Get Started with TRAIN

Anchor DIDs in DNS records and validate trust chains using TRAIN.

What is TRAIN?

TRAIN (TRust mAnagement INfrastructure) is a framework, led by the team at the Fraunhofer Institute, for establishing and validating decentralized trust. It allows ecosystems to verify whether Verifiable Credentials (VCs) were issued by authorized and trustworthy entities through cryptographically linked trust chains.

TRAIN includes two core components:

  • TRAIN Trust Validator (TTV): A service that validates the issuer of a Verifiable Credential by tracing Verifiable Accreditations up to a trusted root authority.

  • TDZM (Trust-DNS Zone Manager): A DNS component that enables Root Trusted Accreditation Organisations (rTAOs) to publicly anchor their Decentralized Identifiers (DIDs) in DNS.

Together, these components allow for governance-aware, high-assurance validation of digital credentials without centralized trust registries.


How TDZM and the TRAIN Trust Validator Work Together

Component | Purpose
TDZM | Anchors rTAO DIDs in DNS, establishing a verifiable and auditable trust root
TTV (TRAIN Trust Validator) | Validates VCs by following Verifiable Accreditations and optionally confirming the rTAO via DNS

When combined, they allow you to:

  • Establish a cryptographically linked trust hierarchy

  • Publish root DIDs (rTAOs) in DNS

  • Automatically validate credentials against published governance frameworks

  • Support scalable, decentralized ecosystems without compromising on assurance


Step-by-Step: Setting Up Trust and Validation

1. Deploy Trust-DNS Zone Manager (TDZM)

Run the TDZM backend and UI using:

  • Docker Compose (for testing or development)

  • Helm Charts in Kubernetes (for production)

TDZM includes:

  • A DNS nameserver to manage your trust zone

  • A backend API and UI for managing records

  • Optional OIDC authentication


2. Delegate DNS Control to TDZM

In your parent DNS zone (e.g. federation1.com):

  • Add an NS record pointing your trust subdomain (e.g. trust.federation1.com) to TDZM

  • Add an A record to resolve the nameserver’s domain to its IP

Example:

trust.federation1.com. NS ns1.trust.federation1.com.
ns1.trust.federation1.com. A 203.0.113.10

3. Anchor the rTAO DID in DNS

Use TDZM to publish a TXT or TLSA DNS record that links your rTAO’s DID to the trust domain.

Example:

_did.trust.federation1.com. TXT "did:cheqd:mainnet:rtao123"

This enables the TRAIN Trust Validator to resolve and verify the rTAO’s authenticity.


4. Build the Trust Chain

  • Publish a Root Authorisation for Trust Chain from the rTAO

  • Issue Verifiable Accreditations from rTAO → TAOs → Trusted Issuers

  • Define governance rules and credential schema policies as needed

Set up Trust Chain

Design and build a trust chain for establishing a trust hierarchy in your ecosystem.


5. Use the TRAIN Trust Validator (TTV)

Send a JSON request to TTV with the credential’s issuer, type, accreditation path, and optional DNS anchors. TTV will:

  • Traverse the Verifiable Accreditation chain

  • Verify structural and policy compliance

  • Optionally confirm the root via DNS lookups

  • Return a structured verification result
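
An added example, not part of TRAIN and not TTV's code or API, modelling steps 3 to 5: it reads the `_did` TXT anchor from zone data, then walks accreditations from an issuer up to that DNS-anchored root. The TAO and issuer DIDs, the `ACCREDITED_BY` mapping and both function names are assumptions made for illustration; signature verification of each accreditation and live DNS resolution are out of scope here.

```python
import re

# Loose DID syntax check: "did:", a method name, then a method-specific id.
DID_RE = re.compile(r"^did:[a-z0-9]+:[A-Za-z0-9._:%-]+$")

# Constructed zone data: the records shown in steps 2 and 3 of this page.
ZONE = """
trust.federation1.com. NS ns1.trust.federation1.com.
ns1.trust.federation1.com. A 203.0.113.10
_did.trust.federation1.com. TXT "did:cheqd:mainnet:rtao123"
"""

# Constructed accreditations, reduced to "subject DID -> accrediting DID".
# The TAO and issuer DIDs are hypothetical; only the rTAO DID is from the page.
ACCREDITED_BY = {
    "did:cheqd:mainnet:issuer789": "did:cheqd:mainnet:tao456",
    "did:cheqd:mainnet:tao456": "did:cheqd:mainnet:rtao123",
}

def anchored_dids(zone_text, trust_domain):
    """Return the well-formed DIDs published in TXT records at _did.<trust_domain>."""
    owner = f"_did.{trust_domain.rstrip('.').lower()}."
    dids = set()
    for line in zone_text.splitlines():
        parts = line.split(None, 2)  # owner, record type, record data
        if len(parts) == 3 and parts[0].lower() == owner and parts[1].upper() == "TXT":
            value = parts[2].strip().strip('"')
            if DID_RE.match(value):
                dids.add(value)
    return dids

def validate_issuer(issuer, accredited_by, roots, max_depth=10):
    """Walk accreditations upward; succeed only on reaching a DNS-anchored root."""
    path, current = [issuer], issuer
    while current not in roots:
        parent = accredited_by.get(current)
        if parent is None or parent in path or len(path) >= max_depth:
            return False, path  # broken chain, loop, or chain too deep
        path.append(parent)
        current = parent
    return True, path

if __name__ == "__main__":
    roots = anchored_dids(ZONE, "trust.federation1.com")
    print(validate_issuer("did:cheqd:mainnet:issuer789", ACCREDITED_BY, roots))
```

A chain that ends at a DID not published under `_did.<trust domain>` fails even when every accreditation link is present, which is the property the DNS anchor adds.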


Summary

Goal | Component
Anchor rTAO in DNS | 🌐 TDZM
Manage trust zones | 🛠️ TDZM Backend & UI
Define & delegate trust | 📜 Verifiable Accreditations
Validate credentials | 🔎 TRAIN Trust Validator (TTV)


By combining DNS-based assurance with credential-level verification, the TRAIN infrastructure provides a flexible and scalable solution for decentralized trust governance.
