What is a DNS signature (RRSIG)?
What it contains:
- Cryptographic signature of a record set
- Signing algorithm identifier
- Expiration time
- Key identifier
How verification works:
- Resolver requests record (e.g., TXT)
- Receives record plus RRSIG
- Retrieves public key (DNSKEY record)
- Verifies signature matches record
Signature chain:
- Root signs TLD
- TLD signs your domain
- Your domain signs records
- Chain of trust from root to record
Official notary seal on each document. Verifiable chain of authentication from the highest authority.
Need personalized help?
Understand DNSSEC signatures and whether you need them. Open an AI assistant with your question pre-loaded — just add your details and send.
Was this answer helpful?
Thanks for your feedback!