RRSIG records are one of the resource records in DNSSEC. These records store digital signatures of resource record sets (RRsets). Digital signatures are used to authenticate data that is in the signed RRsets.
A signed zone has multiple RRsets, one for each record type and owner name. (The owner is the domain name of the RRset.) When an authoritative name server uses the private key of the ZSK pair to sign each RRset in a zone, the digital signature on each RRset is stored in an RRSIG record. Therefore, a signed zone contains an RRSIG record for each RRset.
RRSIG resource records are defined in RFC 4034.
RRSIG records are automatically generated upon the signing of an authoritative zone.
The name part of a DNS RRSIG object reference has the following components:
- The name of the record.
- The name of the view.
Example: record:rrsig/ZG5zLmJpsaG9zdA:us.example.com/default.external
References to record:rrsig are object references.
The object does not support the following operations:
The object cannot be managed on Cloud Platform members.
These fields are actual members of the object; thus, they can be requested by using _return_fields, if the fields are readable.
The basic version of the object contains the field(s): name, view.
The cryptographic algorithm that was used to create the signature. It uses the same algorithm types as the DNSKEY record indicated in the key tag field.
Type
String.
Search
The field is available for search via
Notes
The algorithm cannot be updated.
algorithm cannot be written.
Structure containing all cloud API related information for this object.
Type
A/An Cloud Information struct.
Search
The field is not available for search.
Notes
The cloud_info cannot be updated.
cloud_info cannot be written.
The creation time of the record.
Type
Timestamp.
Search
The field is not available for search.
Notes
The creation_time cannot be updated.
creation_time cannot be written.
The record creator.
Type
String.
Search
The field is available for search via
Notes
The creator cannot be updated.
creator cannot be written.
Name for an RRSIG record in punycode format.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is not available for search.
Notes
The dns_name cannot be updated.
dns_name cannot be written.
The domain name, in punycode format, of the zone that contains the signed RRset.
Type
String.
Search
The field is not available for search.
Notes
The dns_signer_name cannot be updated.
dns_signer_name cannot be written.
The expiry time of an RRSIG record in Epoch seconds format.
Type
Timestamp.
Search
The field is not available for search.
Notes
The expiration_time cannot be updated.
expiration_time cannot be written.
The inception time of an RRSIG record in Epoch seconds format.
Type
Timestamp.
Search
The field is not available for search.
Notes
The inception_time cannot be updated.
inception_time cannot be written.
The key tag value of the DNSKEY RR that validates the signature.
Type
Unsigned integer.
Search
The field is available for search via
Notes
The key_tag cannot be updated.
key_tag cannot be written.
The number of labels in the name of the RRset signed with the RRSIG object.
Type
Unsigned integer.
Search
The field is available for search via
Notes
The labels cannot be updated.
labels cannot be written.
The time of the last DNS query in Epoch seconds format.
Type
Timestamp.
Search
The field is not available for search.
Notes
The last_queried cannot be updated.
last_queried cannot be written.
The name of the RRSIG record in FQDN format.
Type
String.
Search
The field is available for search via
Notes
The name is part of the base object.
The name cannot be updated.
name cannot be written.
The TTL value of the RRset covered by the RRSIG record.
Type
Unsigned integer.
Search
The field is available for search via
Notes
The original_ttl cannot be updated.
original_ttl cannot be written.
The Base64 encoded cryptographic signature that covers the RRSIG RDATA of the RRSIG Record object.
Type
String.
Search
The field is not available for search.
Notes
The signature cannot be updated.
signature cannot be written.
The domain name of the zone in FQDN format that contains the signed RRset.
Type
String.
Search
The field is available for search via
Notes
The signer_name cannot be updated.
signer_name cannot be written.
The Time To Live (TTL) value for the record. A 32-bit unsigned integer that represents the duration, in seconds, for which the record is valid (cached). Zero indicates that the record should not be cached.
Type
Unsigned integer.
Search
The field is not available for search.
Notes
ttl is associated with the field use_ttl (see use flag).
The ttl cannot be updated.
ttl cannot be written.
The RR type covered by the RRSIG record.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is available for search via
Notes
The type_covered cannot be updated.
type_covered cannot be written.
Use flag for: ttl
Type
Bool.
Search
The field is not available for search.
Notes
The use_ttl cannot be updated.
use_ttl cannot be written.
The name of the DNS View in which the record resides. Example: “external”.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is available for search via
Notes
The view is part of the base object.
The view cannot be updated.
view cannot be written.
The name of the zone in which the record resides. Example: “zone.com”. If a view is not specified when searching by zone, the default view is used.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is available for search via
Notes
The zone cannot be updated.
zone cannot be written.
| Field | Type | Req | R/O | Base | Search |
|---|---|---|---|---|---|
| algorithm | String | N | Y | N | = |
| cloud_info | struct | N | Y | N | N/A |
| creation_time | Timestamp | N | Y | N | N/A |
| creator | String | N | Y | N | = |
| dns_name | String | N | Y | N | N/A |
| dns_signer_name | String | N | Y | N | N/A |
| expiration_time | Timestamp | N | Y | N | N/A |
| inception_time | Timestamp | N | Y | N | N/A |
| key_tag | Unsigned int | N | Y | N | < = > |
| labels | Unsigned int | N | Y | N | < = > |
| last_queried | Timestamp | N | Y | N | N/A |
| name | String | N | Y | Y | : = ~ |
| original_ttl | Unsigned int | N | Y | N | < = > |
| signature | String | N | Y | N | N/A |
| signer_name | String | N | Y | N | : = ~ |
| ttl | Unsigned int | N | Y | N | N/A |
| type_covered | String | N | Y | N | : = ~ |
| use_ttl | Bool | N | Y | N | N/A |
| view | String | N | Y | Y | = |
| zone | String | N | Y | N | = |
