TSIG
TSIG (Transaction SIGnature) is a computer networking protocol defined in RFC 2845. It provides a means of authenticating DNS messages and is most commonly used to authenticate dynamic updates (RFC 2136) to a Domain Name System (DNS) database, as well as zone transfers between servers. TSIG uses a shared secret key and a keyed one-way hash (an HMAC) to attach a message authentication code to each request and its response, so that each endpoint of the exchange can verify that the other holds the key and that the message was not altered in transit.
Although queries to DNS may be made anonymously (but see DNSSEC, which protects the integrity of the data itself rather than the transaction), updates to DNS must be authenticated since they make lasting changes to the structure of the internet naming system. A key shared by the client making the update and the DNS server lets the server verify that the request came from a holder of that key. The update request may, however, pass over an insecure channel (the internet). Because the key is only ever used as input to the one-way hash and is never transmitted, an observer who captures a signed request cannot recover the secret key and use it to make modifications of their own.
A timestamp (the "time signed" field) and a tolerance (the "fudge", for which RFC 2845 recommends 300 seconds) are included in every TSIG record so that a recorded request or response cannot simply be replayed later, which would otherwise allow an attacker to reissue an authenticated update. This places a requirement on dynamic DNS servers and their clients to keep accurate clocks, within the fudge window of each other; a server whose clock drifts outside that window rejects every signed request with the TSIG error BADTIME. Since DNS servers are connected to a network, the Network Time Protocol (NTP) is the usual time source. Note that the timestamp only bounds replay to the fudge window: a message replayed within that window still verifies, so servers that need stronger protection must track what they have already accepted.
RFC 2845 specifies only one allowed hashing algorithm, HMAC-MD5 (wire name hmac-md5.sig-alg.reg.int). MD5 is no longer considered secure against collision attacks; although those attacks do not directly break HMAC-MD5 as a message authentication code, MD5 is deprecated for new deployments. In 2006 proposals were circulated to allow the RFC 3174 Secure Hash Algorithm (SHA-1), and the SHA-2 family, as alternatives to MD5; these were published as RFC 4635 (HMAC SHA TSIG Algorithm Identifiers), and HMAC-SHA256 is the usual choice today. The 160-bit digest generated by SHA-1 yields a longer MAC than the 128-bit digest generated by MD5, though the main reason to move off MD5 is its known weaknesses rather than the digest length.
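The following is an added worked example, not code from the original article or from any DNS implementation. It implements the mechanism described above in pure standard-library Python: a constructed RFC 2136 UPDATE message is signed by appending a TSIG RR whose MAC is the HMAC over the message followed by the TSIG variables (key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other data), and then verified the way a server would, including the time-signed/fudge check and a cache of accepted MACs to catch replays inside the fudge window. The key name update-key.example., the hex secret, the update contents and the "REPLAY"/"UNSIGNED" reasons are constructed for illustration; the algorithm name hmac-sha256. is the one later registered for SHA-256 (RFC 2845 itself defines only hmac-md5.sig-alg.reg.int.).

```python
import hashlib, hmac, struct, time

# Algorithm names travel on the wire as domain names; RFC 2845 defined only the MD5 one.
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha1.": hashlib.sha1,
              "hmac-sha256.": hashlib.sha256}
TYPE_TSIG, CLASS_ANY = 250, 255

def encode_name(name):
    """Uncompressed wire form of a domain name, lower-cased (the TSIG canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(wire, pos):
    """Decode the name at pos, following compression pointers; returns (name, end offset)."""
    labels, end = [], None
    while True:
        length = wire[pos]
        if length & 0xC0 == 0xC0:                  # pointer: the rest of the name lives elsewhere
            end = pos + 2 if end is None else end
            pos = struct.unpack(">H", wire[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", pos if end is None else end
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields that are covered by the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(key_name) + struct.pack(">HI", CLASS_ANY, 0)        # CLASS ANY, TTL 0
            + encode_name(algorithm) + time_signed.to_bytes(6, "big")
            + struct.pack(">HHH", fudge, error, len(other)) + other)

def build_update(msg_id, zone, host, ipv4, ttl=300):
    """Constructed RFC 2136 UPDATE adding one A record (opcode 5 gives FLAGS 0x2800)."""
    header = struct.pack(">HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)      # ZOCOUNT=1, UPCOUNT=1
    zone_entry = encode_name(zone) + struct.pack(">HH", 6, 1)        # SOA IN
    a_record = (encode_name(host) + struct.pack(">HHIH", 1, 1, ttl, 4)
                + bytes(int(o) for o in ipv4.split(".")))
    return header + zone_entry + a_record

def sign(message, key_name, key, algorithm, fudge=300, now=None):
    """Append a TSIG RR: MAC = HMAC(key, message || TSIG variables)."""
    time_signed = int(time.time() if now is None else now)
    mac = hmac.new(key, message + tsig_variables(key_name, algorithm, time_signed, fudge),
                   ALGORITHMS[algorithm]).digest()
    rdata = (encode_name(algorithm) + time_signed.to_bytes(6, "big")
             + struct.pack(">HH", fudge, len(mac)) + mac
             + struct.pack(">HHH", struct.unpack(">H", message[:2])[0], 0, 0))  # orig ID, error, other len
    rr = encode_name(key_name) + struct.pack(">HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", message[10:12])[0] + 1                 # the TSIG RR counts in ARCOUNT
    return message[:10] + struct.pack(">H", arcount) + message[12:] + rr

def verify(wire, keyring, now=None, seen=None):
    """Validate the trailing TSIG RR on a received message; returns (ok, reason)."""
    counts = struct.unpack(">HHHH", wire[4:12])
    if counts[3] == 0:
        return False, "UNSIGNED"
    pos = 12                                   # walk every record; the last one must be the TSIG RR
    for section, n in enumerate(counts):
        for _ in range(n):
            start = pos
            _, pos = read_name(wire, pos)
            pos += 4 if section == 0 else 10 + struct.unpack(">H", wire[pos + 8:pos + 10])[0]
    key_name, p = read_name(wire, start)
    algorithm, p = read_name(wire, p + 10)     # skip TYPE, CLASS, TTL, RDLENGTH
    time_signed = int.from_bytes(wire[p:p + 6], "big")
    fudge, mac_len = struct.unpack(">HH", wire[p + 6:p + 10])
    mac, q = wire[p + 10:p + 10 + mac_len], p + 10 + mac_len
    original_id, error, other_len = struct.unpack(">HHH", wire[q:q + 6])
    other = wire[q + 6:q + 6 + other_len]
    if key_name not in keyring or algorithm not in ALGORITHMS:
        return False, "BADKEY"
    # Rebuild exactly what the signer MAC'd: TSIG RR removed, ARCOUNT decremented, original ID restored.
    unsigned = struct.pack(">H", original_id) + wire[2:10] + struct.pack(">H", counts[3] - 1) + wire[12:start]
    expected = hmac.new(keyring[key_name], unsigned + tsig_variables(
        key_name, algorithm, time_signed, fudge, error, other), ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False, "BADSIG"
    if abs(int(time.time() if now is None else now) - time_signed) > fudge:   # skew or stale replay
        return False, "BADTIME"
    if seen is not None:                          # a replay inside the fudge window still verifies;
        if (key_name, mac) in seen:               # only a cache of already-accepted MACs catches it
            return False, "REPLAY"
        seen.add((key_name, mac))
    return True, "NOERROR"

def demo(now=1_700_000_000):
    # Constructed secret and update; returns the verify() reason for each case.
    key = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
    keyring = {"update-key.example.": key}
    msg = build_update(0x1234, "example.", "host.example.", "192.0.2.10")
    signed = sign(msg, "update-key.example.", key, "hmac-sha256.", now=now)
    tampered = signed[:len(msg) - 1] + bytes([signed[len(msg) - 1] ^ 1]) + signed[len(msg):]  # flip an IP octet
    seen = set()
    return {"valid": verify(signed, keyring, now=now, seen=seen)[1],
            "replay": verify(signed, keyring, now=now, seen=seen)[1],
            "tampered": verify(tampered, keyring, now=now)[1],
            "stale": verify(signed, keyring, now=now + 600)[1],
            "unknown_key": verify(signed, {}, now=now)[1]}
```

Running demo() shows the four outcomes a practitioner cares about: the untouched message verifies, flipping one octet of the A record gives BADSIG, presenting it 600 seconds later (beyond the 300-second fudge) gives BADTIME, and an unknown key name gives BADKEY. The MAC comparison uses hmac.compare_digest to avoid a timing side channel, and the verifier reconstructs the unsigned message rather than trusting the client's ID and ARCOUNT fields, which is where real implementations have to be careful.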
In 2003, RFC 3645 extended TSIG with GSS-TSIG, which uses the Generic Security Service API (GSS-API) to negotiate the shared secret, eliminating the need to distribute keys manually to every TSIG client. The key establishment itself is carried by the TKEY resource record (RR) specified in RFC 2930, which defines several modes for agreeing a secret key over DNS; GSS-API negotiation is one of those modes. Microsoft Windows Active Directory servers and clients ship an implementation of GSS-TSIG using Kerberos, called Secure Dynamic Update, that predates the RFC. This implementation has been shown (Broido et al. 2002) to erroneously send dynamic updates to the root DNS servers, increasing the traffic the root servers receive in the course of doing so.
References
- Broido, A., Nemeth, E. and claffy, k. "Spectroscopy of DNS Update Traffic", CAIDA, 2002.
External links
- RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)
- RFC 2845 Secret Key Transaction Authentication for DNS (TSIG)
- RFC 2930 Secret Key Establishment for DNS (TKEY RR)
- RFC 3645 Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)
- RFC 3174 US Secure Hash Algorithm 1
- Draft: HMAC SHA TSIG Algorithm Identifiers (published as RFC 4635)
From Wikipedia, the Free Encyclopedia.
All text is available under the terms of the GNU Free Documentation License.
