TSIG
... Transaction Authentication for DNS (TSIG) [RFC2845]
protocol was developed to provide lightweight authentication and
integrity of messages between two DNS entities, such as client and
server or server and server. TSIG can be used to protect dynamic
update messages, authenticate regular messages or to off-load
...
... integrity of the answers.
The TSIG protocol [RFC2845] is extensible through the definition of
new algorithms ...
... signatures are exchanged by the Client and Server as a part
of the TSIG records exchanged in DNS messages sent between the
Client and Server ...
...
Modification to RFC 2845prop allows use of TSIG by signing the server's
response in an explicitly specified place in a multi-message exchange ...
... context handle. The key_name is
the owner name of the TKEY and TSIG records sent between a client and
a server to indicate to each other which context ...
... clients and servers that support GSS-TSIG it is REQUIRED that
the security mechanism used by the client ...
... TKEY record is a general
mechanism for establishing secret keys for use with TSIG. For more
information, see [RFC2930].
...
... interoperability of the implementations of the GSS-TSIG
mechanism, the client MUST specify a valid ...
... algorithm and MUST NOT use the GSS-
TSIG algorithm to establish this security context. This document
...
... TKEY record in the answer section
of the query. The response MUST be signed with a TSIG record. Note
that the server is allowed to sign a response to unsigned client's
...
... 2845prop specified in Section 2.2
above. The signature in the TSIG record MUST be verified using the
procedure detailed in section 5, Sending and Verifying Signed
Messages. If the response is not signed, OR ...
... major_status is GSS_S_COMPLETE, then the signature in the TSIG record
MUST be verified using the procedure detailed in section 5, Sending
and Verifying Signed Messages ...
... The error field in the TKEY record is set to NOERROR. The message
MUST be signed with a TSIG record as described in section 5, Sending
and Verifying Signed Messages. Note that the server is allowed to sign a
...
... TKEY record received from the client MUST be returned in the Answer
section of the response. The message MUST be signed with a TSIG
record as described in section 5, Sending and Verifying Signed
Messages. Note that the server is allowed to sign a response to unsigned
...
... signature routine
includes the whole DNS message with specific TSIG variables appended.
For the exact format, see [RFC2845]. For this protocol, use the
following TSIG variable values:
TSIG ...
... Algorithm Name = gss-tsig
Assign the remaining fields in the TSIG RDATA appropriate values as
described in [RFC2845 ...
... context_handle = context_handle for key_name
OCTET STRING message = outgoing message plus TSIG
variables (per [RFC2845])
...
... does not map to an established context, the server MUST send a
standard TSIG error response to the client indicating BADKEY in the
TSIG error field (as described in [RFC2845]).
...
... context_handle = context_handle for key_name
OCTET STRING message = incoming message plus TSIG
variables (per [RFC2845])
...
... RFC2845], the timer values of the
TSIG record MUST also be valid before considering the message to be
authentic. The caller ...
... When a server is processing a client request, the server MUST send a
standard TSIG error response to the client indicating BADKEY in the
TSIG error field as described in [RFC2845], if major_status is set to
one of the following values
...
...
If the timer values of the TSIG record are invalid, the message MUST
NOT be considered authentic. If this error checking fails when a
server is processing a client request ...
... TKEY query. In addition, this server places a
TSIG record in the additional records section of its response. The server
calls GSS_GetMIC to generate a signature to include in the TSIG
record. The server specifies the following GSS_GetMIC INPUT
...
... context_handle)
entry in the server's mapping table
OCTET STRING message = outgoing message plus TSIG
variables (as described in [RFC2845])
...
... 789.client.example.com.server.example.com. key_name
OCTET STRING message = incoming message plus TSIG
variables (as described in [RFC2845])
...
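To make the GSS_GetMIC / GSS_VerifyMIC input concrete, here is an added Python example (not from the RFC or any implementation) that builds the "message plus TSIG variables" octet string in the RFC 2845 layout with the Algorithm Name set to gss-tsig, and applies the timer check a verifier must pass before treating a message as authentic. The key name, timestamp and message bytes are constructed sample values, and the caller is assumed to pass the DNS message with the TSIG RR already removed.

```python
import struct
import time

TSIG_ALGORITHM = "gss-tsig"   # Algorithm Name used for this protocol
CLASS_ANY = 255               # TSIG RRs are carried in class ANY (RFC 2845)


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in canonical (lowercase, uncompressed) wire form."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def tsig_variables(key_name, time_signed, fudge, error=0, other_data=b""):
    """TSIG variables appended to the message before signing (RFC 2845):
    NAME, CLASS, TTL, Algorithm Name, Time Signed, Fudge, Error, Other Len, Other Data."""
    if not 0 <= time_signed < (1 << 48):
        raise ValueError("time_signed must fit in 48 bits")
    return (
        name_to_wire(key_name)                    # owner name = key_name
        + struct.pack("!HI", CLASS_ANY, 0)        # CLASS = ANY, TTL = 0
        + name_to_wire(TSIG_ALGORITHM)            # Algorithm Name = gss-tsig
        + time_signed.to_bytes(6, "big")          # 48-bit Time Signed
        + struct.pack("!HHH", fudge, error, len(other_data))
        + other_data
    )


def mic_input(dns_message, key_name, time_signed, fudge, error=0, other_data=b""):
    """OCTET STRING message for GSS_GetMIC (outgoing) or GSS_VerifyMIC (incoming):
    the DNS message (assumed: TSIG RR already stripped) plus the TSIG variables."""
    return dns_message + tsig_variables(key_name, time_signed, fudge, error, other_data)


def timers_valid(time_signed, fudge, now=None):
    """Timer check the verifier applies after the MIC verifies: the message is only
    authentic if Time Signed is within Fudge seconds of the verifier's clock."""
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge
```

A verifier that passes GSS_VerifyMIC but fails timers_valid must still reject the message, so the two checks are applied in sequence, not as alternatives.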
