RFC - 2845

Secret Key Transaction Authentication for DNS (TSIG)

Original:	ftp://ftp.isi.edu/in-notes/rfc2845.txt
Authors:	P. Vixie [ISC], O. Gudmundsson [NAI Labs], D. Eastlake 3rd [Motorola], B. Wellington [Nominum]
Date:	May 2000
Category:	Proposed Standard

---

Updates:
RFC-1035std13 [STD 13]	Domain names - implementation and specification (Updated by RFC-1876exp, RFC-1348, RFC-4033prop, RFC-4035prop, RFC-4034prop, RFC-2308prop, RFC-2065, RFC-2845prop, RFC-2181prop, RFC-1995prop, RFC-1996prop, RFC-2535, RFC-4343prop, RFC-3658, RFC-1982prop, RFC-2136prop, RFC-3425prop, RFC-1101, RFC-1183exp, RFC-2137)

Updated by:
RFC-3645prop	Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)

Referred by:	30 RFC
Refers to:	10 RFC

---

Status

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This protocol allows for transaction level authentication using shared secrets and one way hashing. It can be used to authenticate dynamic updates as coming from an approved client, or to authenticate responses as coming from an approved recursive name server.

No provision has been made here for distributing the shared secrets; it is expected that a network administrator will statically configure name servers and clients using some out of band mechanism such as sneaker-net until a secure automated mechanism for key distribution is available.

---