Rotating TSIG keys associated with a view - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Locale: en-US | Product name: BlueCat Integrity | Version: 26.1.0

In Address Manager v26.1.0, views now contain a hidden seed (salt) value for the generation of TSIG keys, which can be regenerated from the view actions menu for TSIG key rotation.

Integrity uses server-pair TSIG keys to authenticate remote server-to-server zone transfer traffic, previously configured using the TSIG Key for Server Pair DNS deployment option. In Integrity v26.1.0, each view now contains a unique hidden seed (salt) value that is used during remote TSIG key generation for increased security. This new seed value, along with internal TSIG key naming improvements, has eliminated the need for the TSIG Key for Server Pair DNS deployment option. It is now default behaviour to generate unique TSIG keys for each server pair, and new server-pair TSIG keys are generated with the view's seed value, instead of the previously defined Key salt value from the DNS deployment option. As such, the TSIG Key for Server Pair option has been removed from Address Manager.

Integrity also generates local TSIG keys for each view, which are used by DNS/DHCP Servers to authenticate local control traffic such as dynamic deployments and local Incremental Zone Transfer Protocol (IXFR) harvesting. For v26.1.0 DNS/DHCP Servers, local TSIG keys are now generated on the DNS/DHCP Server side and rotated each time a full deployment is performed. For v25.1.x and earlier DNS/DHCP Servers controlled by Address Manager v26.1.0, the new view seed value will be used to generate local TSIG keys for DNS/DHCP Servers, and these keys can be rotated on demand.

Tip: Integrity v26.1.0 applies the following naming conventions for TSIG keys on DNS/DHCP Servers:

VIEW<VIEW_ID> - local TSIG keys generated for DNS/DHCP Servers version 25.1.x and earlier.

VIEW<VIEW_ID>_<SERVER_ID> - local TSIG keys generated for DNS/DHCP Servers version 26.1.0 and later.

VIEW<VIEW_ID>_<PRIMARY_SERVER_ID>_<SECONDARY_SERVER_ID> - remote server-pair TSIG keys.

A view's seed value can be regenerated on demand from the Address Manager UI, allowing users to manually rotate local (DNS/DHCP Server v25.1.x and earlier) and server-pair TSIG keys as needed.

To rotate TSIG keys for a view:

  1. Select the DNS tab in the sidebar, then select Views.
  2. Select the row actions button for the view that you would like to rotate TSIG keys for, then select Rotate TSIG keys.
    Note: Rotating generates a new key. Other servers that rely on the old key must be updated. This action can't be undone.
  3. Select the acknowledgement checkbox.
  4. Enter a Change control comment, if required.
  5. Select Rotate.
After rotating TSIG keys for a view in the Address Manager UI, you must perform a full deployment so that DNS/DHCP Servers are updated with the new TSIG keys.
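The naming conventions in the tip above, together with the note that other servers relying on the old key must be updated after a rotation, lend themselves to a small post-deployment audit. The following script is an added example and is not BlueCat code: it parses BIND-style `key { ... };` blocks as they would appear on a DNS/DHCP Server, classifies each key name as a legacy local key (VIEW<VIEW_ID>), a v26.1.0 local key (VIEW<VIEW_ID>_<SERVER_ID>), a server-pair key (VIEW<VIEW_ID>_<PRIMARY_SERVER_ID>_<SECONDARY_SERVER_ID>) or an unmanaged key, and then checks that every server-pair key carries the same algorithm and secret on both members of the pair. The key-file format, the numeric IDs and the secrets below are constructed for the example; the key block layout on a real server may differ.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Naming conventions as documented for Integrity v26.1.0 (most specific first).
_PATTERNS = [
    ("server-pair", re.compile(r"^VIEW(\d+)_(\d+)_(\d+)$")),
    ("local-v26", re.compile(r"^VIEW(\d+)_(\d+)$")),
    ("local-legacy", re.compile(r"^VIEW(\d+)$")),
]

# BIND-style key block: key "NAME" { algorithm ALG; secret "BASE64"; };
_KEY_BLOCK = re.compile(
    r'key\s+"?([^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+([\w\-.]+)\s*;\s*'
    r'secret\s+"([^"]+)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)


@dataclass
class TsigKey:
    name: str
    algorithm: str
    secret: str
    kind: str                      # server-pair, local-v26, local-legacy, unmanaged
    view_id: Optional[int] = None
    server_ids: Tuple[int, ...] = ()


def classify(name: str) -> Tuple[str, Optional[int], Tuple[int, ...]]:
    """Map a key name onto the documented convention, or 'unmanaged' if it fits none."""
    for kind, pattern in _PATTERNS:
        m = pattern.match(name)
        if m:
            ids = tuple(int(x) for x in m.groups())
            return kind, ids[0], ids[1:]
    return "unmanaged", None, ()


def parse_keys(text: str) -> Dict[str, TsigKey]:
    """Extract every key block from a named.conf-style fragment, keyed by name."""
    keys: Dict[str, TsigKey] = {}
    for m in _KEY_BLOCK.finditer(text):
        name, algorithm, secret = m.groups()
        kind, view_id, server_ids = classify(name)
        keys[name] = TsigKey(name, algorithm, secret, kind, view_id, server_ids)
    return keys


def check_pair_keys(primary: Dict[str, TsigKey], secondary: Dict[str, TsigKey]) -> List[str]:
    """Findings for server-pair keys that are not identical on both members of the pair.

    A secret mismatch after a rotation usually means one side has not yet
    received the full deployment that installs the new key.
    """
    findings: List[str] = []
    pair_names = {n for n, k in primary.items() if k.kind == "server-pair"} | \
                 {n for n, k in secondary.items() if k.kind == "server-pair"}
    for name in sorted(pair_names):
        p, s = primary.get(name), secondary.get(name)
        if p is None or s is None:
            findings.append(f"{name}: missing on {'primary' if p is None else 'secondary'}")
        elif p.algorithm.lower() != s.algorithm.lower():
            findings.append(f"{name}: algorithm mismatch ({p.algorithm} vs {s.algorithm})")
        elif not hmac.compare_digest(p.secret.encode(), s.secret.encode()):
            findings.append(f"{name}: secret mismatch (one side not redeployed after rotation?)")
    return findings


# Constructed sample key files: the primary already carries the rotated pair key,
# the secondary still holds the pre-rotation secret plus a legacy local key.
PRIMARY_CONF = '''
key "VIEW12_100_200" { algorithm hmac-sha256; secret "bmV3LXBhaXItc2VjcmV0LWV4YW1wbGU="; };
key "VIEW12_100" { algorithm hmac-sha256; secret "bG9jYWwtMjYtZXhhbXBsZQ=="; };
'''

SECONDARY_CONF = '''
key "VIEW12_100_200" { algorithm hmac-sha256; secret "b2xkLXBhaXItc2VjcmV0LWV4YW1wbGU="; };
key "VIEW12" { algorithm hmac-sha256; secret "bGVnYWN5LWxvY2FsLWV4YW1wbGU="; };
key "hand-made-xfer-key" { algorithm hmac-md5; secret "dW5tYW5hZ2VkLWV4YW1wbGU="; };
'''


def audit() -> List[str]:
    """Run the pair check over the constructed sample and return its findings."""
    return check_pair_keys(parse_keys(PRIMARY_CONF), parse_keys(SECONDARY_CONF))


if __name__ == "__main__":
    for side, conf in (("primary", PRIMARY_CONF), ("secondary", SECONDARY_CONF)):
        for k in parse_keys(conf).values():
            print(f"{side}: {k.name:<22} {k.kind}")
    for finding in audit():
        print("FINDING:", finding)
```

Keys that classify as `unmanaged` are worth a second look after a rotation, since the view seed does not touch them; keys still named with the legacy VIEW<VIEW_ID> form on a server that has been upgraded to v26.1.0 indicate a full deployment has not yet run there.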