The primary name server for a zone creates the RRSIG records for each set of records in the zone, as well as the NSEC records for each name. Software known as a “zone signer” signs the data for each zone.
The signer reads in all zone data, and organizes the data. All names are arranged in order and NSEC records are built for each name. All records are grouped into sets and RRSIG records are generated for each set. This information is placed in a file that is subsequently used by the zone primary name server to provide the authoritative information for the zone.