RRSIG-Records (RRset Signature)

Simple DNS Plus v. 5.2
Copyright © 1999-2011 JH Software ApS

An RRSIG-record holds a DNSSEC signature for a record set (one or more DNS records with the same name and type).

Resolvers can verify the signature with a public key stored in a DNSKEY-record.

 

RRSIG-records have the following data elements:

- Type Covered: DNS record type that this signature covers.

- Algorithm: Cryptographic algorithm used to create the signature.

- Labels: Number of labels in the original RRSIG-record name (used to validate wildcards).

- Original TTL: TTL value of the covered record set.

- Signature Expiration: When the signature expires.

- Signature Inception: When the signature was created.

- Key Tag: A short numeric value that helps quickly identify the DNSKEY-record that can be used to validate this signature.

- Signer's Name: Name of the DNSKEY-record which can be used to validate this signature.

- Signature: Cryptographic signature.
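
The data elements above appear in this order in the record's binary data, so they can be read back with a short parser. The following is an added example, not code from Simple DNS Plus: the function names and sample bytes are constructed for illustration, the field sizes follow RFC 4034, and it goes slightly beyond the list by also applying the validity-window and wildcard label checks a validating resolver performs.

```python
import struct

def read_name(buf, off):
    """Read an uncompressed wire-format name; return (text, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated Signer's Name")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63 or off + n > len(buf):
            raise ValueError("bad label in Signer's Name")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def parse_rrsig(rdata):
    """Split RRSIG RDATA into the data elements listed above."""
    if len(rdata) < 18:
        raise ValueError("RRSIG RDATA shorter than its fixed fields")
    covered, alg, labels, ttl, exp, inc, tag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18)
    return {"type_covered": covered, "algorithm": alg, "labels": labels,
            "original_ttl": ttl, "expiration": exp, "inception": inc,
            "key_tag": tag, "signer": signer, "signature": rdata[off:]}

def in_validity_window(sig, now):
    """Inception <= now <= expiration, compared with 32-bit serial arithmetic."""
    started = ((now - sig["inception"]) & 0xFFFFFFFF) < 0x80000000
    not_expired = ((sig["expiration"] - now) & 0xFFFFFFFF) < 0x80000000
    return started and not_expired

def from_wildcard(owner, sig):
    """True if the owner name has more labels than the Labels field records."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":  # a leading wildcard label is not counted
        labels = labels[1:]
    return len(labels) > sig["labels"]

# Constructed sample: covers type A (1), algorithm 8 (RSA/SHA-256), 2 labels,
# TTL 3600, key tag 12345, signer example.com., 4 placeholder signature bytes.
SAMPLE = (struct.pack("!HBBIIIH", 1, 8, 2, 3600, 1702592000, 1700000000, 12345)
          + b"\x07example\x03com\x00" + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE)
    print(sig, in_validity_window(sig, 1701000000), from_wildcard("a.example.com.", sig))
```

A signature that parses and falls inside its validity window still has to be verified cryptographically against the matching DNSKEY-record; this example does not perform that step.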

 

To add RRSIG-records to a zone, use the DNSSEC Sign Zone function.

 

This record type is defined in RFC 4034.