The syntax of a SIG resource record (signature) is described in Section 4. It includes the type of the RR(s) being signed, the name of the signer, the time at which the signature was created, the time it expires (when it is no longer to be believed), its original time to live (which may be longer than its current time to live but cannot be shorter), the cryptographic algorithm in use, and the actual signature.
Every name in a secured zone will have associated with it at least one SIG resource record for each resource type under that name except for glue RRs and delgation point NS RRs. A security aware server supporting the performance enhanced version of the DNS protocol security extensions will attempt to return, with RRs retrieved, the corresponding SIGs. If a server does not support the protocol, the resolver must retrieve all the SIG records for a name and select the one or ones that sign the resource record(s) that resolver is interested in.