RRSIG Lookup
RRSIG lookups reveal which RRsets are signed, when those signatures expire, and which key produced them. Monitoring these details helps you anticipate signature refresh windows and spot validation issues before users notice.
Frequently Asked Questions
- What is an RRSIG record?
- An RRSIG record carries the digital signature for a DNS RRset, letting validators confirm the data was produced by an authorized key.
- What does type-covered mean in RRSIG?
- Type-covered identifies which RRset the signature protects, such as A, AAAA, MX, or DNSKEY records.
- Why do inception and expiration matter?
- Resolvers only trust a signature within its inception and expiration window; outside that period validation fails even if the data is unchanged.
- What causes an RRSIG validation failure?
- Expired signatures, mismatched DNSKEY material, or large clock skew between signer and resolver are the most common causes of RRSIG failures.
- Why are there multiple RRSIGs on the same RRset?
- Operators may publish parallel signatures from different keys or algorithms during rollovers so validators accept either signature.
- How can I tell which key signed an RRSIG?
- Match the key tag and algorithm in the RRSIG to a DNSKEY record; that key's public material verifies the signature.
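
The validity-window and key-matching checks described in the answers above can be scripted. This is an added example, not code from this tool: the DNSKEY and RRSIG values are constructed samples with toy-length keys, and the skew tolerance and warning threshold are assumptions.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real zone data): DNSKEY tuples are
# (flags, protocol, algorithm, base64 public key), with toy-length keys.
DNSKEYS = [(257, 3, 13, "AQIDBA=="), (256, 3, 13, "BQYHCA==")]
# RRSIG RDATA in presentation format (RFC 4034 section 3.2): type-covered,
# algorithm, labels, original TTL, expiration, inception, key tag, signer, sig.
RRSIG_A = ("A 13 2 3600 20240615000000 20240601000000 4123 "
           "example.com. c2lnbmF0dXJl")

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (not algorithm 1)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_rrsig(rdata_text):
    """Parse the fields used here; note expiration precedes inception."""
    f = rdata_text.split()
    def ts(s):  # assumes the YYYYMMDDHHmmSS timestamp form, always UTC
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"type_covered": f[0], "algorithm": int(f[1]),
            "expiration": ts(f[4]), "inception": ts(f[5]),
            "key_tag": int(f[6]), "signer": f[7]}

def window_status(sig, now, skew=timedelta(minutes=5), warn=timedelta(days=3)):
    """Classify the validity window; skew and warn values are assumptions."""
    if now + skew < sig["inception"]:
        return "not-yet-valid"
    if now - skew > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now < warn:
        return "expiring-soon"
    return "valid"

def candidate_keys(sig, dnskeys):
    """DNSKEYs whose algorithm and key tag match the RRSIG. Key tags are not
    unique, so a match selects a candidate; the signature must still verify."""
    return [k for k in dnskeys
            if k[2] == sig["algorithm"] and key_tag(*k) == sig["key_tag"]]

if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_A)
    now = datetime(2024, 6, 13, tzinfo=timezone.utc)
    print(sig["type_covered"], window_status(sig, now), candidate_keys(sig, DNSKEYS))
```

Feeding `window_status` the resolver's own clock rather than the signer's shows how skew alone can turn an unchanged signature into a validation failure.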