DNS RRSIG Records Explained

DNS RRSIG (Resource Record Signature) records are digital signatures used in DNSSEC to provide authentication and integrity verification for DNS data. These records contain cryptographic signatures that prove DNS records have not been tampered with and originate from the legitimate zone owner.

What is an RRSIG record?

RRSIG records contain digital signatures for other DNS records in the same zone. Each RRSIG record covers a specific set of DNS records (called an RRset) that share the same owner name, class, and type. The signature is created with the private key corresponding to a DNSKEY record published in the zone, so only a holder of that private key can produce signatures that validate.

Every RRSIG record includes metadata such as the type of records it covers, the cryptographic algorithm used, the signature validity period, and the key tag identifying which DNSKEY was used to create the signature. This information allows DNSSEC validators to properly verify the signature.

How do RRSIG records work?

When a DNSSEC-enabled resolver receives DNS records along with their RRSIG signatures, it uses the corresponding DNSKEY record to verify that the signature is valid. The verification process involves checking that the signature was created using the private key matching the public key in the DNSKEY record and that the signature covers the exact DNS data received.

RRSIG records have validity periods defined by signature inception and expiration times. A validator accepts a signature only while the current time falls inside that window, which limits replay attacks in which an old but otherwise valid signature is presented later; it also means validators need a reasonably accurate clock. DNS administrators must re-sign their zones before signatures expire, or validating resolvers will treat the zone's data as bogus.
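The checks a validator performs before it does any cryptography, as an added example that is not part of the original page: parse an RRSIG in zone-file form, compute the key tag of a candidate DNSKEY (RFC 4034 Appendix B), and confirm signer name, algorithm, key tag, key flags, and the inception/expiration window. The DNSKEY public key and the signature bytes are constructed placeholders, and the actual signature verification over the canonical RRset is not shown.

```python
import base64
from datetime import datetime, timezone

def rrsig_time(s: str) -> int:
    """RRSIG inception/expiration in presentation form (YYYYMMDDHHmmSS, UTC) -> Unix time."""
    return int(datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp())

def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG record in zone-file presentation format (RFC 4034 section 3.2)."""
    f = line.split()
    if f[2:4] != ["IN", "RRSIG"]:
        raise ValueError("not an RRSIG record")
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]), "labels": int(f[6]),
        "orig_ttl": int(f[7]), "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": base64.b64decode("".join(f[12:])),
    }

def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rrsig_prechecks(sig: dict, key_owner: str, flags: int, protocol: int,
                    algorithm: int, pubkey_b64: str, now: int) -> list:
    """Checks a validator applies before any cryptography (RFC 4035 section 5.3.1).
    Returns the reasons for rejection; an empty list means 'proceed to verify'."""
    problems = []
    if sig["signer"] != key_owner:
        problems.append("signer name does not match DNSKEY owner")
    if sig["algorithm"] != algorithm:
        problems.append("RRSIG algorithm does not match DNSKEY algorithm")
    if sig["key_tag"] != dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
        problems.append("key tag does not match DNSKEY")
    if not flags & 0x0100 or protocol != 3:
        problems.append("DNSKEY is not a zone key with protocol 3")
    if now < sig["inception"]:
        problems.append("signature inception is in the future")
    if now > sig["expiration"]:
        problems.append("signature has expired")
    return problems

# Constructed sample records (not a real zone): the public key "AQIDBA==" is a
# placeholder whose key tag works out to 2068, and the signature is dummy bytes.
KEY = dict(key_owner="example.com.", flags=257, protocol=3, algorithm=13, pubkey_b64="AQIDBA==")
RRSIG_LINE = ("example.com. 3600 IN RRSIG A 13 2 3600 20240315000000 20240215000000 "
              "2068 example.com. c2lnbmF0dXJl")
```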

The presence of valid RRSIG records provides cryptographic proof that DNS responses are authentic and have not been modified in transit. This protection is crucial for preventing DNS spoofing attacks and ensuring the integrity of DNS-based security mechanisms.
