VeraId combines DNSSEC with a new Public Key Infrastructure (PKI) to produce signatures that can be linked to a domain name. Every signature contains enough data to be verified independently, without external queries such as DNS lookups.
For example, this is how we'd verify a VeraId Signature Bundle attributing "Bazinga!" to sheldon@caltech.edu:

DNSSEC Chain: _veraid.caltech.edu. TXT record containing digest of public key of organisation.
X.509 Certificate Chain: caltech.edu (VeraId organisation)
CMS SignedData
Any DNSSEC-enabled domain can be a trust anchor in the PKI, but it only has control over itself. This offers far better security than PKIs such as the one used for Transport Layer Security (TLS), where many trust anchors (Certificate Authorities) can issue certificates for any domain.
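The anchor scoping described above, as an added example (not VeraId's own code): a simplified model of the checks that tie an organisation certificate to its own domain's `_veraid` TXT record. It assumes the TXT records were already DNSSEC-validated from the bundle and that the digest is hex SHA-256; X.509 chain and CMS signature verification are out of scope, and all function and field names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample keys: opaque bytes standing in for encoded public keys.
CALTECH_KEY = b"constructed-caltech-org-public-key"
OTHER_KEY = b"constructed-other-org-public-key"


def key_digest(public_key: bytes) -> str:
    """Hex SHA-256 of a public key (the digest algorithm is an assumption)."""
    return hashlib.sha256(public_key).hexdigest()


# TXT records taken from the bundle's DNSSEC chain, assumed already validated.
VALIDATED_TXT = {
    "_veraid.caltech.edu.": key_digest(CALTECH_KEY),
    "_veraid.other.example.": key_digest(OTHER_KEY),
}


def check_attribution(identity, org_subject, org_key, validated_txt):
    """Return (ok, reason) for attributing content to `identity`.

    org_subject and org_key model the organisation certificate at the root
    of the bundle's X.509 chain (hypothetical simplified fields).
    """
    _, _, domain = identity.rpartition("@")
    domain = domain.rstrip(".").lower()
    # 1. An organisation certificate may only speak for its own domain.
    if org_subject.rstrip(".").lower() != domain:
        return False, "organisation certificate is for a different domain"
    # 2. The trust anchor is that domain's own _veraid TXT record.
    pinned = validated_txt.get(f"_veraid.{domain}.")
    if pinned is None:
        return False, "no validated _veraid record for domain"
    # 3. The certificate's key must match the digest published in DNS.
    if not hmac.compare_digest(pinned, key_digest(org_key)):
        return False, "organisation key does not match TXT digest"
    return True, "ok"


if __name__ == "__main__":
    # A legitimately anchored other.example still cannot vouch for caltech.edu.
    print(check_attribution("sheldon@caltech.edu", "caltech.edu",
                            CALTECH_KEY, VALIDATED_TXT))
    print(check_attribution("sheldon@caltech.edu", "other.example",
                            OTHER_KEY, VALIDATED_TXT))
```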