
TSIG, or Transaction Signature, is a security protocol used in DNS to authenticate the identity of a client or server. It's a crucial component of secure DNS communication.
TSIG relies on a shared secret key between the client and server, which is used to sign and verify DNS requests. This key is typically stored in a secure location.
The shared secret key is used to create a digital signature, which is then sent along with the DNS request. The server verifies the signature using the same shared secret key, ensuring the request is legitimate.
Readers also liked: EDNS Client Subnet
TSIG Basics
TSIG is an extension to the DNS protocol that adds a cryptographic signature to DNS packets.
This ensures that DNS packets originate from an authorized sender and haven't been tampered with.
A TSIG key consists of a key name, a signing algorithm, and a secret.
The key name is similar to a login user ID and can be any domain name format you wish.
TSIG keys can be as simple as a name like "robert" or as complex as "client.domain1.server.domain2".
The signing algorithm determines the security level of the TSIG signature.
Simple DNS Plus supports HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512.
HMAC-MD5 is the most widely supported algorithm but is considered outdated and less secure.
TSIG signatures are time stamped to prevent "replay attacks" and only valid within a short time window (usually +/- 5 minutes).
Both client and server must have the correct time and time zone configured to use TSIG.
A TSIG key can be generated randomly or based on a pass phrase for easier copying.
Here are the key components of a TSIG key:
- Key name: Similar to a login user ID, can be any domain name format.
- Signing algorithm: Determines the security level of the TSIG signature (e.g. HMAC-MD5, HMAC-SHA1, etc.).
- Secret: A base 64 encoded binary value, similar to a login password.
Setting Up TSIG
To set up TSIG, you need to enable GSS-TSIG and configure the GSS-ACCEPTOR-PRINCIPAL in Per zone settings: Domain Metadata. This will define the principal that's used to accept GSS context requests for names in the specified domain.
The principal defined in GSS-ACCEPTOR-PRINCIPAL must match a principal in the keytab used by the PDNS Server. No wildcards are accepted for this setting.
You'll also need to define one or more GSS-ALLOW-AXFR-PRINCIPAL entries for AXFR, or TSIG-ALLOW-DNSUPDATE entries for DNS update. These must be set to the exact initiator principal names you intend to allow for either AXFR or DNS update.
Explore further: What Is a Web Domain Names
Setting Up
To set up TSIG, you need to enable the GSS-TSIG feature and configure the GSS-ACCEPTOR-PRINCIPAL in Per zone settings: Domain Metadata. This defines the principal that accepts GSS context requests for names in the specified domain, which must match a principal in the keytab used by the PDNS Server.
The GSS-ACCEPTOR-PRINCIPAL must be set to a specific principal name, as wildcards are not accepted. You'll also need to define one or more GSS-ALLOW-AXFR-PRINCIPAL entries for AXFR, or TSIG-ALLOW-DNSUPDATE entries for DNS update, with exact initiator principal names.
These entries must match the principal names you intend to allow for either AXFR or DNS update. If a Lua update policy is defined, no TSIG-ALLOW-DNSUPDATE entries are needed, as the Lua policy defines which principals can update which records.
Take a look at this: Sender Policy Framework
Implementation
To implement TSIG, you'll need to create an update request that includes a header, the zone to be updated, the prerequisites, and the record(s) to be updated.
The update request also includes a TSIG record with a timestamp and the hash of the request, as well as the name of the secret key used to sign the request.
The name of the secret key is identified by the NAME field in the TSIG record, which can be up to 256 bytes.
The TYPE field in the TSIG record is always 250, indicating that it's a TSIG record.
The CLASS field is always 255, indicating that the record is of any class.
The TTL field is always 0, indicating that TSIG records should not be cached.
The RDLENGTH field determines the length of the RDATA field, which contains the timestamp, algorithm, and hash data.
Here's a breakdown of the TSIG record fields:
TSIG Configuration
TSIG Configuration is a crucial aspect of implementing TSIG in your DNS setup. A TSIG key is required to authenticate the client and server, which can be generated using a random string of characters.
To configure TSIG, you'll need to create a TSIG key and specify the algorithm and key size. For example, the TSIG key can be generated using the hmac-sha512 algorithm with a key size of 512 bits.
The TSIG key must then be shared between the client and server, which can be done by storing it in a secure location or by using a secure method of transfer.
HMAC added in 1.1.0
HMAC added in 1.1.0.
The HMAC implementation in TSIG uses the dns.TsigProvider interface to provide standard HMAC TSIG methods.
It holds a map of TSIG key names to base64-encoded secrets, which should be in canonical form according to dns.CanonicalName.
To verify a TSIG MAC, the HMAC algorithm indicated by t.Algorithm is used with h[t.Hdr.Name] as the key.
Any error that occurs during verification is returned.
The HMAC implementation is part of the TSIG configuration, which is used for secure communication in DNS.

It's essential to ensure that the key names are in canonical form to prevent any issues.
Here's a quick summary of the key points:
Creating a Key
Creating a TSIG key is a straightforward process that involves using a shared secret key and one-way hashing to add a cryptographic signature to DNS packets. This ensures that only authorized senders can originate DNS packets.
To create a new TSIG key, you'll need to use the oci dns tsig-key create command with the required parameters. You can also use the CreateTsigKey operation to create a new TSIG key in the specified compartment.
A TSIG key is a separate object from a DNS zone, and you can have a SECONDARY DNS zone reference a TSIG key as part of its ExternalMaster definition. However, creating a new key doesn't do anything for a PRIMARY zone.
To add a TSIG key to an existing list of TSIG keys, simply create another key with a unique TSIG key name and a new algorithm or a new key value. You can also modify fields in an existing TSIG key using the update command.
Here's a summary of the steps to create a new TSIG key:
- Use the oci dns tsig-key create command with the required parameters.
- Use the CreateTsigKey operation to create a new TSIG key in the specified compartment.
Deleting a Key
Deleting a TSIG Key can be done in two ways: using the CLI or the API.
You can use the oci dns tsig-key delete command to delete a specified TSIG key. This command requires the necessary parameters to complete the deletion process.
The DeleteTsigKey operation is another way to delete a specified TSIG key. This operation involves using the API and signing requests, which can be found in the REST APIs and Security Credentials section.
To delete a TSIG key using the CLI, you need to use the oci dns tsig-key delete [OPTIONS] command. For a complete list of CLI commands, flags, and options, see the Command Line Reference.
If you're using the API, you can use the DeleteTsigKey operation to delete the specified TSIG key.
TSIG Security
TSIG Security is a crucial aspect of TSIG authentication. It ensures the integrity and confidentiality of the authentication process.
TSIG uses a shared secret key to authenticate and encrypt DNS messages, which is a significant security feature. This shared secret key is used to create a message authentication code, or MAC, that is included with each DNS message.
The use of a shared secret key and MAC helps to prevent tampering and replay attacks, which are common security threats in DNS. This adds an extra layer of security to the TSIG authentication process.
Discover more: MIME Object Security Services
Gss Support
GSS-TSIG is an extension of TSIG that allows for secure key exchange without manual distribution of keys.
It uses the Generic Security Service (GSS) method, which eliminates the need for manual key distribution.
GSS-TSIG support is specified in RFC 3645, which proposes extending TSIG to allow GSS authentication.
This method is designed to provide a more secure alternative to traditional TSIG.
GSS-TSIG uses Kerberos for authentication, making it a more secure option.
It also uses TKEY to distribute keys automatically, which is defined in RFC 2930.
Here are some key benefits of GSS-TSIG:
- Eliminates the need for manual key distribution
- Uses Kerberos for authentication
- Automatically distributes keys using TKEY
GSS-TSIG is an important alternative to traditional TSIG, offering improved security and convenience.
It's a more modern approach to secure DNS updates and AXFR.
Signed Notification and AXFR Requests
To configure PowerDNS to send out TSIG signed AXFR requests for a zone to its primaries, set the AXFR-MASTER-TSIG metadata item for the relevant domain to the key that must be used. This key is the same one that must be provisioned as outlined in the previous section.
You can configure the use of TSIG for AXFR requests using a Generic SQL backend by setting a specific configuration. This can be done by setting the AXFR-MASTER-TSIG metadata item and provisioning the actual TSIG key.
In fact, this setup corresponds to the TSIG-ALLOW-AXFR access rule defined in the previous section. This rule allows any host with the correct TSIG key to perform the AXFR, even if the host is not within the defined allow-axfr-ips ranges.
To ease interoperability, the equivalent configuration in BIND would look like this. This configuration uses TSIG for all communications with the primary, not just those about AXFR requests.
TSIG Access
TSIG access is a powerful feature that allows you to grant specific hosts access to your zones.
To provision outbound AXFR access, you need to set a metadata item in the ‘domainmetadata’ table called TSIG-ALLOW-AXFR with the key name in the content field.
Any host with the correct TSIG key will be able to perform the AXFR, even if the host is not within the defined allow-axfr-ips ranges.
You can import and activate TSIG keys into the database using pdnsutil, which can be done with the command pdnsutil tsig-key-add.
Prior to version 5.0, you could use pdnsutil with the command pdnsutil tsig-key-import.
In BIND, this configuration would look like this: key "key-name" { algorithm "hmac-sha256"; secret "secret-string"; };
A packet authorized and authenticated by a TSIG signature will gain access to a zone even if the remote IP address is not otherwise allowed to AXFR a zone.
To configure PowerDNS to send out TSIG signed AXFR requests for a zone to its primaries, you need to set the AXFR-MASTER-TSIG metadata item for the relevant domain to the key that must be used.
The actual TSIG key must also be provisioned, as outlined in the previous section.
This setup corresponds to the TSIG-ALLOW-AXFR access rule defined in the previous section.
In the interest of interoperability, the configuration above is (not quite) similar to the following BIND statements: tsig-key "key-name" { algorithm "hmac-sha256"; secret "secret-string"; }; zone "zone-name" { type master; file "zone-file"; };
Discover more: DNS Zone
TSIG Files
TSIG Files are a type of configuration file used in TSIG, which stands for Transaction Signature. They contain a list of keys and their corresponding signatures.
TSIG Files can be used to authenticate and authorize access to DNS servers. This is done by checking the signature of the request against the key in the TSIG File.
A TSIG File typically includes the name of the key, its secret key, and the algorithm used to generate the signature. This information is used to verify the authenticity of the request.
TSIG Files can be used to implement various security features, such as authentication and authorization. By using TSIG Files, administrators can ensure that only authorized requests are processed by the DNS server.
The format of a TSIG File is specific and must be followed to ensure compatibility with the DNS server.
A fresh viewpoint: Zone File
Frequently Asked Questions
What is the difference between TSIG and dnssec?
TSIG and DNSSEC are two different security protocols for DNS, with TSIG using a shared secret key for authentication and DNSSEC using a public-private key pair for signature verification
What is gss-TSIG?
GSS-TSIG is a secure key exchange protocol that uses Kerberos to provide authentication, integrity, and confidentiality for DNS transactions. It's an extension to the TSIG protocol, enhancing security for DNS interactions.
Featured Images: pexels.com

