Domain-name-system.org



Page modified: Friday, June 23, 2006 20:29:01

The goal of TSIG is to guarantee the authenticity of DNS partners and to ensure data integrity in transactions. A DNS participant should be able to verify that the partner it is communicating with really is who it claims to be, and that received DNS messages were not falsified in transit. TSIG is used mainly for server-to-server communication and less for client-to-server communication (exception: dynamic updates).

Encryption of DNS data is not intended in the context of TSIG. Since DNS information is in principle publicly available, encryption would bring no significant security gain.

Overview

With TSIG, two or more DNS servers that communicate with one another possess the same key (symmetric key, shared secret), which is configured manually. When data is exchanged between TSIG servers (e.g. in a zone transfer or in recursive queries), an MD5 hash is computed over each transferred DNS packet and attached in a special TSIG resource record. The receiver performs the same MD5 operation with its key and compares the two signatures. If they are identical, the data comes from the desired partner and was not falsified.

TSIG resource record

The TSIG RR is a so-called meta RR: it is generated dynamically before a DNS message is sent and discarded after receipt and evaluation. It appears neither in zone files nor in DNS caches.

A TSIG resource record consists of the following fields:

  • Name (name of the key)
  • Type (always TSIG)
  • Class (always ANY)
  • TTL (always 0)
  • Length
  • Data (digital signature and further data)

The name makes it possible to distinguish between different keys. Two partners can agree on several keys. This is particularly useful when keys are changed, since the old and the new key can then be used in parallel for a time.
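The sign-and-compare exchange from the Overview, together with key selection by name, as an added example (not code from the original page). It uses HMAC-MD5 and the MAC input layout of RFC 2845; the key names, secrets and sample query are constructed, and the time check with a fudge window goes beyond what the text above describes.

```python
import hashlib
import hmac
import struct

ALGORITHM = "hmac-md5.sig-alg.reg.int."  # algorithm name from RFC 2845

# Constructed key table: old and new key held in parallel during a key change.
KEYS = {
    "transfer-old.": b"constructed-old-secret",
    "transfer-new.": b"constructed-new-secret",
}

def wire_name(name):
    """Encode a domain name in lower-cased, uncompressed DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

# Constructed sample: AXFR query for example.com, before the TSIG RR is appended.
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0)
                + wire_name("example.com.") + struct.pack("!HH", 252, 1))

def tsig_mac(key_name, message, time_signed, fudge=300):
    """HMAC-MD5 over the DNS message followed by the TSIG variables."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)              # Class ANY, TTL 0
        + wire_name(ALGORITHM)
        + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", 0, 0)                # Error, Other Len (no Other Data)
    )
    return hmac.new(KEYS[key_name], message + variables, hashlib.md5).digest()

def verify(key_name, message, time_signed, mac, now, fudge=300):
    """Receiver side: pick the key by name, recompute the MAC, compare."""
    if key_name not in KEYS:
        return "BADKEY"
    expected = tsig_mac(key_name, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):    # constant-time comparison
        return "BADSIG"
    if abs(now - time_signed) > fudge:            # stale or replayed message
        return "BADTIME"
    return "NOERROR"
```

Because the key name is part of the MAC input, a MAC made with one key does not verify under the other, even while both are configured.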

Evaluation

TSIG is considerably simpler to handle than DNSSEC and is well suited to environments with only a few servers. If too many servers are involved, the administrative effort rises sharply. Here public-key methods such as DNSSEC have the advantage, since key distribution is much simpler.

Reference

  • RFC 2845 (Secret key Transaction Authentication for DNS)
