A signed zone has multiple RRsets, one for each record type and owner name. (The owner is the domain name of the RRset.) When an authoritative name server uses the private key of the ZSK pair to sign each RRset in a zone, the digital signature on each RRset is stored in an RRSIG record. Therefore, a signed zone contains an RRSIG record for each RRset.
NIOS 8.1NIOS Administrator Guide (Rev. A) 1009
DNSSEC
Following is an example of an RRSIG record:
RRset TTL
Expiration Time
Inception Time
Key
Tag Signature Name
corpxyz.com86400 INRRSIG A5 2 86400 20181231235959 20081027145729
49890 corpxyz.com hiZsq1gPtqIKeVuGBbAchPSdg 4vSymSxBsqzueQW4jrjCBsQbH7VH95kdfcAPxhx ZBvwQMgE07dxaOeTpwpaq0vpl6EOV0zLwWhiImw
l7XhOjIarzM8nTf1PJ+4av1KrqB1IPy3693jlChyL8sMT
Owner Name
TTLClass RR
Type Type Covered
Algorithm
0EfwS0tEAwD7Isvt2vW24cE= )
Signature
Number of Labels
The first four fields specify the owner name, TTL, class, and RR type. The succeeding fields are:
- Type Covered: The RR type covered by the RRSIG record. The RRSIG record in the example covers the A records for corpxyz.com.
- Algorithm: The cryptographic algorithm that was used to create the signature. It uses the same algorithm types as the DNSKEY record indicated in the Key Tag field.
- Number of Labels: Indicates the number of labels in the owner name of the signed records. There are two labels in the example, corpxyz and com.
- RRset TTL: The TTL value of the RRset covered by the RRSIG record.
- Expiration Time: The signature expiration time in UTC format.
- Inception Time: The signature inception time in UTC format.
- Key Tag: The key tag value of the DNSKEY RR that validates the signature.
- Signature Name: The zone name of the RRset.
- Public Key: The Base64 encoding of the signature.