TSIG (Transaction SIGnature)
TSIG (Transaction SIGnature) is a computer networking protocol defined in RFC 2845. It is used primarily by the Domain Name System (DNS) to provide a means of authenticating updates to a DNS database. It is most commonly used to update Dynamic DNS or a secondary/slave DNS server. TSIG uses shared secret keys and one-way hashing to provide a cryptographically secure means of authenticating each endpoint of a connection as being allowed to make or respond to a DNS update.
Although queries to DNS may be made anonymously (see DNSSEC), updates to DNS must be authenticated, since they make lasting changes to the structure of the Internet naming system. As the update request may be made over an insecure channel (the Internet), one must take measures to ensure the authenticity and integrity of the request. A key shared by the client making the update and the DNS server provides that assurance: a keyed one-way hash (HMAC) computed over the request with the shared secret prevents a malicious observer from modifying the update and forwarding it on to the destination, ensuring the integrity of the message from source to destination.
A timestamp is included in the TSIG protocol to prevent recorded responses from being reused, which would otherwise allow an attacker to replay them and breach the security of TSIG. This requires dynamic DNS servers and TSIG clients to have an accurate clock. Since DNS servers are connected to a network, the Network Time Protocol may be used to provide an accurate time source.
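The shared-key MAC and timestamp check described above, as an added example that is not part of the original article and not the RFC 2845 wire format: a simplified Python model in which the HMAC covers the message together with the time signed and the fudge (clock-skew) window, so neither the update nor its timestamp can be altered and a recorded update cannot be replayed later. The secret, message and timestamps are constructed values.

```python
import hmac
import hashlib

# Simplified TSIG-style authentication (added example, not the RFC 2845
# record layout). The MAC covers the message plus the 48-bit time signed
# and the 16-bit fudge, the same fields the real TSIG MAC includes.
FUDGE = 300  # seconds of clock skew tolerated; BIND's default is 300


def sign(secret: bytes, message: bytes, time_signed: int, fudge: int = FUDGE) -> bytes:
    """Return HMAC-SHA256 over message || time_signed (6 bytes) || fudge (2 bytes)."""
    data = message + time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big")
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify(secret: bytes, message: bytes, time_signed: int, fudge: int,
           mac: bytes, now: int) -> str:
    """Check the MAC first, then freshness, mirroring RFC 2845's BADSIG/BADTIME order."""
    expected = sign(secret, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "bad_sig"   # message, time fields or key do not match
    if abs(now - time_signed) > fudge:
        return "bad_time"  # outside the fudge window: stale or replayed
    return "ok"


def demo() -> dict:
    """Exercise the checks against a genuine, tampered, replayed and re-timed update."""
    secret = b"constructed-shared-secret"             # constructed; real keys are random
    update = b"UPDATE example.test. A 192.0.2.10"     # constructed stand-in for a DNS UPDATE
    forged = b"UPDATE example.test. A 192.0.2.99"
    t = 1_700_000_000                                  # constructed signing time (epoch seconds)
    mac = sign(secret, update, t)
    return {
        "genuine": verify(secret, update, t, FUDGE, mac, now=t + 10),
        "tampered": verify(secret, forged, t, FUDGE, mac, now=t + 10),
        "replayed": verify(secret, update, t, FUDGE, mac, now=t + 3600),
        # An attacker cannot refresh the timestamp: it is covered by the MAC.
        "retimed": verify(secret, update, t + 3600, FUDGE, mac, now=t + 3600),
        "wrong_key": verify(b"other-key", update, t, FUDGE, mac, now=t + 10),
    }
```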
DNS updates, like queries, are normally transported over UDP, since it has lower overhead than TCP. However, DNS servers accept both UDP and TCP requests.