TSIG Management Services - Help System

Managing TSIG between a Master and Slave Nameserver

This System provides TSIG (Transaction Signatures) Management support. TSIG is a mechanism to help guarantee that what you publish from a primary/master nameserver is what the secondary/slave publishes. TSIG uses a symmetric algorithm (the same key on both sides) therefore only works when there is a trust relationship between the communicating parties.

It is mandatory in the TSIG protocol to support HMAC-MD5. However there is a feeling that it should be replaced with a stronger algorithm such as HMAC-SHA224 or better. The current algorithms that can be used are 160 bit HMAC-SHA1, 224 bit HMAC-SHA224, HMAC-SHA256 (preferred), HMAC-SHA384 or HMAC-SHA512. These newer algorithms are stronger than HMAC-MD5 but may not be present in all versions of DNS software.
The following examples assume the use of the HMAC-SHA256 algorithm.

How to create

  • Select the Primary and your Secondary Nameserver and set the Algorithm to HMAC-SHA256 (or other)
  • In the Keypair field - add a key. The name is arbitrary but should be a legal domain name. It is suggested that a name identifies the trust pair of nameservers ie - if the Primary Nameserver is ns0.registry.com and your secondary nameserver is called ns1.mydom.com - call it something like registry-ns1.mydom.com. Adding some "valid until" info is not a bad idea either - eg registry-ns1.mydom.com.feb.2013
  • You can leave the Secret field blank - and on clicking on the [submit] or [add now] box, the System will generate a secret key, or you can generate your own key and paste it in key yourself
  • to create your own key, run the tool dnssec-keygen with the complete command:
    dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST registry-ns1.mydom.comDEPRECIATED
    tsig-keygen -a HMAC-SHA256 registry-ns1.mydom.com - this will generate the information to go into your named.conf file.

How to use

In your Nameserver Configuration file /etc/named.conf (or /etc/bind/named.conf), change your options so you can only transfer using a key (explicitly don't allow Transfers from the IP addresses of the Primary/Master) and add the keys and servers after the options section. This will force transfers to use Signed Transfers only. Your "allow-transfer" should obviously still include any previously existing "allows", their order is importaint - as in firewall rules.
options {
    directory "/etc/bind";             // Where I keep my DNS stuff.

    allow-transfer {
	key registry-ns1.mydom.com;    // Explicitly allow TSIG XFers
	!;                 // ..and deny non TSIG from my master
	!2001:42a0::81;                // ..from ALL the addresses they have

key registry-ns1.mydom.com {           // Key for this relationship
    algorithm hmac-sha256;
    secret "YourSecretGeneratedKey=";  // tsig-keygen generated key

server {                  // My Master has multiple IP addresses
    keys { registry-ns1.mydom.com; };

server 2001:42a0::81 {                 // ..so specify all of them
    keys { registry-ns1.mydom.com; };
Of course - use your own secret and key names.
The Nameserver in the above example has both IPv4 and IPv6 addresses and either may request a transfer - so there needs to be a trused relationship from all of the addresses - hence all IP's need to be mentioned. If you don't use IPv6 - you may leave that address out.

Before installing TSIG - please make sure you have your computer time Synced with a timeserver using SNTP, NTP (or similar), computers that are adrift by more than 5 minutes will not work. TSIG always uses GMT (or ZULU) time - and takes different zimezones into consideration.

The admin system will show you the Server time (which is GMT+2) as well as your time. If your time is more than 5 seconds different - you will be informed. If this is the case - it really is a good idea to check that your time is syncoronised and that the syncronisation is working correctly. Take into account that you may be on a different Time Zone.

After 12 months, the key will show with a red background and this system will send out weekly e-mail warnings. Its probably a good idea to update your keys on a regular basis (yearly).