HomeDNS ToolsRRSIG Lookup
DNS Tool

RRSIG Lookup

Lookup RRSIG records and inspect DNSSEC signature lifetimes and signer data. Run fast checks, interpret results, and use related tools for validation.

Record Type
RRSIG
Focused record verification for targeted DNS troubleshooting.
Best Use
Migration + incident checks
Validate live DNS answers during change windows.
Operational Context
Use this page to validate live resolver output during DNS cutovers, outage triage, and post-change verification windows.
RRSIG Lookup — Start Here
Waiting for input
Enter a domain and run check
How to Use

Use RRSIG Lookup in 4 Steps

01
Enter domain
Input the target domain in clean hostname format (no path or query string).
02
Run RRSIG Lookup
Execute RRSIG Lookup to pull live resolver output for this record scope.
03
Compare expected vs live
Match returned values with your intended DNS configuration at the source.
04
Cross-check related tools
Validate adjacent DNS layers to isolate cache vs source problems.

What is RRSIG Lookup?

RRSIG records are cryptographic signatures over RRsets (groups of DNS records of the same type) that prove zone data integrity for DNSSEC-enabled zones. Each RRset in a signed zone has a corresponding RRSIG record created by the zone's ZSK.

RRSIG records have a validity window defined by inception and expiration timestamps. Resolvers reject RRSIGs outside their validity window, causing SERVFAIL. Zones must be continuously re-signed before signatures expire — most DNSSEC-capable DNS providers automate this, but self-managed zones require a signing scheduler.

Best Use
Signature-expiry diagnostics and resolver DNSSEC validation troubleshooting.
Common Mistake
Letting signatures expire after a zone re-signing outage or mis-scheduled re-sign operation. Expired RRSIGs cause immediate SERVFAIL for all validating resolvers.
Validation Path
Check inception/expiration windows against the current timestamp, and verify that the RRSIG's covered record type matches the target RRset.

Quick Interpretation Table

Use this reference to diagnose common outcomes when running RRSIG Lookup.

Observed ResultLikely CauseNext Step
RRSIG missing for an RRset in a signed zoneUnsigned RRset — signer didn't include this record typeTrigger a full zone re-sign and verify signer health
RRSIG expiration timestamp in the pastSignature expired — resolvers reject itRegenerate and republish signatures immediately to restore resolution
"Covers" type doesn't match queried RRsetInvalid signature mappingCheck signer configuration for the target RRset type

CLI Examples

Run these commands directly from a terminal to verify RRSIG records without relying on a browser-based tool.

dig A example.com +dnssec
Query A records and include RRSIG signatures in the response
dig RRSIG example.com
Query RRSIG records directly for the zone apex
dig +sigchase +trusted-key=/etc/trusted-key.key A example.com
Validate the full DNSSEC signature chain (requires BIND dig with sigchase support)
delv @8.8.8.8 A example.com
DNSSEC-validating lookup using delv (BIND DNS lookup and validation tool)

Troubleshooting Workflow

  • Run this record check first for a scoped signal on the target hostname.
  • Validate nameserver authority and SOA context if results are unexpected.
  • Use propagation checks when different regions return different values.
  • Re-run after applying fixes and compare values against your expected configuration.

Frequently Asked Questions

What is an RRSIG record?
An RRSIG (Resource Record Signature) record is a cryptographic signature over a specific RRset (a group of DNS records of the same type at the same name). Each signed RRset has a corresponding RRSIG created by the zone's Zone Signing Key (ZSK). Resolvers verify RRSIG records to confirm that DNS data was signed by the legitimate zone operator.
What is the RRSIG validity window?
Each RRSIG has an inception timestamp (when it became valid) and an expiration timestamp (when it stops being valid). Resolvers check both against the current time — an RRSIG before its inception or after its expiration is rejected, causing SERVFAIL. Most zones sign records with a 30-day validity window and re-sign every 7–10 days to maintain a safety margin.
What happens when RRSIG records expire?
When RRSIG records expire, DNSSEC-validating resolvers (including 8.8.8.8, 1.1.1.1, and most ISP resolvers) return SERVFAIL for all queries to the zone. The zone becomes unreachable. This is a critical incident. Immediate action: trigger a zone re-sign, or temporarily disable DNSSEC at the registrar if re-signing isn't possible.
How often should zones be re-signed?
Best practice is to re-sign well before signature expiry. If signatures have a 30-day validity window, re-sign every 7–10 days to maintain at least a 20-day buffer. Many DNSSEC-capable DNS providers (Route 53, Cloudflare, NS1) automate re-signing entirely. Self-managed BIND zones require a cron-based signing scheduler.
How do I verify RRSIG validity?
Use `dig A example.com +dnssec` to retrieve A records with their signatures. Check the RRSIG expiration date in the response. Use `delv @8.8.8.8 A example.com` for full DNSSEC validation that actually verifies the chain of trust end-to-end.
Record Scope
ToolRRSIG Lookup
Query TypeRRSIG
State SharingURL Param
Ops Checklist
• Verify source DNS values first
• Check authority (NS/SOA) if mismatch appears
• Compare with global propagation when needed
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.