RRSIG Record DNSSEC

The RRSIG record (Resource Record Signature) contains the cryptographic signature for a DNS record set. It's the core mechanism that allows DNSSEC to prove that DNS data is authentic and hasn't been modified in transit.


What Is an RRSIG Record?

Every DNS record set in a DNSSEC-signed zone has an associated RRSIG record. The RRSIG contains:

  • A digital signature of the record data
  • Information about which key created the signature
  • Validity period (inception and expiration times)

When a resolver receives a DNS response, it verifies the RRSIG using the zone's DNSKEY.

RRSIG Record Format

Example RRSIG Record

example.com.    3600    IN    RRSIG    A 13 2 3600 (
                        20240315000000 20240215000000 12345 example.com.
                        oJB1W6WNGv...signature... )

RRSIG Record Fields

Field                 Description                      Example
Type Covered          Record type being signed         A, MX, AAAA, etc.
Algorithm             Signing algorithm                13 (ECDSA)
Labels                Number of labels in owner name   2 (example.com)
Original TTL          TTL used when signing            3600
Signature Expiration  When signature expires           20240315000000
Signature Inception   When signature became valid      20240215000000
Key Tag               Identifier of signing key        12345
Signer's Name         Zone containing the DNSKEY       example.com.
Signature             Base64-encoded signature         oJB1W6WNGv...

How RRSIG Validation Works

  1. Resolver receives a DNS response that includes the RRSIG for the RRset
  2. Checks that the current time falls between the signature inception and expiration times
  3. Fetches the signer's DNSKEY RRset and selects the key whose key tag and algorithm match the RRSIG
  4. Verifies the chain of trust from that DNSKEY up to a trust anchor via DS records
  5. Uses the DNSKEY to verify the RRSIG signature over the RRset
  6. If valid, trusts the DNS data
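As an added example (not code from the original page), the following Python parses an RRSIG in the presentation format shown above, applies the time-window check from step 2 with a clock-skew allowance, and performs the key-tag match from step 3 against a set of DNSKEY records. The key bytes and signature are constructed placeholders, and the five-minute skew tolerance is an assumed value.

```python
import base64
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# RRSIG RDATA fields in wire order (RFC 4034, section 3.1), plus the owner name.
RRSIG = namedtuple("RRSIG", "owner type_covered algorithm labels original_ttl "
                            "expiration inception key_tag signer signature")

def parse_time(s):
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(text):
    # Presentation format: owner TTL class RRSIG <9 RDATA fields>; the base64
    # signature may be split over several tokens inside parentheses.
    tok = text.replace("(", " ").replace(")", " ").split()
    f = tok[tok.index("RRSIG") + 1:]
    return RRSIG(tok[0], f[0], int(f[1]), int(f[2]), int(f[3]), parse_time(f[4]),
                 parse_time(f[5]), int(f[6]), f[7], base64.b64decode("".join(f[8:])))

def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    # Key tag over the DNSKEY RDATA (RFC 4034, Appendix B; not the RSA/MD5 variant).
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_window(sig, now, skew=timedelta(minutes=5)):
    # Step 2 of validation: inception <= now <= expiration, allowing clock skew.
    if now + skew < sig.inception:
        return "not yet valid"
    if now - skew > sig.expiration:
        return "expired"
    return "in window"

def find_signing_key(sig, dnskeys):
    # Step 3: select the signer's DNSKEY whose algorithm and key tag match the RRSIG.
    for flags, proto, alg, pub in dnskeys:
        if alg == sig.algorithm and dnskey_key_tag(flags, proto, alg, pub) == sig.key_tag:
            return pub
    return None

# Constructed sample data: key bytes and signature are placeholders, not real
# key material for example.com. DNSKEYS holds (flags, protocol, algorithm, key).
ZSK_PUBKEY = bytes([1]) * 64   # 64-byte P-256 public key (algorithm 13)
RRSIG_TEXT = ("example.com. 3600 IN RRSIG A 13 2 3600 20240315000000 "
              "20240215000000 9261 example.com. ( c2lnbmF0dXJl LWJ5dGVz )")
DNSKEYS = [(257, 3, 13, bytes([2]) * 64),  # KSK: its key tag does not match
           (256, 3, 13, ZSK_PUBKEY)]       # ZSK: key tag 9261 matches
```

The signature itself is left unverified here, since that step needs the signer's real public key and the canonical wire form of the RRset.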

RRSIG Signature Validity

RRSIG records have an expiration time. Once expired, the signature is no longer valid and resolvers will reject the data. Key considerations:

  • Typical validity — 1-4 weeks
  • Must re-sign before expiration — Zone must be re-signed regularly
  • Clock skew tolerance — Resolvers allow some time variation

RRSIG Best Practices

  • Automate re-signing — Set up automatic zone re-signing before expiration.
  • Monitor signature expiration — Alert before signatures expire.
  • Use appropriate validity periods — Balance between security and operational overhead.
  • Ensure time synchronization — Servers must have accurate clocks (NTP).
  • Sign all record types — Every RRset needs an RRSIG (except RRSIG itself).

Checking RRSIG Records

# Query with DNSSEC info
dig example.com A +dnssec

# Just the RRSIG records
dig example.com RRSIG

# Validate DNSSEC chain
delv example.com @8.8.8.8

Troubleshooting RRSIG

Common issues and solutions:

  • SERVFAIL responses — Signature expired or invalid; re-sign the zone.
  • Signature expiration — Set up automated re-signing.
  • Key tag mismatch — RRSIG key tag doesn't match any DNSKEY; make sure the signing key is published in the zone's DNSKEY RRset.
  • Clock skew — Ensure server clocks are synchronized with NTP.
  • Missing RRSIG — Zone not properly signed; re-run signing process.
