
RRSIG Decoder

Decode and analyze RRSIG (Resource Record Signature) records

About RRSIG Records

RRSIG (Resource Record Signature) records contain cryptographic signatures for DNS record sets. Each RRSIG record covers a specific record type (A, AAAA, MX, etc.) and proves that those records are authentic and haven't been tampered with. These signatures are created using the Zone Signing Key (ZSK) and can be verified using the corresponding DNSKEY record.

RRSIG records contain critical timing information including signature inception (when the signature was created) and signature expiration (when it becomes invalid). The validity period is typically set to 2-4 weeks, providing a balance between security and operational flexibility. If RRSIG records expire before being re-signed, DNSSEC validation will fail, and validating resolvers will refuse to return the DNS data.

Monitoring RRSIG expiration dates is crucial for maintaining DNSSEC. Most DNS providers automatically re-sign records before expiration, but it's important to verify this is happening. The decoder tool helps you check expiration dates and identify records that may need attention.
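The following sketch shows the kind of expiration check described above. It is an added example, not the code behind this decoder tool: it parses an RRSIG in the presentation format printed by `dig` (field order per RFC 4034, section 3.2) and classifies its validity window. The function names, the 7-day warning threshold and the sample record are assumptions made for illustration.

```python
from datetime import datetime, timezone, timedelta

# RDATA field order in presentation format (RFC 4034, section 3.2).
# Note that expiration comes BEFORE inception.
FIELDS = ("type_covered", "algorithm", "labels", "original_ttl",
          "expiration", "inception", "key_tag", "signer")

def parse_ts(value):
    """Parse a timestamp: 14-digit YYYYMMDDHHmmSS (UTC) or epoch seconds."""
    if len(value) == 14:
        return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def decode_rrsig(line):
    """Decode one line of the form: owner [ttl] [class] RRSIG <rdata>."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    rdata = tokens[tokens.index("RRSIG") + 1:]
    if len(rdata) < len(FIELDS) + 1:
        raise ValueError("truncated RRSIG RDATA")
    rec = dict(zip(FIELDS, rdata))
    rec["owner"] = tokens[0]
    for key in ("algorithm", "labels", "original_ttl", "key_tag"):
        rec[key] = int(rec[key])
    rec["expiration"] = parse_ts(rec["expiration"])
    rec["inception"] = parse_ts(rec["inception"])
    rec["signature"] = "".join(rdata[len(FIELDS):])  # base64 may contain spaces
    return rec

def status(rec, now, warn=timedelta(days=7)):
    """Classify the signature's validity window relative to `now`."""
    if now < rec["inception"]:
        return "not-yet-valid"
    if now > rec["expiration"]:
        return "expired"
    if rec["expiration"] - now <= warn:
        return "expiring-soon"
    return "valid"

# Constructed sample record (placeholder signature, not from a real zone).
SAMPLE = ("example.com. 3600 IN RRSIG A 13 2 3600 20240315000000 "
          "20240223000000 12345 example.com. AAAA BBBB==")

if __name__ == "__main__":
    rec = decode_rrsig(SAMPLE)
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)
    print(rec["type_covered"], rec["key_tag"], rec["expiration"].isoformat(), status(rec, now))
```

A record reported as "not-yet-valid" usually points to clock skew between the signer and the checking host rather than a signing failure.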

Understanding RRSIG records helps you troubleshoot DNSSEC validation issues, plan for key rotations, and ensure your DNSSEC implementation remains valid. For more information about signature management, see our Troubleshooting Guide.