DNS
TSIGs
Transaction Signatures
TSIGs are a simple public key authentication mechanism to restrict access to certain functionality. They are particularly useful when authenticating remote servers across the public internet. TSIGs aren't just for Dynamic DNS updates, which is what we are looking at here, but also for such diverse things as secure notifies and management of split horizon updates, particularly when you only have a single interface.
Generation
Generating keys is easy:
dnssec-keygen -a HMAC-MD5 -b 512 -n USER ${NAME}
This generates two files called K${NAME}.+*.key and K${NAME}.+*.private. The private file is for the updater and the key file is used by the authenticator.
The -n flag takes a number of different options, notably ZONE and HOST, though it's not clear what difference it makes.
The contents of the key files look something like:
${NAME}. IN KEY 0 3 157 xxx yyy
where xxx and yyy are the magic strings we will use later.
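As an added example (not part of the original page or of BIND), the following parser reads a KEY record of the form shown above, rejoins the wrapped base64 pieces into one string and checks that the decoded key matches the 512 bits requested with -b. With an HMAC algorithm the base64 data is the secret itself, so the .key file needs the same protection as the .private file. The function names and the sample record are constructed for illustration.

```python
import base64
import binascii

# 157 is the algorithm number in the record above (HMAC-MD5).
HMAC_MD5 = 157
# Name-type bits of the KEY flags field, as written by dnssec-keygen -n.
NAME_TYPES = {0: "USER", 256: "ZONE", 512: "HOST"}


def parse_key_record(line, expected_bits=512):
    """Parse one '<name>. IN KEY <flags> <proto> <alg> <base64...>' line."""
    fields = line.split()
    if len(fields) < 7 or [f.upper() for f in fields[1:3]] != ["IN", "KEY"]:
        raise ValueError("not an IN KEY record")
    flags, protocol, algorithm = (int(f) for f in fields[3:6])
    if algorithm != HMAC_MD5:
        raise ValueError(f"algorithm {algorithm} is not HMAC-MD5 (157)")
    # Long keys are wrapped, so the base64 arrives as several
    # whitespace-separated pieces (the xxx and yyy above); rejoin them.
    secret_b64 = "".join(fields[6:])
    try:
        secret = base64.b64decode(secret_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from None
    if len(secret) * 8 != expected_bits:
        raise ValueError(
            f"key is {len(secret) * 8} bits, expected {expected_bits}")
    return {
        "name": fields[0].rstrip("."),
        "name_type": NAME_TYPES.get(flags & 0x0300, "UNKNOWN"),
        "protocol": protocol,
        "algorithm": algorithm,
        "secret_b64": secret_b64,
    }


def make_sample_record(name="example-updater", nbytes=64):
    """Constructed sample record: fixed bytes, base64 wrapped in two pieces."""
    b64 = base64.b64encode(bytes(range(nbytes))).decode()
    return f"{name}. IN KEY 0 3 157 {b64[:56]} {b64[56:]}"


if __name__ == "__main__":
    print(parse_key_record(make_sample_record()))
```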