Help & Troubleshooting
RRSIG Record
What this is
RRSIG records are the actual DNSSEC signatures — one for each record set in a signed zone. Each has an inception and expiration time and must be re-generated (re-signed) periodically.
How to read your result
Signatures should have expiration dates comfortably in the future. Anything expiring within days deserves attention: healthy automation renews signatures well ahead of expiry.
Common problems and how to fix them
Signatures expired
How it shows up: The domain hard-fails on validating resolvers while non-validating resolvers still work — mirroring a DS mismatch, but caused by time rather than keys.
How to fix it: Re-sign the zone immediately (with managed DNS this means contacting the provider — expired RRSIGs are their bug). Then find out why the re-signing automation stopped: it should never get within days of expiry.
Server clock skew makes valid signatures look invalid
How it shows up: Sporadic validation failures reported by some resolvers even though signatures look current.
How to fix it: Ensure the signing infrastructure and authoritative servers run NTP-synchronized clocks; inception times slightly in the future break validation for strict resolvers.