DNS security authenticates data in the DNS by also storing digital signatures in the DNS as SIG resource records (RRs). A SIG RR provides a digital signature on the set of all RRs with the same owner name and class as the SIG and whose type is the type covered by the SIG. The SIG RR cryptographically binds the covered RR set to the signer, time signed, signature expiration date, etc. There are one or more keys associated with every secure zone and all data in the secure zone is signed either by a zone key or by a dynamic update key tracing its authority to a zone key.
DNS security also defines transaction SIGs and request SIGs. Transaction SIGs appear at the end of a response. Transaction SIGs authenticate the response and bind it to the corresponding request with the key of the host where the responding DNS server is. Request SIGs appear at the end of a request and authenticate the request with the key of the submitting entity.
Request SIGs are the primary means of authenticating update requests.
DNS security also permits the storage of public keys in the DNS via KEY RRs. These KEY RRs are also, of course, authenticated by SIG RRs. KEY RRs for zones are stored in their superzone and subzone servers, if any, so that the secure DNS tree of zones can be traversed by a security aware resolver.
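The RRset signature described in the first paragraph above, as an added illustration that is not part of the original specification: a Go model in which a SIG covers every RR sharing its owner name and class whose type equals the type covered, and binds that set to the signer name, the time signed and the expiration time. Ed25519 from the Go standard library stands in for the signature algorithms the specification actually uses, records are kept as text rather than in DNS wire format, and the names, addresses and dates are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RR is a simplified resource record (owner name, class, type, RDATA as text).
type RR struct {
	Owner, Class, Type, RData string
}

// SIG is a simplified SIG RR. It covers the set of RRs with the same owner
// name and class as the SIG whose type equals TypeCovered, and binds that
// set to the signer, the time signed and the expiration time.
type SIG struct {
	Owner, Class, TypeCovered string
	Signer                    string    // owner name of the KEY used to sign
	Inception, Expiration     time.Time // time signed, signature expiration
	Signature                 []byte
}

// GenerateZoneKey creates a hypothetical zone key pair (Ed25519 stands in
// for the algorithms of the original specification).
func GenerateZoneKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedData returns the bytes the signature is computed over: the SIG fields
// (less the signature itself) followed by the covered RDATA in sorted order.
// Sorting makes the result independent of record order, while any change to
// an RDATA string, the owner, the type covered or the times changes the bytes.
func signedData(sig SIG, rrs []RR) ([]byte, error) {
	if len(rrs) == 0 {
		return nil, errors.New("empty RRset")
	}
	rdata := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		if !strings.EqualFold(rr.Owner, sig.Owner) || rr.Class != sig.Class || rr.Type != sig.TypeCovered {
			return nil, fmt.Errorf("%s %s %s is not covered by this SIG", rr.Owner, rr.Class, rr.Type)
		}
		rdata = append(rdata, rr.RData)
	}
	sort.Strings(rdata)
	var b strings.Builder
	// Netstring-style length prefixes keep field boundaries unambiguous.
	field := func(s string) { fmt.Fprintf(&b, "%d:%s,", len(s), s) }
	field(strings.ToLower(sig.Owner))
	field(sig.Class)
	field(sig.TypeCovered)
	field(strings.ToLower(sig.Signer))
	field(fmt.Sprint(sig.Inception.Unix()))
	field(fmt.Sprint(sig.Expiration.Unix()))
	for _, r := range rdata {
		field(r)
	}
	return []byte(b.String()), nil
}

// SignRRset fills in sig.Signature over the covered RRset with the zone key.
func SignRRset(priv ed25519.PrivateKey, sig SIG, rrs []RR) (SIG, error) {
	msg, err := signedData(sig, rrs)
	if err != nil {
		return SIG{}, err
	}
	sig.Signature = ed25519.Sign(priv, msg)
	return sig, nil
}

// VerifyRRset checks sig against rrs at time now: every RR must be covered,
// now must lie inside the validity window, and the signature must verify
// under the zone public key.
func VerifyRRset(pub ed25519.PublicKey, sig SIG, rrs []RR, now time.Time) error {
	if now.Before(sig.Inception) || now.After(sig.Expiration) {
		return fmt.Errorf("SIG not valid at %s (window %s to %s)", now.UTC(), sig.Inception.UTC(), sig.Expiration.UTC())
	}
	msg, err := signedData(sig, rrs)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig.Signature) {
		return errors.New("signature does not verify: RRset or SIG fields altered")
	}
	return nil
}

// SampleRRset is a constructed A RRset (not from any real zone).
func SampleRRset() []RR {
	return []RR{
		{"www.example.test.", "IN", "A", "192.0.2.10"},
		{"www.example.test.", "IN", "A", "192.0.2.11"},
	}
}

// SampleSIG returns an unsigned SIG covering SampleRRset for a 30-day window.
func SampleSIG() SIG {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	return SIG{Owner: "www.example.test.", Class: "IN", TypeCovered: "A",
		Signer: "example.test.", Inception: t0, Expiration: t0.Add(30 * 24 * time.Hour)}
}

func main() {
	pub, priv, _ := GenerateZoneKey()
	sig, err := SignRRset(priv, SampleSIG(), SampleRRset())
	if err != nil {
		panic(err)
	}
	now := SampleSIG().Inception.Add(24 * time.Hour)
	fmt.Println("valid RRset:", VerifyRRset(pub, sig, SampleRRset(), now))
	tampered := SampleRRset()
	tampered[0].RData = "198.51.100.1"
	fmt.Println("tampered RRset:", VerifyRRset(pub, sig, tampered, now))
}
```

Because the signature is computed over the sorted RDATA together with the SIG's own fields, a verifier accepts the same records in any order but rejects an added, removed or altered record, a record of a different type or owner, a SIG presented outside its validity window, and a SIG checked under a key other than the one whose KEY the signer name points to.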