DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)
DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual—529432-003
Use TSIG
TSIG (Transaction SIGnature) secures server-to-server DNS communication by providing authentication and data integrity for DNS messages. It protects zone transfers, NOTIFY messages, dynamic updates, and recursive query messages. TSIG uses a secret shared between the two servers together with a keyed one-way hash function (an HMAC) to authenticate DNS messages, particularly responses and updates. TSIG is also used to authenticate control messages between rndc and named.
When you configure TSIG, a name server adds a TSIG record to the additional data section of each DNS message it signs. The receiver can verify the message using the TSIG record if the sender holds a cryptographic key shared with the receiver and if the message was not modified after it left the sender.
TSIG uses a keyed one-way hash function to provide authentication and data integrity. A one-way hash function, or cryptographic checksum, computes a fixed-size hash value from an arbitrarily large input. For a DNS message, the computation covers the message itself (without the TSIG record) followed by the TSIG record's own fields other than the hash value, such as the key name, the algorithm, the time the message was signed, and the allowed clock skew (the fudge). A minor change to the input changes the hash value drastically, and the function cannot be reversed to recover the input that produced a given output. Because the shared key is part of the computation, only a holder of the key can produce the correct value. The sender places the computed hash value in the TSIG record. The receiver carries out the same computation (using the shared key) and compares the result with the hash value in the TSIG record. If the values are the same, the message is authenticated. The receiver also checks that the time signed is within the fudge window, which rejects replayed or stale messages; the two servers therefore need reasonably synchronized clocks.
Figure 3-8. Updates Secured Through TSIG
Note. TSIG authenticates messages; it does not encrypt them. The DNS message can therefore be read in transit, but the TSIG record, together with the shared key held by sender and recipient, lets the recipient detect any modification and confirm who sent it. Because the key is symmetric, either holder can sign messages as the other, so limit each key to one pair of communicating servers and protect it as you would a password.
[Figure 3-8 (vst027.vsd): a DHCP server sends a DNS update message ("15.10.40.76 is nt4652") to the DNS server. The sending name server adds a TSIG record to the additional data section of the DNS message.]
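As an added example (not from the HP manual and not BIND's own code), the following Python signs a minimal DNS UPDATE message with a TSIG record and then verifies it the way the receiving server does. The key name dhcp-update-key, the secret, the zone example.com and the choice of HMAC-SHA256 are assumptions for the illustration. The hash value is computed over the message without the TSIG record, followed by the TSIG fields other than the hash itself (key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other data), which is the standard TSIG layout.

```python
"""TSIG signing and verification of a DNS UPDATE message (HMAC-SHA256, standard TSIG
field layout). Added example; key name, secret and zone are constructed, not from the manual."""
import hashlib
import hmac
import struct
import time

KEY_NAME = "dhcp-update-key."   # constructed: key shared by the DHCP and DNS servers
SECRET = bytes(range(32))       # constructed: in practice a random secret, base64 in named.conf
ALGORITHM = "hmac-sha256."
FUDGE = 300                     # seconds of clock skew the receiver tolerates

TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY, OPCODE_UPDATE = 6, 250, 1, 255, 5


def encode_name(name: str) -> bytes:
    """Canonical wire-format name: lowercase labels, length-prefixed, root terminated."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_update(msg_id: int, zone: str) -> bytes:
    """Minimal DNS UPDATE: header (opcode 5) plus the zone section; no RR changes."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG RR fields covered by the MAC: name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other))
            + other)


def sign(message: bytes, time_signed: int, secret: bytes = SECRET) -> bytes:
    """Sender side: append a TSIG RR to the additional section. The MAC covers the unsigned
    message followed by the TSIG variables, so a change to either is detected by the receiver."""
    mac = hmac.new(secret, message + tsig_variables(time_signed, FUDGE), hashlib.sha256).digest()
    msg_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, FUDGE, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))          # original ID, error 0, other len 0
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1        # one more additional RR
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def _skip_name(buf: bytes, pos: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = buf[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + n


def verify(packet: bytes, now: int, secret: bytes = SECRET) -> bool:
    """Receiver side: locate the trailing TSIG RR, recompute the MAC over the message as it
    was before signing, compare in constant time, then enforce the time-signed window."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    if ar == 0:
        return False                                            # unsigned message
    pos = 12
    for _ in range(qd):
        pos = _skip_name(packet, pos) + 4
    for _ in range(an + ns + ar - 1):                           # all RRs except the TSIG RR
        pos = _skip_name(packet, pos)
        pos += 10 + struct.unpack("!H", packet[pos + 8:pos + 10])[0]
    tsig_start, name_end = pos, _skip_name(packet, pos)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[name_end:name_end + 10])
    rd = name_end + 10
    if (rtype, rclass) != (TYPE_TSIG, CLASS_ANY) or rd + rdlen != len(packet):
        return False                                            # TSIG must be the last RR
    if packet[tsig_start:name_end].lower() != encode_name(KEY_NAME):
        return False                                            # unknown key name (BADKEY)
    alg_end = _skip_name(packet, rd)
    if packet[rd:alg_end].lower() != encode_name(ALGORITHM):
        return False
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", packet[alg_end:alg_end + 10])
    time_signed, mac = (hi << 32) | lo, packet[alg_end + 10:alg_end + 10 + mac_len]
    tail = alg_end + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", packet[tail:tail + 6])
    other = packet[tail + 6:tail + 6 + other_len]
    # The signed message carried the original ID and an ARCOUNT one lower, without the TSIG RR.
    message = struct.pack("!H", orig_id) + packet[2:10] + struct.pack("!H", ar - 1) + packet[12:tsig_start]
    expected = hmac.new(secret, message + tsig_variables(time_signed, fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False                                            # forged or modified in transit (BADSIG)
    return abs(now - time_signed) <= fudge                      # replayed or stale (BADTIME)


def demo(now: int = 0) -> dict:
    """Sign one update, then show which receiver checks reject tampering, replay and a wrong key."""
    now = now or int(time.time())
    signed = sign(build_update(0x1234, "example.com."), now)
    tampered = bytearray(signed)
    tampered[13] ^= 0x01                                        # flip one bit in the zone name
    return {
        "valid": verify(signed, now),
        "tampered": verify(bytes(tampered), now),
        "stale": verify(signed, now + 2 * FUDGE),
        "wrong_key": verify(signed, now, secret=b"not-the-shared-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

The demo shows the four outcomes a receiving server distinguishes: a valid message, one modified in transit, one outside the fudge window, and one signed with a different key. The three failures correspond to the TSIG error codes BADSIG, BADTIME and BADKEY that the receiver reports back to the sender.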