Page tree


GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is used to authenticate DDNS updates. It is a variant of the TSIG authentication which uses the Kerberos v5 authentication system.

GSS-TSIG consists of a set of client-server negotiations to establish a security context. It makes use of a Kerberos server (for example, when it is running on the AD domain controller) that functions as the Kerberos KDC (Key Distribution Center) and provides session tickets and temporary session keys to users and computers within an Active Directory (AD) domain. Together, the client and server create and verify transaction signatures on messages they exchange. Microsoft Server versions 2012 R2, 2016, and 2019 support DDNS updates that use GSS-TSIG. You can configure the on-premise host to accept GSS-TSIG–signed DDNS updates from one or more clients that belong to different AD domains in which each domain has a unique Kerberos key that corresponds to a DNS service principal.

The following is a high-level diagram of the GSS-TSIG process:

To view the list of GSS-TSIG entries:

  • If you are a user,  click Manage > Keys > GSS-TSIG. If there are multiple entries, click the particular entry to view its details. If there are no entries, you can create one by following the instructions in Creating GSS-TSIG.
  • If you are an administrator, you can create, edit, or delete a GSS-TSIG entry. If you are a user, you can only view a GSS-TSIG entry. For more information, see Role-based Access Control.

After enabling GSS-TSIG, you can view the transactions in service logs. For more information, see Viewing Service Logs.

You can also do the following in the GSS-TSIG tab:

  • Reorder the columns, or select the columns to be displayed: Click .
  • Modify a GSS-TSIG entry: Click  Edit, or select the checkbox for a specific record and click the Edit button.

  • Delete the GSS-TSIG entry: Click  > Deleteor select the respective AnyCast address and click the Delete button. A GSS-TSIG entry can be deleted only if it is not used in the GSS-TSIG DNS configuration in the Global DNS Properties, in the DNS Config profile, or at the level of the DNS server.

  • GSS-TSIG entry's information, such as principal, algorithm, version, domain (realm), comment, and tags are shown in the information pane by default. Comment and tags can be modified. If you do not want to view the details in the panel on the right, click .

  • Search for records in BloxOne DDI according to a specific keyword: Type the keyword in the Search text box. 

  • Filter the objects by Principal, Domain, Version, Algorithm, Comments, or Tags:  Click 

You can perform the following actions:

  • No labels

This page has no comments.