TSIG

The aim of TSIG (Transaction Signature) is to ensure the authenticity of DNS partners and the integrity of data in DNS transactions. A DNS participant should be able to verify that the partner it is communicating with really is who it claims to be, and that the DNS messages it receives have not been corrupted in transit. TSIG is used mainly in server-to-server communication and less in client-to-server communication (exception: dynamic updates).

TSIG does not provide encryption of DNS data. Since DNS information is in any case made available to the public, encryption would bring no appreciable gain in security.

Overview

With TSIG, two or more DNS servers that communicate with each other hold the same key (a symmetric key, or shared secret), which is configured manually. When data is exchanged between TSIG servers (for example, during zone transfers and recursive queries), a keyed MD5 hash is computed over each transmitted DNS packet and attached in a special TSIG resource record. The receiver performs the same MD5 operation with its own key and compares the two signatures. If they are identical, the data comes from the expected partner and has not been corrupted.

TSIG resource record

The TSIG RR is a so-called meta-RR: it is generated dynamically before a DNS message is sent and discarded after the message has been received and evaluated. It appears neither in zone files nor in DNS caches.

A TSIG resource record consists of the following fields:

  • Name (name of the key)
  • Type (always TSIG)
  • Class (always ANY)
  • TTL (always 0)
  • Length
  • Data (digital signature and other information)

Different keys can be distinguished by their name. It is possible to agree on several keys between two partners. This is useful above all when changing keys, because the old and the new key can then be used in parallel for some time.
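The following is an added example that is not part of the original article: it models the sign-and-verify exchange from the Overview section and the key-name lookup described just above. It uses HMAC-MD5 (the keyed MD5 operation that RFC 2845 specifies, under the algorithm name HMAC-MD5.SIG-ALG.REG.INT) and the RFC 2845 error names BADKEY, BADSIG and BADTIME. The TSIG record is represented as a simplified Python dict rather than the RFC 2845 wire format, and the key names, secrets and the DNS message bytes are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample key store: two shared secrets configured in parallel,
# distinguished by key name, as during a key rollover (old and new key both valid).
KEYS = {
    "key-old.example.": b"constructed-old-secret-0123456789",
    "key-new.example.": b"constructed-new-secret-abcdefghij",
}

ALGORITHM = "HMAC-MD5.SIG-ALG.REG.INT"  # algorithm name defined in RFC 2845
FUDGE = 300  # seconds of clock difference the receiver tolerates

# Constructed DNS query bytes (header + question for "example." SOA); the real
# content does not matter, only that the MAC covers every byte of it.
SAMPLE_MESSAGE = (b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x07example\x00\x00\x06\x00\x01")


def _mac_input(key_name, message, time_signed, fudge):
    """Bytes covered by the MAC: the DNS message plus the TSIG variables.
    Simplified layout (key name, algorithm, 64-bit time, 16-bit fudge)."""
    return (message
            + key_name.encode("ascii")
            + ALGORITHM.encode("ascii")
            + struct.pack("!QH", time_signed, fudge))


def sign(key_name, message, time_signed, keys=KEYS):
    """Sender side: compute HMAC-MD5 with the named key and return the
    simplified TSIG meta-record that is appended to the message."""
    mac = hmac.new(keys[key_name],
                   _mac_input(key_name, message, time_signed, FUDGE),
                   hashlib.md5).digest()
    return {"name": key_name, "type": "TSIG", "class": "ANY", "ttl": 0,
            "algorithm": ALGORITHM, "time_signed": time_signed,
            "fudge": FUDGE, "mac": mac}


def verify(message, tsig, keys=KEYS, now=None):
    """Receiver side: look up the key by the name in the TSIG record, recompute
    the MAC, compare in constant time and check the timestamp window.
    Returns (ok, rcode_name) using the RFC 2845 error names."""
    secret = keys.get(tsig["name"])
    if secret is None or tsig["algorithm"] != ALGORITHM:
        return False, "BADKEY"
    expected = hmac.new(secret,
                        _mac_input(tsig["name"], message,
                                   tsig["time_signed"], tsig["fudge"]),
                        hashlib.md5).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return False, "BADTIME"
    return True, "NOERROR"


def demo(now=1_700_000_000):
    """Run the exchange for the good case and the failure modes a receiver
    must detect: tampered message, wrong key, unknown key name, stale timestamp."""
    tsig = sign("key-new.example.", SAMPLE_MESSAGE, now)
    tampered = SAMPLE_MESSAGE[:-1] + b"\xff"  # one byte changed in transit
    return {
        "valid": verify(SAMPLE_MESSAGE, tsig, now=now),
        "tampered": verify(tampered, tsig, now=now),
        "wrong_key": verify(SAMPLE_MESSAGE, {**tsig, "name": "key-old.example."}, now=now),
        "unknown_key": verify(SAMPLE_MESSAGE, {**tsig, "name": "key-retired.example."}, now=now),
        "stale": verify(SAMPLE_MESSAGE, tsig, now=now + 2 * FUDGE),
        # the old key is still configured, so a partner not yet migrated keeps working
        "old_key": verify(SAMPLE_MESSAGE, sign("key-old.example.", SAMPLE_MESSAGE, now), now=now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

The receiver never trusts the key name in the record by itself: the name only selects which configured secret to try, and the message is accepted only if the recomputed MAC matches and the timestamp lies within the fudge window. Keeping both the old and the new name in the key store is what allows the parallel operation during a key change that the article describes.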

Assessment

TSIG is much easier to handle than DNSSEC and is advantageous in environments with only a few servers. If too many servers are involved, the administrative overhead increases significantly. Here public-key techniques such as DNSSEC have the advantage that key distribution is much easier.

References

  • RFC 2845 (Secret Key Transaction Authentication for DNS)
  • Domain Name System