The aim of TSIG (Transaction SIGnature) is to ensure the authenticity of DNS partners and to guarantee the data integrity of transactions. A DNS participant should thus be able to verify that the partner with whom it is communicating is actually who it claims to be and that received DNS messages were not falsified on the transport route. TSIG is mainly used for server-server communication and less so for client-server communication (exception: dynamic updates).
Encryption of DNS data is not provided for within the scope of TSIG. Since DNS information is generally made available to the public, encryption would bring no gain in security.
With TSIG, two or more DNS servers that communicate with each other share the same key (a symmetric key or shared secret), which is configured manually. When data is exchanged between TSIG-enabled servers (e.g. during a zone transfer or a recursive query), a keyed MD5 hash (HMAC-MD5 in RFC 2845) is computed over each transmitted DNS packet with the shared key and carried in a special TSIG resource record appended to the message. The recipient performs the same MD5 operation with its copy of the key and compares the two signatures. If they are identical, the data comes from the intended partner and has not been tampered with in transit.
TSIG Resource Record
The TSIG-RR is a so-called Meta-RR that is generated dynamically before a DNS message is sent and is discarded after it has been received and evaluated. It does not appear in zone files or in DNS caches.
A TSIG resource record consists of the following fields:
- Name (name of the key)
- Type (always TSIG)
- Class (always ANY)
- TTL (always 0)
- Data (digital signature and other information)
The name can be used to distinguish between different keys. This makes it possible to agree on several keys between two partners, which is particularly useful during a key change, as it allows the old and the new key to be used in parallel for a while.
TSIG is much easier to use than DNSSEC and is ideal in environments with only a few servers. As the number of servers grows, the administration effort rises significantly. Public-key approaches such as DNSSEC have advantages here, as key distribution is much easier.
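The signing and verification flow described above, together with the TSIG RR fields just listed, as an added Python example (not from the original article): it uses HMAC-SHA256 instead of the HMAC-MD5 of RFC 2845, the key name transfer-key., the AXFR query and the shared secret are constructed sample values, and the receiver is assumed to already know the offset of the TSIG RR within the message.

```python
import hashlib, hmac, struct
TYPE_TSIG, CLASS_ANY = 250, 255
ALG = "hmac-sha256."  # RFC 2845 specified HMAC-MD5; HMAC-SHA256 was added later (RFC 4635, now RFC 8945)

def encode_name(name):
    """Wire-format a name as length-prefixed labels ending in a zero byte (TSIG hashes names lowercased)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"

def decode_name(buf, pos):
    """Inverse of encode_name; uncompressed names only, which is all a TSIG RR may carry."""
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode())
        pos += 1 + buf[pos]
    return ".".join(labels).lower() + ".", pos + 1

def mac_input(msg, key_name, time_signed, fudge, error=0, other=b""):
    """Bytes the MAC covers: the message before TSIG was appended, then the TSIG variables
    (key name, class ANY, TTL 0, algorithm, 48-bit time signed, fudge, error, other data)."""
    return (msg + encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)

def sign(msg, key_name, key, now, fudge=300):
    """Sender: append a TSIG RR to an unsigned DNS message and increment ARCOUNT."""
    mac = hmac.new(key, mac_input(msg, key_name, now, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + struct.pack("!HIHH", now >> 32, now & 0xFFFFFFFF, fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # original ID, error 0, other len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] + 1) + msg[12:] + rr

def verify(signed, tsig_offset, keys, now):
    """Receiver: True only if the TSIG RR at tsig_offset (last RR of the additional section; walking the
    sections to find it is omitted) names a known key, is within the fudge window and its MAC matches ours."""
    key_name, p = decode_name(signed, tsig_offset)
    rtype, rclass, ttl, _ = struct.unpack("!HHIH", signed[p:p + 10]); p += 10
    alg, p = decode_name(signed, p)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[p:p + 10]); p += 10
    mac, p = signed[p:p + mac_size], p + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6]); p += 6
    key = keys.get(key_name)
    if key is None or (rtype, rclass, ttl, alg) != (TYPE_TSIG, CLASS_ANY, 0, ALG):
        return False
    # Rebuild the message as the signer saw it: original ID restored, ARCOUNT - 1, TSIG RR removed.
    msg = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", struct.unpack("!H", signed[10:12])[0] - 1) + signed[12:tsig_offset]
    expected = hmac.new(key, mac_input(msg, key_name, (hi << 32) | lo, fudge, error, signed[p:p + other_len]), hashlib.sha256).digest()
    return abs(now - ((hi << 32) | lo)) <= fudge and hmac.compare_digest(mac, expected)

# Constructed sample: a query for example.com. AXFR (ID 0x1234, QDCOUNT 1) and a constructed shared secret.
QUERY = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + encode_name("example.com.") + struct.pack("!HH", 252, 1)
KEYS = {"transfer-key.": b"constructed-demo-secret-do-not-reuse"}
```

A forged key, a clock outside the fudge window or a single changed byte in the question all make verify return False, which is the check a secondary performs before it honours a zone transfer or a server accepts a dynamic update.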
- RFC 2845 (Secret Key Transaction Authentication for DNS)