolve and verify the rTAO’s authenticity.

***

### 4. Build the Trust Chain

* Publish a **Root Authorization for Trust Chain** from the rTAO
* Issue **Verifiable Accreditations** from rTAO → TAOs → Trusted Issuers
* Define governance rules and credential schema policies as needed

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th><th data-hidden data-card-cover data-type="files"></th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>Set up Trust Chain</strong></mark></td><td>Design and build a trust chain for establishing a trust hierarchy in your ecosystem.</td><td><a href="set-up">set-up</a></td><td><a href="https://3569764573-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPVAMvpKH7PYzvXA6u6Cn%2Fuploads%2FxEjgxlDKvTmXV0jRpuTp%2FSet%20Up%20Trust%20Chain.png?alt=media&#x26;token=1d0b8eed-7e73-421e-8eb6-1a4985d2b371">Set Up Trust Chain.png</a></td></tr></tbody></table>

***

### 5. Use the TRAIN Trust Validator (TTV)

Send a JSON request to TTV with the credential’s issuer, type, accreditation path, and optional DNS anchors. TTV will:

* Traverse the Verifiable Accreditation chain
* Verify structural and policy compliance
* Optionally confirm the root via **DNS lookups**
* Return a structured verification result

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th><th data-hidden data-card-cover data-type="files"></th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>Validate Trust Chain</strong></mark></td><td>Validate Trust Chain to a root of trust using the TRAIN Trust Validator (TTV).</td><td><a href="train/validate">validate</a></td><td><a href="https://3569764573-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPVAMvpKH7PYzvXA6u6Cn%2Fuploads%2F9U5wm7YlI3Bex2DzrHN6%2Fvalidate%20trust%20chain.png?alt=media&#x26;token=c69e7235-ca94-4111-8a50-afe7909b7a7d">validate trust chain.png</a></td></tr></tbody></table>

***

### Summary

| Goal                    | Component                      |
| ----------------------- | ------------------------------ |
| Anchor rTAO in DNS      | 🌐 TDZM                        |
| Manage trust zones      | 🛠️ TDZM Backend & UI          |
| Define & delegate trust | 📜 Verifiable Accreditations   |
| Validate credentials    | 🔎 TRAIN Trust Validator (TTV) |

***

By combining DNS-based assurance with credential-level verification, the **TRAIN infrastructure** provides a flexible and scalable solution for **decentralized trust governance**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cheqd.io/product/studio/trust-registries/train.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.