
A Very Short Guide to DNSSEC with Demo on Namecheap

2 min read · Dec 28, 2024

Enable the DNSSEC option

In Namecheap this is a one-click option:

Namecheap > Domain List > Your domain > Advanced DNS


Expected Result: RRSIG, DNSKEY and DS Records

When you query the domain, you will additionally see an RRSIG record from the resolver and a DS record at the top-level domain.


You can also query the public key used for verification, which is published as a DNSKEY record.


How it works — Multiple Public-Private Key Signer

The set of DNS records sharing the same TYPE (e.g., A) and NAME (e.g., foo.example.com) is called an RRSET (Resource Record Set).

RRSET → signed with 2 keys → RRSIG

This is the normal public-private key signing mechanism, with 2 keys combined:

  1. ZSK — Zone signing key
    The server generates the initial key pair and sends the public key to the client as a DNSKEY record.
  2. KSK — Key signing key
    2.1. The server generates the initial key pair
    2.2. The public key is sent to be signed at the TLD (top-level domain, e.g., .com, .org)
    2.3. The TLD stores the public part of the double-signed key as a DS record
    2.4. The server sends the public DNSKEY back to the client

Now you have 2 keys to verify the validity of a DNS record.


Written by tanut aran

Co-founder and Coder at work !
