Configuring TSIG keys

TSIG (Transaction Signature)

TSIG (Transaction Signature, RFC 8945) is a DNS security mechanism that authenticates messages exchanged between DNS servers, and between DNS servers and clients. Both parties hold the same shared secret, and the sender appends a TSIG record carrying an HMAC computed over the whole message (plus a timestamp); the receiver recomputes the HMAC with its copy of the secret and rejects the message if the value or the timestamp does not check out. This proves that the message came from a holder of the key and was not altered in transit. TSIG is primarily used for:

  1. Securing Zone Transfers: Ensuring that AXFR (and IXFR) zone transfers occur only between authorized servers.

  2. Securing Dynamic Updates: Authenticating requests to update DNS records dynamically, especially in Dynamic DNS (DDNS) environments.

  3. Authenticating DNS Queries and Responses: Verifying the authenticity of both the query and the response in DNS transactions.

TSIG adds an authentication and integrity layer that standard DNS lacks: by itself DNS has no way to verify who sent a message or whether it was modified on the way. Note that TSIG does not encrypt anything; zone data and update contents still travel in the clear, and it is the shared secret, not the protocol, that must be kept confidential.

TSIG Key Templates in ManageEngine DDI

The Key Templates are saved under the TSIG Key Templates tab on the Config page. Each template has the following fields:

Key Name

The Key Name identifies the key across the primary and secondary name servers. It is carried in the TSIG record of every signed message and is written in domain-name syntax (for example, xfer-key.example.com.), so both servers must be configured with exactly the same name, algorithm and secret or validation will fail. Ensure a unique name is assigned to each key.

 

Algorithm

The Algorithm is the HMAC variant used to compute the signature (MAC) over each DNS message; it does not generate the key itself, which is a separate random value. Currently, CloudDNS supports HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512. Both sides of a transaction must be configured with the same algorithm. HMAC-MD5 is retained by RFC 8945 only for interoperability with legacy servers; for new keys use HMAC-SHA256 or stronger.

 

Secret Key

The Secret Key is a base64-encoded random value (at most 255 characters) that is shared by the name servers and used as the HMAC key for transaction-level authentication, for example during zone transfer operations. It is a shared secret, not a signature: generate it with a cryptographically secure random source, use at least as many bytes as the digest output of the chosen algorithm (32 bytes for HMAC-SHA256), and protect it like a password, since anyone who obtains it can produce validly signed zone transfer requests and dynamic updates.
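The following is an added example, written for this page and not code from ManageEngine DDI or ISC BIND, that ties the three template fields to what actually happens on the wire. It generates a secret of the right size for a chosen algorithm, prints it in the BIND key-statement form that carries the same three values as a DDI key template, and then computes and verifies the TSIG MAC for a constructed AXFR request following RFC 8945 section 4.3 (request MAC, unsigned message, then the TSIG variables block). The key name xfer-key.example.com. and the zone example.com. are hypothetical, and only the Python standard library is used.

```python
"""TSIG shared-secret generation and MAC computation/verification (RFC 8945).
Added example: not ManageEngine DDI or BIND code; key name and zone are hypothetical."""
import base64
import hmac
import secrets
import struct
import time

# TSIG algorithm name (as carried in the TSIG RR) -> (hashlib digest name, digest size in bytes).
# hmac-md5 is listed only because legacy servers still offer it; prefer hmac-sha256 or stronger.
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": ("md5", 16),
    "hmac-sha1": ("sha1", 20),
    "hmac-sha224": ("sha224", 28),
    "hmac-sha256": ("sha256", 32),
    "hmac-sha384": ("sha384", 48),
    "hmac-sha512": ("sha512", 64),
}


def generate_secret(algorithm: str) -> str:
    """Random shared secret, base64-encoded, as long as the HMAC output (RFC 2104 recommendation)."""
    _, size = ALGORITHMS[algorithm]
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")


def wire_name(name: str) -> bytes:
    """Domain name in canonical wire form: lower-case, uncompressed, root-terminated."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """'TSIG Variables' block appended to the message before hashing (RFC 8945 section 4.3.3)."""
    return (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
        + wire_name(algorithm)
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time signed
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )


def compute_mac(secret_b64, key_name, algorithm, message, time_signed, fudge=300, request_mac=b""):
    """HMAC over [request MAC] + unsigned DNS message + TSIG variables (RFC 8945 section 4.3)."""
    digest, _ = ALGORITHMS[algorithm]
    data = b""
    if request_mac:  # a response also covers the MAC of the request it answers
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, digest).digest()


def verify_mac(secret_b64, key_name, algorithm, message, time_signed, fudge, mac, now=None, request_mac=b""):
    """Receiver-side check: time-signed window first, then a constant-time MAC comparison."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False  # stale or replayed message (BADTIME)
    expected = compute_mac(secret_b64, key_name, algorithm, message, time_signed, fudge, request_mac)
    return hmac.compare_digest(expected, mac)  # mismatch means BADSIG


def build_axfr_query(zone: str, msg_id: int = 0x1234) -> bytes:
    """Minimal unsigned AXFR request (header + one question), constructed for this example."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)  # QDCOUNT=1, no flags, no other sections
    question = wire_name(zone) + struct.pack("!HH", 252, 1)  # QTYPE AXFR, QCLASS IN
    return header + question


def key_statement(key_name: str, algorithm: str, secret_b64: str) -> str:
    """BIND-style key statement; the same three values are what a DDI key template stores."""
    return f'key "{key_name}" {{\n    algorithm {algorithm};\n    secret "{secret_b64}";\n}};'


if __name__ == "__main__":
    name, alg = "xfer-key.example.com.", "hmac-sha256"  # hypothetical key name
    secret = generate_secret(alg)
    print(key_statement(name, alg, secret))
    msg = build_axfr_query("example.com.")
    ts = int(time.time())
    mac = compute_mac(secret, name, alg, msg, ts)
    print("MAC:", mac.hex())
    print("valid:", verify_mac(secret, name, alg, msg, ts, 300, mac))
    print("tampered:", verify_mac(secret, name, alg, msg[:-1] + b"\x00", ts, 300, mac))
```

Two points worth noticing when reading the code: the key name and algorithm name are hashed in canonical (lower-case) form, which is why a mismatch in either field between primary and secondary produces a BADKEY or BADSIG rather than silently working, and the fudge window (300 seconds by default in most servers) is what bounds replay, so clocks on both servers need to be in sync for signed transfers to succeed.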
