Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
TSIG
open-in-new
<h2 id="implementation">Implementation</h2> <p>An update, as specified in RFC 2136, is a set of instructions to a DNS server. These include a header, the zone to be updated, the prerequisites that must be satisfied, and the record(s) to be updated. TSIG adds a final record, which includes a timestamp and the hash of the request. It also includes the name of the secret key that was used to sign the request. RFC 2535 has recommendations on the form of the name. </p><p>The response to a successful TSIG update will also be signed with a TSIG record. Failures are not signed to prevent an attacker from learning anything about the TSIG key using specially crafted update "probes". </p><p>The <a href="/facts/Nsupdate/ob5nb5Iy">nsupdate</a> program can use TSIG to do DNS updates. </p><p>The TSIG record is in the same format as the other records in the update request. The meaning of the fields is described in RFC 1035. </p> TSIG record fields<table><tbody><tr><th>Field</th><th>Bytes</th><th>Value</th><th>Description</th></tr><tr><td>NAME</td><td>Max. 256</td><td>Varies</td><td>Key name; identifies key on both client and server</td></tr><tr><td>TYPE</td><td>2</td><td>TSIG (250)</td><td></td></tr><tr><td>CLASS</td><td>2</td><td>ANY (255)</td><td></td></tr><tr><td><a href="/facts/Time_to_live/CMFdghQh">TTL</a></td><td>4</td><td>0</td><td>TSIG records must not be cached</td></tr><tr><td>RDLENGTH</td><td>2</td><td>Varies</td><td>Length of RDATA field</td></tr><tr><td>RDATA</td><td><i>RDLENGTH</i></td><td>Varies</td><td>Structure containing the timestamp, algorithm and hash data</td></tr></tbody></table> <h2 id="alternatives-to-tsig">Alternatives to TSIG</h2> <p>Although TSIG is widely deployed, there are several problems with the protocol: </p> <ul><li>It requires distributing secret keys to each host which must make updates.</li> <li>Although still in common usage, the HMAC-MD5 digest is no longer considered very secure. HMAC-SHA256 is preferred. </li></ul> <p>As a result, a number of alternatives and extensions have been proposed. </p> <ul><li>RFC 2137 specifies an update method using a <a href="/facts/Public_key/gowoFTxS">public key</a> "SIG" DNS record. A client holding the corresponding private key can sign the update request. This method matches the <a href="/facts/DNSSEC/cL9zwhjj">DNSSEC</a> method for secure queries. However, this method is deprecated by RFC 3007.</li> <li>In 2003, RFC 3645 proposed extending TSIG to allow the Generic Security Service (GSS) method of secure key exchange, eliminating the need for manually distributing keys to all TSIG clients. The method for distributing public keys as a DNS resource record (RR) is specified in RFC 2930, with GSS as one mode of this method. A <a href="/facts/Generic_Security_Service_Algorithm_for_Secret_Key_Transaction/VEshbYle">modified GSS-TSIG</a> - using the Windows <a href="/facts/Kerberos_(protocol)/RMXs3P1w">Kerberos</a> Server - was implemented by <a href="/facts/Microsoft_Windows/bwhAhuSL">Microsoft Windows</a> <a href="/facts/Active_Directory/VWd9HhjU">Active Directory</a> servers and clients called Secure Dynamic Update. In combination with poorly configured DNS (with no reverse lookup zone) using RFC 1918 addressing, reverse DNS updates using this authentication scheme are forwarded en masse to the root DNS servers and thus increase the traffic to root DNS servers. There is an <a href="/facts/Anycast/d6lUjbno">anycast</a> group which deals with this traffic to take it away from the root DNS servers.<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a><a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a></li> <li>RFC 2845 defines TSIG, specifies only one allowed hashing function, the 128-bit <a href="/facts/HMAC/Qy9WD4V9">HMAC-MD5</a>, which is no longer considered to be highly secure. RFC 4635 was circulated to allow RFC 3174 Secure Hash Algorithm (SHA1) hashing and <a href="/facts/Federal_Information_Processing_Standards/n0Ll7hpQ">FIPS</a> PUB 180-2 <a href="/facts/SHA-2/P59oPeGq">SHA-2</a> hashing to replace MD5. The 160-bit and 256-bit digests generated by SHA1 and SHA-2 are more secure than the 128-bit digest generated by <a href="/facts/MD5/8WIXb9Dq">MD5</a>.</li> <li>RFC 2930 defines <a href="/facts/TKEY/f3ksvxAM">TKEY</a>, a <a href="/facts/List_of_DNS_record_types/CgzuvJXy">DNS record</a> used to distribute keys automatically from a DNS server to DNS clients.</li> <li>RFC 3645 defines GSS-TSIG, which uses gss-api and TKEY to distribute keys automatically in gss-api mode.</li> <li>The <a href="/facts/DNSCurve/Y0TAbU7J">DNSCurve</a> proposal has many similarities to TSIG.</li></ul> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/List_of_DNS_record_types/CgzuvJXy">List of DNS record types</a></li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc2136">2136</a> Dynamic Updates in the Domain Name System (DNS UPDATE)</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc2845">2845</a> Secret Key Transaction Authentication for DNS (TSIG)</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc2930">2930</a> Secret Key Establishment for DNS (TKEY RR)</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc3007">3007</a> Secure Domain Name System (DNS) Dynamic Update</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc3645">3645</a> Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc3174">3174</a> US Secure Hash Algorithm 1</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc4635">4635</a> HMAC SHA TSIG Algorithm Identifiers</li> <li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc8945">8945</a> Secret Key Transaction Authentication for DNS (TSIG)</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Abley, J.; Sotomayor, W. (May 2015). "RFC 7534 — AS112 Nameserver Operations". doi:10.17487/RFC7534. Retrieved 2017-12-29. {{cite journal}}: Cite journal requires |journal= (help) <a href="https://tools.ietf.org/html/rfc7534" target="_blank">https://tools.ietf.org/html/rfc7534</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"AS112 Project Overview", retrieved 2017-12-29. <a href="https://www.as112.net" target="_blank">https://www.as112.net</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> </ol>