What Is an RRSIG Record?
Understanding RRSIG (Resource Record Signature) records and DNSSEC signatures
Table of Contents
What Is an RRSIG Record?
An RRSIG (Resource Record Signature) record is a DNSSEC record that contains cryptographic signatures for DNS records. RRSIG records enable DNSSEC validation by providing signatures that DNS resolvers use to verify DNS record authenticity and integrity.
RRSIG records include: type covered (DNS record type being signed), algorithm (signing algorithm), labels (number of labels in name), original TTL (TTL of signed record), signature expiration (when signature expires), signature inception (when signature was created), key tag (identifies DNSKEY used), signer name (domain name of signer), and signature (cryptographic signature).
RRSIG records are essential for DNSSEC - without RRSIG records, DNS records cannot be verified. Learn more about DNSSEC and DNSKEY records.
RRSIG Record Purpose
DNS Record Signing
RRSIG records cryptographically sign DNS records (A, MX, TXT, etc.), providing proof of authenticity and integrity.
Signature Verification
DNS resolvers use RRSIG signatures to verify DNS records are authentic and haven't been tampered with during transmission.
DNSSEC Validation
RRSIG records enable DNSSEC validation by providing signatures that can be verified using DNSKEY public keys.
Protection Against Attacks
RRSIG records protect against DNS spoofing and cache poisoning by ensuring DNS records are authentic.
Record Integrity
RRSIG records ensure DNS record integrity, preventing unauthorized modification of DNS records.
RRSIG Record Format
Record Format
RRSIG records follow this format: type-covered algorithm labels original-ttl signature-expiration signature-inception key-tag signer-name signature
Example RRSIG Record
example.com. RRSIG A 13 2 3600 20240101000000 20231201000000 12345 example.com. base64-signature...
- Type Covered: A (DNS record type being signed)
- Algorithm: 13 (ECDSA-P256), 8 (RSA-SHA256), etc.
- Labels: 2 (number of labels in domain name)
- Original TTL: 3600 (TTL of signed record)
- Signature Expiration: When signature expires
- Signature Inception: When signature was created
- Key Tag: 12345 (identifies DNSKEY used)
- Signer Name: example.com (domain name of signer)
- Signature: Base64-encoded cryptographic signature
Signature Expiration
RRSIG signatures expire after a set time period, requiring periodic re-signing of DNS records.
Key Tag
Key tag identifies which DNSKEY record was used to create the signature, enabling signature verification.
Signature Verification
Verification Process
DNS resolvers verify RRSIG signatures by: retrieving DNSKEY public key using key tag, verifying signature using public key and algorithm, checking signature hasn't expired, and ensuring signature matches DNS record.
Verification Success
If signature verification succeeds, DNS resolver accepts DNS record as authentic and untampered.
Verification Failure
If signature verification fails, DNS resolver rejects DNS record. Learn more about why DNSSEC validation fails.
Signature Expiration
Expired signatures cause validation failure, requiring DNS records to be re-signed with new RRSIG records.
Key Rotation
When DNSKEY records are rotated, new RRSIG records must be created using new DNSKEY records.
Checking RRSIG Records
1. DNS Lookup Tools
Use DNS lookup tools to query RRSIG records and retrieve signature information for DNSSEC-signed DNS records.
2. Command Line Tools
Use command-line tools (dig) to query RRSIG records: dig RRSIG example.com
3. Signature Verification
Verify RRSIG signatures are valid, haven't expired, and match DNSKEY records used for signing.
4. DNSSEC Validation
Test DNSSEC validation to verify RRSIG records enable proper signature verification and DNSSEC validation works correctly.
5. Signature Expiration
Monitor RRSIG signature expiration dates to ensure DNS records are re-signed before signatures expire.
