An RRSIG-record holds a DNSSEC signature for a record set (one or more DNS records with the same name and type).
Resolvers can verify the signature with a public key stored in a DNSKEY-record.
RRSIG-records have the following data elements:
Type Covered: DNS record type that this signature covers.
Algorithm: Cryptographic algorithm used to create the signature.
Labels: Number of labels in the original RRSIG-record name (used to validate wildcards).
Original TTL: TTL value of the covered record set.
Signature Expiration: When the signature expires.
Signature Inception: When the signature was created.
Key Tag: A short numeric value which can help quickly identify the DNSKEY-record which can be used to validate this signature.
Signer's Name: Name of the DNSKEY-record which can be used to validate this signature.
Signature: Cryptographic signature.
To add RRSIG-records to a zone, use the DNSSEC Sign Zone function.
This record type is defined in RFC4034.