TSIG


TSIG is a computer-networking protocol defined
in RFC 2845. Primarily it enables the Domain Name System to authenticate updates to a DNS database. It is most commonly used to update Dynamic DNS or a secondary/slave DNS server. TSIG uses shared secret keys and one-way hashing to provide a cryptographically secure means of authenticating each endpoint of a connection as being allowed to make or respond to a DNS update.
Although queries to DNS may usually be made without authentication, updates to DNS must be authenticated, since they make lasting changes to the structure of the Internet naming system. As the update request may arrive via an insecure channel, one must take measures to ensure the authenticity and integrity of the request. The use of a key shared by the client making the update and the DNS server helps to ensure the authenticity and integrity of the update request. A one-way hashing function serves to prevent malicious observers from modifying the update and forwarding on to the destination, thus ensuring integrity of the message from source to destination.
A timestamp is included in the TSIG protocol to prevent recorded responses from being reused, which would allow an attacker to breach the security of TSIG. This places a requirement on dynamic DNS servers and TSIG clients to contain an accurate clock. Since DNS servers are connected to a network, the Network Time Protocol can provide an accurate time source.
DNS updates, like queries, are normally transported via UDP since it requires lower overhead than TCP. However, DNS servers support both UDP and TCP requests.

Implementation

An update, as specified in RFC 2136, is a set of instructions to a DNS server. These include a header, the zone to be updated, the prerequisites that must be satisfied, and the record to be updated. TSIG adds a final record, which includes a timestamp and the hash of the request. It also includes the name of the secret key that was used to sign the request. RFC 2535 has recommendations on the form of the name.
The response to a successful TSIG update will also be signed with a TSIG record. Failures are not signed to prevent an attacker from learning anything about the TSIG key using specially crafted update "probes".
The nsupdate program can use TSIG to do DNS updates.
The TSIG record is in the same format as the other records in the update request. The meaning of the fields is described in RFC 1035.
FieldBytesValueDescription
NAMEMax. 256Key name; identifies key on both client and server
TYPE2TSIG
CLASS2ANY
TTL40TSIG records must not be cached
RDLENGTH2Length of RDATA field
RDATAVariableStructure containing the timestamp, algorithm and hash data

Alternatives to TSIG

Although TSIG is widely deployed, there are several problems with the protocol:
As a result, a number of alternatives and extensions have been proposed.