RRSIG Lookup
Lookup RRSIG records and inspect DNSSEC signature lifetimes and signer data. Run fast checks, interpret results, and use related tools for validation.
Use RRSIG Lookup in 4 Steps
What is RRSIG Lookup?
RRSIG records are cryptographic signatures over RRsets (groups of DNS records of the same type) that prove zone data integrity for DNSSEC-enabled zones. Each RRset in a signed zone has a corresponding RRSIG record created by the zone's ZSK.
RRSIG records have a validity window defined by inception and expiration timestamps. Resolvers reject RRSIGs outside their validity window, causing SERVFAIL. Zones must be continuously re-signed before signatures expire — most DNSSEC-capable DNS providers automate this, but self-managed zones require a signing scheduler.
Quick Interpretation Table
Use this reference to diagnose common outcomes when running RRSIG Lookup.
| Observed Result | Likely Cause | Next Step |
|---|---|---|
| RRSIG missing for an RRset in a signed zone | Unsigned RRset — signer didn't include this record type | Trigger a full zone re-sign and verify signer health |
| RRSIG expiration timestamp in the past | Signature expired — resolvers reject it | Regenerate and republish signatures immediately to restore resolution |
| "Covers" type doesn't match queried RRset | Invalid signature mapping | Check signer configuration for the target RRset type |
CLI Examples
Run these commands directly from a terminal to verify RRSIG records without relying on a browser-based tool.
dig A example.com +dnssecdig RRSIG example.comdig +sigchase +trusted-key=/etc/trusted-key.key A example.comdelv @8.8.8.8 A example.comTroubleshooting Workflow
- Run this record check first for a scoped signal on the target hostname.
- Validate nameserver authority and SOA context if results are unexpected.
- Use propagation checks when different regions return different values.
- Re-run after applying fixes and compare values against your expected configuration.
Frequently Asked Questions
Get guides like this by email
DNS, email auth, and security playbooks delivered when they publish. No spam.