A signed zone has multiple RRsets, one for each record type and owner name. (The owner is the domain name of the RRset.) When an authoritative name server uses the private key of the ZSK pair to sign each RRset in a zone, the digital signature on each RRset is stored in an RRSIG record. Therefore, a signed zone contains an RRSIG record for each RRset.
NIOS 8.1NIOS Administrator Guide (Rev. A) 1009
DNSSEC
Following is an example of an RRSIG record: RRset TTL
Expiration Time
Inception Time
Key
Tag Signature Name
corpxyz.com86400 INRRSIG A5 2 86400 20181231235959 20081027145729
49890 corpxyz.com hiZsq1gPtqIKeVuGBbAchPSdg 4vSymSxBsqzueQW4jrjCBsQbH7VH95kdfcAPxhx ZBvwQMgE07dxaOeTpwpaq0vpl6EOV0zLwWhiImw
l7XhOjIarzM8nTf1PJ+4av1KrqB1IPy3693jlChyL8sMT
Owner Name
TTLClass RR
Type Type Covered
Algorithm
0EfwS0tEAwD7Isvt2vW24cE= )
Signature
Number of Labels
Place for Figure with arrows № 1
The first four fields specify the owner name, TTL, class, and RR type. The succeeding fields are:
...