A response message from a security aware server may optionally contain a special SIG as the last item in the additional information section to authenticate the transaction.
This SIG has a "type covered" field of zero, which is not a valid RR type. It is calculated by using a "data" (see Section 4.1.2) of the entire preceding DNS reply message, including DNS header but not the IP header, concatenated with the entire DNS query message that produced this response, including the query's DNS header but not its IP header. That is
data = full response (less final transaction SIG) | full query
Verification of the transaction SIG (which is signed by the server host key, not the zone key) by the requesting resolver shows that the query and response were not tampered with in transit, that the response corresponds to the intended query, and that the response comes from the queried server.
A DNS request may be optionally signed by including one or more SIGs at the end of the query. Such SIGs are identified by having a "type covered" field of zero. They sign the preceding DNS request message including DNS header but not including the IP header or at the begining or any preceding request SIGs at the end. Such request SIGs are included in the "data" used to form any optional response transaction SIG.
WARNING: Request SIGs are unnecessary for currently defined queries and will cause almost all existing DNS servers to completely ignore a query. However, such SIGs may be needed to authenticate future DNS secure dynamic update or other requests.