What is TSIG
A TSIG key is configured with three fields.

Name: The name should reflect the names of the two hosts and uniquely identify the key among the set of keys those hosts may share at any given time (a name built from both host names is the usual convention).

Algorithm: The keyed-hash (HMAC) algorithm used to compute and verify the message authentication code. TSIG is a symmetric mechanism: there is no public key, and nothing is encrypted; both ends hold the same shared secret. Applicable algorithms include hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. Prefer an hmac-sha256 or stronger variant; hmac-md5 and hmac-sha1 remain only for interoperability with older software.

Secret: The base64 string encoding the binary shared secret that corresponds to the key.
If the server does not recognize the key name, or does not support the algorithm, it answers with TSIG error BADKEY; if the key is known but the MAC does not verify, it answers with BADSIG. Both of these responses MUST be unsigned, as specified in [4.]. If the time signed in the request lies outside the fudge window around the server's clock, the server answers with BADTIME, and that response is signed, with the server's own time in the Other Data field; this is an indication that the client and server clocks are not synchronized. The data that is signed is specified in [4.]. A response whose TSIG RR is missing, is not the last record of the additional section, or names a key other than the one the client used is treated as having a format error and discarded. The client MAY retry the request using the key specified by the server. When a signed multi-message transfer is cut short, the client SHOULD treat this the same way as it would any other interrupted transfer, although the exact behaviour is not specified.

Secret keys are very sensitive information, and all available steps should be taken to protect them on every host on which they are stored. Generally such hosts need to be physically protected. If they are multi-user machines, great care should be taken that unprivileged users have no access to keying material. Resolvers often run unprivileged, which means all users of a host would be able to see whatever configuration data the resolver uses. A name server usually runs privileged, which means its configuration data need not be visible to all users of the host. For this reason, a host that implements transaction-based authentication should probably be configured with a "stub resolver" and a local caching and forwarding name server. This presents a special problem for [RFC], which otherwise depends on clients to communicate only with a zone's authoritative name servers.

Use of strong random shared secrets is essential to the security of TSIG; see [RFC] for a discussion of this issue. The secret should be at least as long as the output of the keyed message digest it is used with. The approach specified here is computationally much less expensive than the signatures specified in [RFC]. As long as the shared secret key is not compromised, strong authentication is provided for the last hop from a local name server to the user resolver.

Secret keys should be changed periodically. If the client host has been compromised, the server should suspend the use of all secrets known to that client. If possible, secrets should be stored in encrypted form. Secrets should never be transmitted in the clear over any network. This document does not address how to distribute secrets.
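The exchange and the checks described above, as an added example that is not part of the original page nor any DNS server's code: a query is built on the raw DNS wire format, signed with a TSIG RR over hmac-sha256, and verified the way a server must, distinguishing BADKEY, BADSIG and BADTIME in that order; it also generates a base64 shared secret of the digest's length, as recommended above. Everything in it is assumed for illustration: the key name ns1-ns2.example., the SOA query for example.com, the fixed timestamps and the 300-second fudge. Only uncompressed names are decoded, which is all a TSIG RR needs.

```python
# Added example (not the page's code, nor any DNS implementation's): TSIG over raw DNS wire
# format per RFC 8945, standard library only. Key name, query and timestamps are constructed.
import base64
import hashlib
import hmac
import secrets
import struct
import time

HASHES = {"hmac-sha256.": hashlib.sha256, "hmac-sha1.": hashlib.sha1,
          "hmac-md5.sig-alg.reg.int.": hashlib.md5}        # IANA TSIG algorithm names
TSIG_TYPE, CLASS_ANY = 250, 255

def wire_name(name):
    """Canonical wire form: lowercase labels, each length-prefixed, ending in a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, pos):
    """Read labels; a compression pointer ends the name and is not followed (TSIG names are never compressed)."""
    labels = []
    while buf[pos] and not buf[pos] & 0xC0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels).lower() + ".", pos + (2 if buf[pos] else 1)

def new_secret(alg="hmac-sha256."):
    """Fresh random secret at least as long as the digest, base64-encoded as config files expect."""
    return base64.b64encode(secrets.token_bytes(HASHES[alg]().digest_size)).decode()

def build_query(msg_id, qname, qtype):
    """Minimal one-question query (RD=1) with empty answer, authority and additional sections."""
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_variables(key_name, alg, time_signed, fudge, error, other=b""):
    """TSIG RR fields covered by the MAC, in the order RFC 8945 section 4.3.3 lists them."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
            + struct.pack("!Q", time_signed)[2:] + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret, alg, message, variables, request_mac=b""):
    """HMAC over [length-prefixed request MAC, responses only] + DNS message + TSIG variables."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    return hmac.new(secret, prefix + message + variables, HASHES[alg]).digest()

def sign(message, key_name, secret, alg="hmac-sha256.", now=None, fudge=300):
    """Append a TSIG RR to a request and bump ARCOUNT; the MAC covers the message as it was before."""
    now = int(time.time()) if now is None else now
    mac = tsig_mac(secret, alg, message, tsig_variables(key_name, alg, now, fudge, 0))
    rdata = (wire_name(alg) + struct.pack("!Q", now)[2:] + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))          # original ID, error 0, other len 0
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def verify(signed, keys, now=None):
    """Server side, checked in the order the RFC prescribes (key, MAC, time); keys maps
    key name -> (algorithm name, secret bytes). Returns the TSIG result name."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(qd):
        pos = read_name(signed, pos)[1] + 4                    # QTYPE + QCLASS
    for _ in range(an + ns + ar - 1):                          # every RR before the trailing TSIG RR
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = read_name(signed, pos)
    alg, pos = read_name(signed, pos + 10)                     # skip TYPE, CLASS, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac, pos = signed[pos + 10:pos + 10 + mac_len], pos + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    if key_name not in keys or keys[key_name][0] != alg:
        return "BADKEY"            # unknown key or algorithm: reply unsigned, TSIG error 17
    # Rebuild exactly what the client signed: original ID, ARCOUNT - 1, TSIG RR removed.
    message = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    variables = tsig_variables(key_name, alg, time_signed, fudge, error, other)
    if not hmac.compare_digest(tsig_mac(keys[key_name][1], alg, message, variables), mac):
        return "BADSIG"            # key known, MAC wrong: reply unsigned, TSIG error 16
    if abs(now - time_signed) > fudge:
        return "BADTIME"           # clocks out of sync: reply signed, server time in Other Data, error 18
    return "NOERROR"

def demo():
    """Sign one query, then show the three failures a server must tell apart."""
    secret = base64.b64decode(new_secret())
    key_name = "ns1-ns2.example."                               # constructed: names both hosts sharing it
    keys = {key_name: ("hmac-sha256.", secret)}
    signed = sign(build_query(0x1234, "example.com.", 6), key_name, secret, now=1_700_000_000)
    tampered = bytearray(signed)
    tampered[26] ^= 1                                           # flip a bit in QTYPE after signing
    return [verify(signed, keys, now=1_700_000_100),            # 100 s skew, within the 300 s fudge
            verify(signed, keys, now=1_700_001_000),            # 1000 s skew
            verify(bytes(tampered), keys, now=1_700_000_100),
            verify(signed, {"other.example.": ("hmac-sha256.", secret)}, now=1_700_000_100)]

if __name__ == "__main__":
    print(demo())   # ['NOERROR', 'BADTIME', 'BADSIG', 'BADKEY']
```

Run it as a script to see the four results. The verifier works on any signed packet whose TSIG RR is the last record of the additional section, which the specification requires. A production verifier would additionally reject MACs truncated below what the algorithm allows, and a client would need the response-side MAC input (the request MAC prefixed to the data) to check the signed BADTIME reply.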
Secrets should never be shared by more than two entities.

Generating a Kerberos keytab on a Windows Server domain controller

A Windows Server domain controller allows you to generate a keytab file with only one key for a principal. This is useful when the KDC holds keys of multiple encryption types for that principal and you want the keytab to carry just one of them. The keytab contains the principal's long-term key, so ensure that you store and transport its contents securely. Infoblox strongly recommends particular encryption types for compatibility purposes; in general, prefer the AES types (aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96), since single DES is deprecated (RFC 6649) and disabled by default on current Windows versions, and RC4-HMAC is deprecated as well (RFC 8429). To export the keytab file using a Microsoft Windows Resource Kit, run ktpass on the domain controller. Only a fragment of the command line is shown here, "COM -mapuser ns1 corpxyz.", i.e. the tail of the principal's upper-case realm followed by the -mapuser option naming the AD account to which the principal is mapped.
Note that this parameter is case sensitive: Kerberos principal names, including the realm, must be typed exactly. If you omit the account name, the mapping is deleted from the specified principal. You can use ksetup without any parameters or arguments to see the current mapped settings and the default realm. The ktpass command changes the account password to the specified value, which increments the key version number (kvno) of the user account; the keytab it writes carries the new kvno, and any keytab exported earlier for the same principal stops working.
You can choose the encryption type of the key with the -crypto option. After you execute the command to generate the keytab file, the AD domain controller displays a series of messages confirming that it successfully generated the keytab file, beginning with the controller it targeted (Targeting domain controller: ...). DES encryption types are not enabled by default; you can enable DES on the Windows server, and it must also be enabled for the account (include the corresponding ktpass option if you did not enable DES encryption for the account beforehand). Whenever you switch the account to a new encryption type, you must change the user's password, because the KDC derives a key of the new type only at the next password change; otherwise, the ticket issued for the principal becomes unusable.
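Once ktpass has written the file, the first thing to check is what it actually contains. The following is an added example, not code from this page, Infoblox or Microsoft: it writes and parses a keytab in the MIT 0x0502 format that ktpass emits, then reports entries whose encryption type is deprecated or whose kvno no longer matches the account, the two ways a keytab quietly stops working after a password reset or an encryption-type change. The principal DNS/ns1.example.com@EXAMPLE.COM, the kvnos, the timestamps and the key bytes are constructed sample data.

```python
# Added example (not from the page, Infoblox or Microsoft): write and read the MIT-format keytab
# that ktpass emits, and audit its entries before the file is transported anywhere.
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DEPRECATED = {1, 3, 23}          # single DES (RFC 6649) and RC4-HMAC (RFC 8429)
KRB5_NT_PRINCIPAL = 1

def _cstr(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack("!H", len(b)) + b

def _read_cstr(data, pos):
    n = struct.unpack("!H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def keytab_bytes(entries):
    """Serialise [(principal, kvno, enctype, key, timestamp)] as a version 0x0502 keytab."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack("!H", len(comps)) + _cstr(realm.encode())      # v2: realm not counted
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack("!IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack("!HH", enctype, len(key)) + key
        body += struct.pack("!I", kvno)                                    # 32-bit vno used by current tools
        out += struct.pack("!i", len(body)) + body
    return out

def parse_keytab(data):
    """Return one dict per live entry; a negative size marks a deleted slot, which is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack("!i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        ncomp = struct.unpack("!H", data[pos:pos + 2])[0]
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        _name_type, ts, vno8 = struct.unpack("!IIB", data[pos:pos + 9])
        enctype, klen = struct.unpack("!HH", data[pos + 9:pos + 13])
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        vno = struct.unpack("!I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno, "timestamp": ts,
                        "enctype": ENCTYPES.get(enctype, f"enctype-{enctype}"),
                        "deprecated": enctype in DEPRECATED, "key": key})
        pos = end
    return entries

def audit(entries, account_kvno=None):
    """Findings to review before trusting the file: deprecated enctypes and stale kvnos
    (ktpass resets the account password and bumps the kvno, so an older keytab stops working)."""
    findings = []
    for e in entries:
        if e["deprecated"]:
            findings.append(f"{e['principal']}: {e['enctype']} is a deprecated encryption type")
        if account_kvno is not None and e["kvno"] != account_kvno:
            findings.append(f"{e['principal']}: keytab kvno {e['kvno']} != account kvno {account_kvno}")
    return findings

# Constructed sample: what a ktpass export for a DNS service principal might contain, plus one
# stale RC4 entry left over from an earlier export. Keys are dummy bytes, not real key material.
SAMPLE = [("DNS/ns1.example.com@EXAMPLE.COM", 3, 18, bytes(range(32)), 1_700_000_000),
          ("DNS/ns1.example.com@EXAMPLE.COM", 2, 23, bytes(range(16)), 1_690_000_000)]

def demo():
    entries = parse_keytab(keytab_bytes(SAMPLE))
    return [(e["principal"], e["kvno"], e["enctype"]) for e in entries], audit(entries, account_kvno=3)

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

For a real file, call parse_keytab(open(path, "rb").read()) and pass the account's current kvno (the msDS-KeyVersionNumber attribute of the AD account) to audit(); an empty result means every key in the file is of an acceptable type and matches the version the KDC is issuing tickets for.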
The zone must be in the same AD domain as the member that is sending the updates. You can add information for a forward zone and a reverse zone.

Kerberos tickets, like TSIG signatures, are accepted only within a small time window around the issuer's clock, so it is critical that both client and server have the correct time. This is best achieved using automatic periodic time synchronization against an Internet time server, which is enabled by default on newer Windows versions but may require special configuration or software on older Windows versions and other operating systems.
Simple DNS Plus.