/ˈɑːr-ɑːr-sɪɡ/
n. “Signed. Sealed. Verifiable.”
RRSIG, short for Resource Record Signature, is a record type used by DNSSEC to cryptographically sign DNS data. It is the proof attached to an answer — evidence that a DNS record is authentic, unmodified, and published by the rightful owner of the zone.
In classic DNS, answers arrive naked. No signatures. No verification. A resolver asks a question and trusts the response by default. DNSSEC replaces that blind trust with math, and RRSIG is where the math lives.
An RRSIG record accompanies one or more DNS records of the same type — for example, A, AAAA, MX, or TXT. It contains a digital signature generated using the zone’s private key. That signature covers the record data, the record type, and a defined validity window. Change even a single bit, and verification fails.
When a validating resolver receives DNS data protected by DNSSEC, it also receives the corresponding RRSIG. The resolver retrieves the zone’s public key from a DNSKEY record and checks the signature. If the cryptographic check passes, the data is accepted as authentic. If it fails, the response is rejected — no fallback, no warning page, no partial trust.
RRSIG records are time-bound. Each signature has an inception time and an expiration time. This prevents replay attacks where old but valid data is resent indefinitely. It also means signatures must be refreshed regularly. Let them expire, and the zone effectively disappears for validating clients.
This time sensitivity is one of the reasons DNSSEC is unforgiving. Clock skew, stale signatures, or broken automation can all result in immediate resolution failures. The system assumes that if authenticity cannot be proven, the answer must not be used.
RRSIG does not exist in isolation. It works in concert with DNSKEY to prove signatures and with DS records to link zones together into a chain of trust. From the DNS root, through TLD operators, and down to the individual domain, each layer signs the next. RRSIG is the visible artifact of that trust at every step.
Without RRSIG, DNSSEC would be little more than a promise. With it, DNS answers become verifiable statements rather than suggestions. Cache poisoning attacks, forged responses, and silent redirections lose their power when signatures are enforced.
Consider an attacker attempting to redirect traffic to a fake server. Without DNSSEC, a forged response might succeed if delivered quickly enough. With RRSIG validation enabled, the forged data lacks a valid signature and is discarded before it can do damage.
Like the rest of DNSSEC, RRSIG does not encrypt DNS traffic. Anyone can still observe queries and responses. What it guarantees is that the answers cannot be altered without detection.
RRSIG is quiet when correct and catastrophic when wrong. It either proves the data is real or ensures it is not used at all. There is no middle ground.
In a system once built entirely on trust, RRSIG is the moment DNS learned how to sign its name.