The DNS record type that holds the DNSSEC public signing key is the DNSKEY record. Each DNSSEC zone has a zone signing key (ZSK) pair, which includes a private and public ZSK. The private ZSK is used to sign the DNS records in the zone, while the public ZSK is stored in a DNSKEY record. The DNSKEY record stores the public key, and there are usually two per zone, one for the ZSK and one for the key signing key (KSK) . The KSK validates the DNSKEY record in the same way as the ZSK secures the rest of the resource record sets (RRsets) . DNS resolvers use the public key in the DNSKEY record to verify DNSSEC signatures in RRSIG records.