A key pair contains two digital keys – a private key (held by the signer of the zone, which is usually the DNS Operator) and a public key (distributed to the public through the DNS). The zone is signed with the private key of the pair. End users’ validators (or the validators at their ISPs) use the public key of the pair to validate the digital signatures created when the zone is signed.
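The signing and validation roles described above can be seen in a short Go program, added here as an illustration and not taken from the original page. It builds the signature input for an A record set in the layout of RFC 4034 section 3.1.8.1, signs it with the private key, and validates it with the public key alone. Assumptions: Ed25519 (DNSSEC algorithm 15), the zone `example.com.`, documentation-range addresses, and constructed timestamps and key tag.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// wireName encodes an FQDN (lowercase, trailing dot) as length-prefixed labels.
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}

// signedData builds the RFC 4034 3.1.8.1 signature input for an A RRset at
// the zone apex: RRSIG fields first, then each record in canonical order.
func signedData(zone string, ttl uint32, addrs [][]byte) []byte {
	be, n := binary.BigEndian, wireName(zone)
	d := []byte{0, 1, 15, byte(strings.Count(zone, "."))} // type A, alg 15, labels
	d = be.AppendUint32(d, ttl)                           // original TTL
	d = be.AppendUint32(d, 1767225600)                    // expiration (constructed)
	d = be.AppendUint32(d, 1764547200)                    // inception (constructed)
	d = append(be.AppendUint16(d, 12345), n...)           // key tag (constructed), signer's name
	sorted := append([][]byte(nil), addrs...)             // copy, so the caller's order is kept
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i], sorted[j]) < 0 })
	for _, a := range sorted {
		d = append(append(d, n...), 0, 1, 0, 1)                 // owner, type A, class IN
		d = append(append(be.AppendUint32(d, ttl), 0, 4), a...) // TTL, RDLENGTH, RDATA
	}
	return d
}

// Demo: the signer uses the private key; the validator needs only the public key.
func Demo() (valid, forgedAccepted bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	rrset := [][]byte{{192, 0, 2, 20}, {192, 0, 2, 10}}
	sig := ed25519.Sign(priv, signedData("example.com.", 3600, rrset)) // DNS Operator side
	valid = ed25519.Verify(pub, signedData("example.com.", 3600, rrset), sig)
	forged := [][]byte{{192, 0, 2, 20}, {203, 0, 113, 66}} // one record altered in transit
	forgedAccepted = ed25519.Verify(pub, signedData("example.com.", 3600, forged), sig)
	return
}

func main() { fmt.Println(Demo()) }
```

The validator rebuilds the same byte string from the records it received, so any change to a record, the TTL or the signature validity window makes verification fail.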