RRSIG Record

An RRSIG (Resource Record Signature) record (RFC 4034) contains the cryptographic signature over a set of [[dns|DNS]] records, enabling [[dnssec|DNSSEC]] validation. For every record type in a signed zone (A, MX, AAAA, etc.), a corresponding RRSIG is generated using the zone's private key. Validating [[dns-resolver|resolvers]] verify the RRSIG against the zone's [[dnskey-record|DNSKEY]] to confirm the records were not tampered with in transit. RRSIG records have an expiration date and must be periodically refreshed.

Example

An RRSIG on the A record for example.com proves the IP address was signed by the zone owner's private key; tampering with the IP would invalidate the signature and cause resolution failure.
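Because RRSIG records expire and must be refreshed, an expired signature fails validation just as a tampered record does. The following Python code is an added example, not part of the original page: it parses RRSIG records in zone-file presentation format and classifies each signature's validity window. The sample records, key tag 12345, placeholder signature and three-day warning threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

class Rrsig(NamedTuple):
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str

def _ts(field: str) -> datetime:
    # RFC 4034 section 3.2: timestamps are written as YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line: str) -> Rrsig:
    # Presentation format: owner TTL class RRSIG <rdata fields...> signature
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return Rrsig(f[0], f[4], int(f[5]), int(f[6]), int(f[7]),
                 _ts(f[8]), _ts(f[9]), int(f[10]), f[11])

def status(sig: Rrsig, now: datetime, warn: timedelta = timedelta(days=3)) -> str:
    # A validator accepts the signature only while inception <= now <= expiration.
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    return "expiring-soon" if sig.expiration - now <= warn else "valid"

def audit(zone_text: str, now: datetime) -> dict:
    # Map each covered record type to the status of its signature.
    return {s.type_covered: status(s, now) for s in map(parse_rrsig, zone_text.splitlines())}

# Constructed sample records; the signature field is a placeholder, not a real signature.
SAMPLE = """\
example.com. 3600 IN RRSIG A 13 2 3600 20240615000000 20240516000000 12345 example.com. PLACEHOLDERSIG==
example.com. 3600 IN RRSIG MX 13 2 3600 20240603000000 20240504000000 12345 example.com. PLACEHOLDERSIG==
example.com. 3600 IN RRSIG AAAA 13 2 3600 20240530000000 20240430000000 12345 example.com. PLACEHOLDERSIG==
"""

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the output is reproducible
    for rtype, state in audit(SAMPLE, now).items():
        print(f"{rtype:5} {state}")
```

This checks only the validity window; it does not verify the signature against the DNSKEY.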