DNS

Domain Name Service trickery

TSIGs

Transaction Signatures

TSIGs are a simple public key authentication mechanism to restrict access to certain functionality. They are particularly useful when authenticating remote servers across the public internet. TSIG use isn't just for Dynamic DNS updates, which is what we are looking at here, but also for such diverse things as secure notifies and management of split horizon updates, particularly when you only have a single interface.

Generation

Generating keys is easy:

dnssec-keygen -a HMAC-MD5 -b 512 -n USER ${NAME}

This generates two files called K${NAME}.+*.key and K${NAME}.+*.private. The private file is for the updater and the key file is used by the authenticator.

The -n flag takes a number of different options, notably ZONE and HOST, though it's not clear what difference it makes.

The contents of the key files look something like:

${NAME}. IN KEY 0 3 157 xxx yyy

where xxx and yyy are the magic strings we will use later.
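
An added example (not part of the original guide): a Python check that parses the KEY record shown above, joins the whitespace-split base64 chunks (xxx and yyy) back into one secret, and confirms the algorithm number 157 and the 512-bit length requested with -b 512. The key name ddns-example and the secret bytes are constructed sample values; the secret is the HMAC key that both the updater and the authenticator must hold.

```python
import base64
from dataclasses import dataclass

HMAC_MD5 = 157  # algorithm number in the KEY record shown on this page


@dataclass
class TsigKey:
    name: str
    flags: int
    protocol: int
    algorithm: int
    secret: bytes


def parse_key_record(line: str) -> TsigKey:
    """Parse '<name>. IN KEY <flags> <protocol> <algorithm> <base64 ...>'."""
    fields = line.split()
    if len(fields) < 7 or [f.upper() for f in fields[1:3]] != ["IN", "KEY"]:
        raise ValueError("not an IN KEY record")
    flags, protocol, algorithm = (int(f) for f in fields[3:6])
    # The base64 text is wrapped with whitespace (the "xxx yyy" on the page);
    # the secret is every remaining chunk joined together, not just the first.
    secret = base64.b64decode("".join(fields[6:]), validate=True)
    return TsigKey(fields[0], flags, protocol, algorithm, secret)


def check_key(key: TsigKey, expected_bits: int = 512) -> list[str]:
    """Return a list of problems; an empty list means the key is as generated."""
    problems = []
    if key.algorithm != HMAC_MD5:
        problems.append(f"algorithm {key.algorithm} is not {HMAC_MD5} (HMAC-MD5)")
    if len(key.secret) * 8 != expected_bits:
        problems.append(f"secret is {len(key.secret) * 8} bits, expected {expected_bits}")
    return problems


# Constructed sample: a fixed 64-byte (512-bit) value, NOT a real key.
_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE = f"ddns-example. IN KEY 0 3 157 {_B64[:56]} {_B64[56:]}"
FIRST_CHUNK_ONLY = f"ddns-example. IN KEY 0 3 157 {_B64[:56]}"  # yyy dropped

if __name__ == "__main__":
    for label, record in (("full", SAMPLE), ("truncated", FIRST_CHUNK_ONLY)):
        print(label, check_key(parse_key_record(record)) or "ok")
```

Copying only the first chunk still decodes as valid base64, so the length check is what catches a secret that lost its second half.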
