TKEY Record Overview and Key Features

Author

Reads 8.3K

Bitcoin Gold Cryptocurrency Trading Chart
Credit: pexels.com, Bitcoin Gold Cryptocurrency Trading Chart

A TKEY record is a type of DNS record that maps a domain name to a specific IP address.

It allows for the association of multiple IP addresses with a single domain name, providing flexibility in managing domain configurations.

TKEY records are used in conjunction with TSIG records to provide secure authentication and authorization for DNS updates.

They enable the use of public or private keys for authentication, adding an extra layer of security to DNS operations.

For another approach, see: Hostinger a Record Ip Address

Lookup and Retrieval

To lookup TKEY records, you can use the `dig` command in a terminal. On a Mac, open a terminal by pressing `[command] + [space]` and typing `terminal.app`, then enter. Type `dig example.com tkey` and hit enter to get the TKEY records for example.com.

The TKEY records are listed below the ANSWER SECTION heading. You can also use the TKEY lookup tool to check the TKEY records of a domain. Simply enter the domain name and hit enter, and the tool will query the TKEY records and show them at the top of the page.

The TKEY resource record (RR) has a specific structure, as shown in Table 1 below:

Lookup Records on Linux

Exterior of a building featuring a prominent BTC and exchange sign, indicating a cryptocurrency location.
Credit: pexels.com, Exterior of a building featuring a prominent BTC and exchange sign, indicating a cryptocurrency location.

You can lookup records on Linux using the `dig` command.

To check the TKEY records for a certain domain name, open a terminal by entering [Super] → 'terminal' → [enter].

Type `dig example.com tkey` and hit [enter] to get the TKEY records for example.com.

The TKEY records are listed below the ANSWER SECTION heading.

To get the TKEY records, you'll need to enter a specific command in the terminal.

Here's a quick rundown of the steps:

  1. Open a terminal.
  2. Type `dig example.com tkey` and hit [enter].
  3. The TKEY records are listed below the ANSWER SECTION heading.

Find Records

To find TKEY records, you can use a terminal on your computer.

On a Mac, you can open a terminal by pressing [command] + [space] and then typing 'terminal.app' and hitting [enter].

To check TKEY records on Linux, you can open a terminal by pressing the [Super] key and then typing 'terminal' and hitting [enter].

To check TKEY records using the dig command, type dig example.com tkey and hit [enter] to get the TKEY records for example.com. The TKEY records are listed below the ANSWER SECTION heading.

Readers also liked: Dig Ptr Record

Resolver Keying

Credit: youtube.com, 00178 Retrieve Code Based on 2 Criteria

Resolver keying is a critical component of secure DNS transactions. It involves the exchange of cryptographic keys between a resolver and a server.

A resolver key name should be a domain name locally unique at the resolver, less than 128 octets long in wire encoding, and meaningful to the resolver to assist in distinguishing keys and/or key agreement sessions.

Resolver assigned keying (Mode 4) is an optional feature that allows a server to accept a resolver-assigned key. The keying material must be encrypted under a server key for protection in transmission.

The resolver sends a TKEY query with a Resolver Assignment Mode TKEY RR that specifies the encrypted keying material and a KEY RR specifying the server public key used to encrypt the data, both in the additional information section.

A globally unique key name should be used in resolver assigned keying. The query must be authenticated to prevent an attacker from forging a resolver assigned TKEY query and specifying a shared secret key that would be accepted and used by the server.

Credit: youtube.com, PowerQueries: Lookup

Here are some key points to keep in mind when implementing resolver keying:

  • A resolver key name should be locally unique at the resolver and less than 128 octets long in wire encoding.
  • A globally unique key name should be used in resolver assigned keying.
  • The query must be authenticated to prevent an attacker from forging a resolver assigned TKEY query.

If the error field of the response TKEY is zero, the server has accepted the keying data in the query TKEY.

General Information

TKEY records are not stored or cached, and they don't appear in zone master files.

TKEY records support various modes for establishing and deleting shared secret keying information between DNS resolvers and servers.

The shared secret keying material agreed upon using TKEY is an opaque octet sequence.

TKEY RRs are sent in the additional information section of DNS queries for type TKEY, and the corresponding returned TKEY appears in the answer section of responses to such queries.

Type TKEY queries should not be flagged as recursive, and servers must ignore the recursion desired header bit in TKEY queries they receive.

TKEY messages, including queries and responses, must be authenticated for all modes except GSS-API mode, which provides its own security.

In TKEY messages that contain secret keying material in the Key Data field, that material must be encrypted.

Keys established via TKEY can be treated as soft state and need not be preserved over crashes or reboots.

Record Structure

Credit: youtube.com, How to Use Branded Strings as an Index to a Record Type in TypeScript

The TKEY resource record has a unique structure that sets it apart from other DNS records. Its RR type code is 249.

The TKEY RR has a specific format, with fields that provide information about the key being established. The NAME field is a domain name, while the TTYPE field must be 249, indicating that it's a TKEY RR. The CLASS field must be 255 (ANY), and the TTL field must be zero to prevent caching.

Here's a breakdown of the TKEY RR structure:

The TKEY RR's RDATA field is where the key information is stored, with fields such as Algorithm, Inception, Expiration, Mode, Error, Key Size, Key Data, Other Size, and Other Data.

A different take: Charging Data Record

The Resource Record

The Resource Record is a crucial component of DNS, and TKEY is a specific type of resource record that plays a key role in automatic key management.

A TKEY resource record has a structure that consists of several fields, including NAME, TTYPE, CLASS, TTL, RDLEN, Algorithm, Inception, Expiration, Mode, Error, Key Size, Key Data, Other Size, and Other Data.

Worth a look: Dns Resource Records

Minimalist workspace featuring a laptop, notepads, and a mouse in Budapest.
Credit: pexels.com, Minimalist workspace featuring a laptop, notepads, and a mouse in Budapest.

The TTYPE field is a u_int16_t that MUST be 249, indicating that it's a TKEY resource record. The CLASS field MUST be 255, which is the ANY class.

The TTL field is not used in TKEY RRs and MUST be zero to prevent caching issues. Receipt of a TKEY RR with a non-zero TTL field in a query results in a FormErr error response.

Here's a breakdown of the TKEY Resource Record structure:

Size and Fields

The TKEY resource record has a specific structure, with a maximum of one TKEY RR per DNS message. This record is a meta-RR with a type code of 249.

The TKEY RR has several fields, including NAME, TTYPE, CLASS, TTL, RDLEN, Algorithm, Inception, Expiration, Mode, Error, Key Size, Key Data, Other Size, and Other Data. The Key Size field is an unsigned 16-bit integer in network octet order, specifying the size of the Key Data field in octets.

Credit: youtube.com, CINDEX Specifics 1 - Specifying Record Structure

The Key Data field depends on the mode and context, and its contents are implementation-dependent. The Algorithm field specifies the key use algorithm, and the Inception and Expiration fields indicate the keying information inception and expiration times, respectively.

Here is a breakdown of the TKEY RR fields:

Last Used

The "Last Used" field is a timestamp that indicates when a key was last used. It's stored in the same encoding as the inception and expiration TKEY fields.

This field can be used to determine which keys are the least recently used, and potentially discarded if needed. This can help keep your DNS records organized and up-to-date.

The timestamp is signed from the most recent DNS message TSIG received and validated or sent using the same key. This ensures that the information is accurate and trustworthy.

Modes and Strategies

Servers and resolvers supporting the TKEY specification must implement the ECDH mode, Key Deletion mode, and TKEY Ping mode. These modes are mandatory for servers and resolvers that support TKEY.

Two jazz musicians performing with keyboard and drums in a studio with blue lighting.
Credit: pexels.com, Two jazz musicians performing with keyboard and drums in a studio with blue lighting.

A server supporting TKEY that receives a TKEY request with a mode it doesn't support returns the BADMODE error. This is a way to handle unsupported modes in a TKEY request.

IANA has created a "TKEY Modes" Registry to keep track of defined TKEY modes. The registry includes values for different modes, such as Server Assignment, Diffie-Hellman exchange, and Key Deletion.

Here is a list of the required and optional TKEY modes, based on the registry:

Lookup on Mac OS

To check the TKEY records for a certain domain name on a Mac, you need to open a terminal. You can do this by pressing [command] + [space] → 'terminal.app' → [enter].

In the terminal, type dig example.com tkey and hit [enter] to get the TKEY records for example.com.

The TKEY records are listed below the ANSWER SECTION heading.

To make it easier to find the TKEY records, you can look for the ANSWER SECTION heading in the terminal output.

A fresh viewpoint: Dns Records Example

Resolver Name Strategy

Woman's hands typing on a wireless laptop at a modern office desk, highlighting technology in business.
Credit: pexels.com, Woman's hands typing on a wireless laptop at a modern office desk, highlighting technology in business.

For a TKEY RR with a non-root Name appearing in a query, the TKEY Name field SHOULD be a domain name locally unique at the resolver.

A resolver name should be less than 128 octets long in wire encoding to ensure it fits within the DNS protocol wire encoding name length limit of 255 octets.

This length limit is crucial to avoid truncation issues when a resolver-provided name portion is concatenated with a server-provided name portion.

5 Modes

In the realm of TKEY modes, there are several key strategies to keep in mind.

Servers must implement the ECDH mode, Key Deletion mode, and TKEY Ping mode.

TKEY Ping mode is a test of basic TKEY plumbing, used to check the synchronization of resolver and server clocks, and to determine if TKEY is implemented at a server without changing the key storage state.

The server responds with a Ping Mode TKEY RR in the answer section of its response, copied from the query, except that it sets the Expiration field to the value of the server's clock.

Detailed macro shot of a camera mode dial, showcasing settings in black and white.
Credit: pexels.com, Detailed macro shot of a camera mode dial, showcasing settings in black and white.

A server MAY include a deletion mode TKEY RR spontaneously in the additional information portion of any DNS query response, but this SHOULD NOT be done unless the server has reason to believe that the resolver supports TKEY.

The TKEY modes specified in the subsections below do not provide for agreement on a key but provide other functions.

Modes 0x0001 (Server Assignment), 0x0004 (Resolver Assignment), and 0x0008 (TKEY Ping) are MUST implement modes.

Here are the MUST implement modes:

The use of Diffie-Hellman Exchanged Keying mode is NOT RECOMMENDED due to reasons outlined in Appendix A, and use of ECDH Exchanged Keying is RECOMMENDED as an alternative.

A unique perspective: Dns Records Pihole Use Port

5.1 Agreement Modes

In TKEY modes, servers and resolvers must implement the ECDH mode, Key Deletion mode, and TKEY Ping mode. These modes are specified in this document.

A resolver and a server can agree on shared secret keying material for use in TSIG through DNS requests. Such queries must have a TKEY RR in the additional information section and the response must have a TKEY RR in the answer section.

Positive female recording podcast on mic while working in light studio against white brick wall
Credit: pexels.com, Positive female recording podcast on mic while working in light studio against white brick wall

The inception and expiration time in TKEY RRs with a mode intended to result in key agreement refer to a secret key validity interval, except in the case of GSS-API mode. For all other key agreement modes, the inception and expiration times in the query TKEY RR are those requested for the keying material.

If the expiration time in the resolver query is in the past or if it is before the inception time, a BADTIME error must be returned. If the inception time in the resolver query is in the future, indicating an attempt to agree on a future key, a BADTIME error may be returned by the server.

Here are the key agreement modes:

Note that the Diffie-Hellman exchange mode is deprecated and should not be used unless needed for compatibility with old TKEY implementations.

5.1.4. Gss-Api Establishment

GSS-API Establishment is a mode of TKEY query and response that allows the resolver and server to exchange GSS-API tokens. This mode is described in "Generic Security Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)" [RFC3645], which should be consulted for the full description.

Crop cheerful young ethnic female vlogger touching screen on cellphone while preparing for video record in town
Credit: pexels.com, Crop cheerful young ethnic female vlogger touching screen on cellphone while preparing for video record in town

The resolver and server can exchange queries and responses for type TKEY with a TKEY RR specifying the GSS-API mode in the additional information section and a GSS-API token in the key data portion of the TKEY RR.

Any issues of possible encryption of parts the GSS-API token data being transmitted are handled by the GSS-API level. In addition, the GSS-API level provides its own authentication so that this mode of TKEY query and response MAY be, but does not need to be, authenticated with a TSIG RR or SIG(0) RR.

The inception and expiration times in a GSS-API mode TKEY RR are ignored.

Documentation Mode

Documentation Mode is a TKEY Mode assigned for use in examples or documentation. It's designated as Mode 7 and is not intended for any other use.

A server will respond with a BADMODE error message if it receives a TKEY RR indicating this mode. This error message is a clear indication that the server does not recognize Mode 7.

Mode 7 is specifically assigned for documentation purposes, and it's not something you'll ever see used in real-world applications.

Wrapping Algorithm Registry

A collection of vintage floppy disks showcasing retro data storage technology.
Credit: pexels.com, A collection of vintage floppy disks showcasing retro data storage technology.

The TKEY Key Wrapping Algorithm Registry is a crucial part of secure key establishment between DNS clients and servers. It's used to support TSIG, which is a protocol for secure key exchange.

Triple-DES is one of the key wrapping algorithms listed in the registry, with a value of 0x01 and a reference to RFC3217. AES-pad is another algorithm, with a value of 0x02 and a reference to RFC5649.

The registry also includes some reserved and unassigned values, which are marked as 0x00, 0xFF, and 0x04-0xFE. These values are not currently in use.

Here's a quick rundown of the key wrapping algorithms listed in the registry:

Copy Shared Secret to Both Machines

When setting up shared secret keys between hosts, it's essential to ensure they have the same key name. An arbitrary key name is chosen, like "host1-host2.", and must be the same on both machines.

This key name is crucial for identifying the shared secret. The key name must be identical on both hosts for the shared secret to work correctly.

Warm, inviting interior featuring a vintage record player, vinyl records, and cozy seating.
Credit: pexels.com, Warm, inviting interior featuring a vintage record player, vinyl records, and cozy seating.

To copy the shared secret to both machines, you can refer to the section on "Dynamic Update Policies". This is where you'll find more information on the update-policy statement, which can help you manage the shared secret more efficiently.

After setting up the shared secret, you can use it to authenticate TKEY queries and responses with TSIG. This is a secure way to authenticate exchanges, like setting up a new key before rolling over to the new key.

Security and Authentication

Security and Authentication is a top priority when it comes to TKEY records. All TKEY queries and responses MUST be authenticated, or a server will return a NotAuth error.

A shared secret key between the resolver and server is a common method of authentication, using TSIG to authenticate TKEY messages. This secret key can be used to authenticate a TKEY exchange that sets up a new key before rolling over to that new key.

Credit: youtube.com, Tillitis TKey: A new kind of security device - Michael MC Cardell Widerkrantz, Tillitis AB

To prevent replay attacks, the keying material used in TSIG or SIG(0) RR must not have a lifetime of more than 2**31 - 1 seconds, or about 68 years. This ensures that an attacker cannot replay a TKEY message by waiting for the key to expire.

Secret keys and private keys are very sensitive information and should be protected at all costs. All practical steps should be taken to protect them on every host where they are stored, and hosts should be physically protected to prevent unauthorized access.

Secret KeK Encryption

Secret KeK Encryption is a powerful method for protecting sensitive data in the DNS protocol. It uses a shared secret key as a Key Encrypting Key (KEK) to encrypt the Key Data field in a TKEY resource record.

A TSIG secret key is used as a KEK candidate if the TKEY RR is authenticated by a TSIG. This provides an additional layer of security for the Key Data field. The use of a shared secret key as a KEK ensures that only authorized parties can access the encrypted data.

The KEK is used to protect the Key Data field, which contains sensitive information. This is especially important when using resolver assigned keys, as an attacker could forge a resolver assigned TKEY query if the query is not authenticated.

Private Records

Credit: youtube.com, Most PRIVATE 2FA apps

Private records play a crucial role in the signing process, signaling its state with a default type value of 65534.

These records will have a nonzero value for the final octet after signing is complete, especially for those that initially had a nonzero octet.

The private type record format consists of five octets: algorithm, key id in network order, removal flag, complete flag, and more.

Only records flagged as "complete" can be removed via dynamic update, while attempts to remove other private type records will be silently ignored.

A zero first octet in a private record indicates changes to the NSEC3 chains are in progress, containing an NSEC3PARAM record and a flag field that tells what operation to perform.

The flag field in this case includes OPTOUT, CREATE, REMOVE, and NONSEC, each with its own specific operation to perform based on the flag bits.

Registry and Management

The TKEY record relies on a set of registries to manage its parameters. IANA is responsible for maintaining these registries.

Credit: youtube.com, Setting Up KTL Record History in ⏱️10 Minutes

The TKEY Modes Registry is one of the key registries, which includes a list of TKEY modes. Table 4 outlines the initial contents of this registry, with values ranging from 0x0000 to 0xFFFF. The Description column provides a brief explanation of each mode, while the Implementation and Reference columns specify the requirements and documentation for each mode.

Here's a breakdown of the TKEY Modes Registry:

Registry Group

IANA is responsible for maintaining a registry group for DNS TSIG and TKEY parameters. This registry group includes the TSIG algorithm names registry and two new registries created for TKEY modes and key wrapping algorithms.

The TSIG algorithm names registry is initially empty, but will be populated with new values as needed. The TKEY modes registry, on the other hand, has an initial set of values defined, ranging from 0x0000 to 0xFFFF.

Here are the initial contents of the TKEY modes registry:

The TKEY key wrapping algorithm registry also has an initial set of values defined, including Triple-DES and AES-pad.

8.3.1 Modes Registry

Young woman in office working on a tablet. Modern technology at a stylish workspace.
Credit: pexels.com, Young woman in office working on a tablet. Modern technology at a stylish workspace.

The TKEY Modes Registry is a crucial part of managing TKEY modes. It's a table that lists all the possible modes, their descriptions, and the implementation status.

The registry has 16 initial contents, starting from 0x0000 to 0xFFFF. The first row is reserved, while the rest are assigned to different TKEY modes.

Here's a breakdown of the modes:

Servers and resolvers supporting this specification MUST implement the ECDH mode, Key Deletion mode, and TKEY Ping. All other modes are OPTIONAL.

Security Considerations

Secret keys agreed to using TKEY and private keys corresponding to public keys are very sensitive information that needs to be protected on every host where they're stored.

This means taking all practical steps to safeguard them, such as physically protecting the hosts and ensuring that unprivileged processes don't have access to keying material.

If you're running a DNS resolver on a shared machine, you'll need to exercise great care to prevent users from seeing your configuration data.

Resolvers that run unprivileged can expose your configuration to all users of the host.

To prevent denial of service via TKEY, DNS servers and resolvers should implement rate limiting to control the number of requests they receive.

Glen Hackett

Writer

Glen Hackett is a skilled writer with a passion for crafting informative and engaging content. With a keen eye for detail and a knack for breaking down complex topics, Glen has established himself as a trusted voice in the tech industry. His writing expertise spans a range of subjects, including Azure Certifications, where he has developed a comprehensive understanding of the platform and its various applications.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.