RRSIG
DNSSEC Resource Record Signature: the cryptographic signature attached to a DNS record set, proving it has not been tampered with.
An RRSIG (Resource Record Signature) is the DNSSEC record that holds the digital signature for every other record set in a signed zone. When a resolver fetches an A record for a DNSSEC-protected domain, it also fetches the matching RRSIG, then verifies the signature against the zone's DNSKEY. Each RRSIG includes the algorithm, the key tag of the signing key, an inception and expiration time, and the signature itself. Expired RRSIGs are one of the most common causes of DNSSEC outages: signatures must be regenerated before they age out, even if no record content has changed.
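An added example, not part of the original page: a Python check that parses RRSIG lines in the form `dig +dnssec` prints them and reports which signatures are expired, not yet valid, or close to expiring. The sample records, the name `example.test`, key tag 12345, the placeholder signature and the three-day warning window are constructed for illustration; timestamps are assumed to be in the YYYYMMDDHHmmSS form.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in dig-style presentation format (RFC 4034, section 3.2).
# Owner name, key tag and signature are placeholders, not real zone data.
SAMPLE = """\
example.test. 3600 IN RRSIG A 13 2 3600 20240315000000 20240301000000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
example.test. 3600 IN RRSIG MX 13 2 3600 20240304000000 20240219000000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
example.test. 3600 IN RRSIG NS 13 2 3600 20240302000000 20240217000000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
example.test. 3600 IN RRSIG TXT 13 2 3600 20240320000000 20240306000000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
"""

def _ts(field):
    # RRSIG times are UTC, written as YYYYMMDDHHmmSS in presentation format.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one RRSIG line (owner TTL class RRSIG rdata...) into named fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {
        "owner": f[0], "covers": f[4], "algorithm": int(f[5]),
        "expiration": _ts(f[8]),   # expiration is listed before inception
        "inception": _ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature": "".join(f[12:]),  # base64 may be split by whitespace
    }

def classify(sig, now, warn=timedelta(days=3)):
    """Return the validity state of one signature at time `now`."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn:
        return "expiring"
    return "ok"

def audit(text, now, warn=timedelta(days=3)):
    """Map each covered record type to its state for every RRSIG line in `text`."""
    rows = [l for l in text.splitlines() if l.split()[3:4] == ["RRSIG"]]
    return {s["covers"]: classify(s, now, warn) for s in map(parse_rrsig, rows)}

if __name__ == "__main__":
    for rtype, state in audit(SAMPLE, datetime.now(timezone.utc)).items():
        print(rtype, state)
```

Run against real `dig +dnssec` output on a schedule, the "expiring" state gives the re-signing job's failure a few days of visibility before resolvers start rejecting the zone.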
Referenced on
- Build a DNS Resolver from Scratch in Node.js
- Build a DNS Resolver from Scratch in Python
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- DNS Amplification Attack Explained: How Open Resolvers Enable Massive DDoS
- DNS Troubleshooting Tools: What the Pros Actually Use
- DNS Zone Transfer Attack (AXFR): How a Single Query Exposes Your Entire Domain
- DNS Zone Walking for Subdomain Enumeration: How NSEC Exposes Your Subdomains
- DNSSEC Downgrade Attack: How Attackers Strip Cryptographic Protection from DNS
- Home
- How DNS Queries Work: A Developer's Guide to the DNS Protocol
- NXDOMAIN Attack: How Nonexistent Domain Floods Exhaust DNS Resolvers
- The Complete dig Command Guide: Every Flag and Option Explained
- What Is DNS Cache Poisoning? How It Works and How to Prevent It
- What Is DNSSEC and Why Should You Enable It?
- What Is NXDOMAIN? Understanding the 'Domain Does Not Exist' DNS Response
- What Is SERVFAIL? Understanding DNS Server Failure Responses