ToolHop.

RRSIG Record Checker

View RRSIG records to inspect DNSSEC signatures, inception and expiration windows, and covered record sets.

Inspect DNSSEC signatures covering your records to ensure they are valid and up to date.

What you'll see

  • Covered record type, signer name, and key tag for every signature returned.
  • Inception and expiration timestamps so you can catch stale or future-dated signatures.
  • Base64-encoded signature data for advanced troubleshooting with validation tools.

Common use cases

  • Investigate SERVFAIL errors caused by expired signatures.
  • Confirm that dynamic updates triggered a re-sign of the affected RRsets.
  • Document signing behaviour during DNSSEC rollovers or automation pipelines.

Troubleshooting tips

  • Expiration times must be in the future—regenerate signatures before this window closes.
  • Match the key tag to DNSKEY entries to confirm the correct key pair signed the record.
  • If signatures appear missing, ensure the authoritative server is configured to sign the requested type.

FAQ

Why do I see signatures with inception times in the future?
Clock skew between signing servers can produce signatures that are not yet valid. Sync NTP across your infrastructure and re-sign if the difference is large.

What does an RRSIG covering an NSEC or NSEC3 record mean?
Those signatures protect denial-of-existence responses. They should be present when your zone uses authenticated denial with NSEC or NSEC3 chains.

How long should RRSIG validity windows be?
Most operators sign for 1–2 weeks. Longer periods reduce signing load but increase exposure if a key is compromised. Balance the window with your key rollover cadence.
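
The checks from the troubleshooting tips and the FAQ (validity window, future-dated inception, key tag match against DNSKEY) can be scripted. The following is an added example, not code from this tool: it parses an RRSIG line in dig-style presentation format and computes DNSKEY key tags per RFC 4034 Appendix B. The function names, the 3-day warning margin, and the sample key and record are assumptions constructed for illustration.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def _ts(text):
    """RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one dig-style RRSIG line: owner TTL class RRSIG <rdata fields>."""
    f = line.split()
    i = f.index("RRSIG")
    return {
        "covered": f[i + 1], "algorithm": int(f[i + 2]),
        "expiration": _ts(f[i + 5]), "inception": _ts(f[i + 6]),
        "key_tag": int(f[i + 7]), "signer": f[i + 8],
    }

def check_rrsig(sig, dnskey_tags, now, warn=timedelta(days=3)):
    """Return findings for one signature; warn is an assumed alerting margin."""
    findings = []
    if now < sig["inception"]:
        findings.append("not-yet-valid")    # future-dated: likely signer clock skew
    if now > sig["expiration"]:
        findings.append("expired")          # validating resolvers answer SERVFAIL
    elif sig["expiration"] - now < warn:
        findings.append("expiring-soon")    # re-sign before the window closes
    if sig["key_tag"] not in dnskey_tags:
        findings.append("unknown-key-tag")  # no published DNSKEY matches
    return findings or ["ok"]

# Constructed sample data: not a real key or signature.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_TAG = key_tag(257, 3, 13, SAMPLE_PUBKEY)
SAMPLE_RRSIG = (f"example.com. 3600 IN RRSIG A 13 2 3600 20240115000000 "
                f"20240101000000 {SAMPLE_TAG} example.com. c2FtcGxl")

if __name__ == "__main__":
    now = datetime(2024, 1, 13, tzinfo=timezone.utc)
    print(check_rrsig(parse_rrsig(SAMPLE_RRSIG), {SAMPLE_TAG}, now))
```

A key tag match only narrows down which DNSKEY to try; tags are not unique, so cryptographic validation still has to be done with a validating tool.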
