"DNSSIG is a simple and efficient way for authenticating responses sent by an upstream DNS resolver to a client. [...] This is not a replacement for DNSSEC. The purpose is to sign the “last mile”. For unsigned zones, this is better than nothing."
►http://dnssig.org
I wonder why they do not use the standard way, SIG(0) (RFC 2931)