In DNSSEC the keys come in pairs — a private key (held only by the signer of the zone, which is usually the DNS operator who may be the registrar if you are providing DNS services to your customers) and a public key (distributed to the public through the DNS). The private part of the key pair is used to sign the zone. Validating resolvers use the public part of the key pair to validate the digital signature created when the zone is signed.