Define Transaction Signature (TSIG) keys used for DDNS updates and secure zone transfers. TSIG keys are used:
- to allow a DHCP Server to perform secure DDNS updates to a DNS server.
- to allow a DNS Server to receive secure DDNS updates from a DDNS client.
- to secure zone transfers and other DNS deployment options.
The TSIG Key Server Pair DNS deployment option has been removed from Address Manager v26.1, because starting in v26.1 server-pair TSIG keys are generated from a seed value held by the view. Ensure that both the primary and secondary DNS/DHCP Servers in a server pair are running the same version, as mismatched software levels may result in deployment or zone transfer failures.
To create a TSIG key, you specify a name for the key, an algorithm, and the length of the key in bits. Address Manager can create the key value automatically, or you can manually type a Base64-encoded string for the key. Use the manual option when you need to add keys that already exist on your DNS and DHCP servers to Address Manager.
You define TSIG keys in the TSIG keys tab at the configuration level. Keys defined here can be used in DNS deployment options set anywhere in the configuration, and in DHCP forward and reverse zones. Keys intended for use with DNS deployment options to secure DDNS updates and zone transfers may use any of the available algorithms. For more information on using TSIG keys with DNS deployment options, refer to DNS deployment options.
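The two ways of obtaining a key value described above (automatic generation, or manually entering a Base64 string for a key that already exists on the servers) are shown below as an added example; it is not Address Manager code. The algorithm table is the standard TSIG HMAC set from RFC 8945, and which of those a given Address Manager version offers is an assumption; the sample secret is constructed, not a real key.

```python
import base64
import binascii
import secrets

# Standard TSIG HMAC algorithms (RFC 8945) with their native digest size in bits.
# Assumption: which of these Address Manager exposes depends on the version.
TSIG_ALGORITHMS = {
    "hmac-md5": 128,
    "hmac-sha1": 160,
    "hmac-sha224": 224,
    "hmac-sha256": 256,
    "hmac-sha384": 384,
    "hmac-sha512": 512,
}

# Constructed sample: 32 bytes of 0x41 encoded as Base64 (256 bits). Not a real key.
SAMPLE_MANUAL_SECRET = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="


def generate_tsig_secret(length_bits: int) -> str:
    """Automatic mode: return a fresh random key of length_bits as a Base64 string."""
    if length_bits <= 0 or length_bits % 8 != 0:
        raise ValueError("key length must be a positive multiple of 8 bits")
    # secrets.token_bytes uses the OS CSPRNG, which is what a TSIG secret needs.
    return base64.b64encode(secrets.token_bytes(length_bits // 8)).decode("ascii")


def validate_tsig_secret(algorithm: str, length_bits: int, secret_b64: str) -> int:
    """Manual mode: check a pasted Base64 secret against the declared algorithm and
    length. Returns the decoded length in bits, or raises ValueError on mismatch."""
    if algorithm.lower() not in TSIG_ALGORITHMS:
        raise ValueError(f"unsupported TSIG algorithm: {algorithm}")
    try:
        # validate=True rejects characters outside the Base64 alphabet and bad padding.
        raw = base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret is not valid Base64") from exc
    actual_bits = len(raw) * 8
    if actual_bits != length_bits:
        raise ValueError(f"declared {length_bits} bits but secret decodes to {actual_bits} bits")
    return actual_bits


if __name__ == "__main__":
    new_secret = generate_tsig_secret(256)
    print("generated:", new_secret, validate_tsig_secret("hmac-sha256", 256, new_secret), "bits")
    print("manual:", validate_tsig_secret("hmac-sha256", 256, SAMPLE_MANUAL_SECRET), "bits")
```

A declared length that does not match what the Base64 string decodes to is the most common reason a manually entered key fails to match the one already configured on the DNS or DHCP server.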
A compromised key can mean part (or all) of the key has been deciphered through cryptographic analysis by a malicious attacker, or a malicious attacker has gained physical access to the keys. In either case, new keys must be generated in order to preserve the security of your DNS/DHCP environment.