In 2017, security problems in two nameservers strictly following [RFC2845] and [RFC4635] (i.e., TSIG and HMAC-SHA extension) specifications were discovered. The implementations were fixed but, to avoid similar problems in the future, the two documents were updated and merged, producing these revised specifications for TSIG.
The second area where the secret key based MACs specified in this document can be used is to authenticate DNS update requests as well as transaction responses, providing a lightweight alternative to the protocol described by [RFC3007].
Use of TSIG presumes prior agreement between the resolver and server involved as to the algorithm and key to be used.
TSIG Options for On-Prem DNS Firewall
On-Prem Firewall supports the following TSIG key options described in the table located on the Sizing Guidelines for DDI Appliances page. A TSIG key format can be modified to best suit the needs of the organization. When a TSIG key modification occurs, the new key will need to be entered into NIOS.
This page has no comments.