In addition to a zone-signing key, DNSSEC name servers also have a key-signing key (KSK). The KSK validates the DNSKEY record in exactly the same way as our Zone Signing Keys secured the rest of our RRsets in the previous section: It signs the public ZSK (which is stored in a DNSKEY record), creating an RRSIG for the DNSKEY.
Just like the public Zone Signing Keys, the name server publishes the public KSK in another DNSKEY record, which gives us the DNSKEY RRSets shown above. Both the public KSK and public ZSK are signed by the private KSK.