TSIG keys - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Product name
BlueCat Integrity

Define Transaction Signature (TSIG) keys used for DDNS updates and secure zone transfers.

You can define Transaction Signature (TSIG) keys in Address Manager for the following functions:
  • to allow a DHCP Server to perform secure DDNS updates to a DNS server
  • to allow a DNS Server to receive secure DDNS updates from a DDNS client
  • to secure zone transfers and other DNS deployment options.

Any inter-communicating DNS Servers (such as DNS servers in a primary/secondary relationship) using the TSIG Key Server Pair DNS deployment option must all be on the same software level. For example, a primary and its secondary servers must all be running DNS/DHCP Server software version 9.3.0. DNS/DHCP Servers running different software levels might result in deployment or zone transfer failures.

For more information on the TSIG Key Pair DNS deployment option, refer to Reference: DNS deployment options.

To create a TSIG key, you specify a name for the key, an algorithm, and the length of the key in bits. Address Manager can create the key value automatically, or you can manually type a Base64-encoded string for the key. Use the manual option when you need to add keys that already exist on your DNS and DHCP servers to Address Manager.

You define TSIG keys at the configuration level on the TSIG Keys page tab found on the IP Space, DNS, Devices, TFTP, and Servers main tabs. Keys defined here can be used in DNS Deployment Options set anywhere in the configuration, and in DHCP Forward and Reverse Zones. Keys intended for use with DHCP zones must be defined with the HMAC MD5 algorithm. Keys intended for use with DNS deployment options to secure DDNS updates and zone transfers may use any of the available algorithms. For more information on using TSIG keys with DNS deployment options, refer to DNS deployment options.

When viewing the details for a TSIG key, you can view the objects to which it's linked. You can't delete a TSIG key if it's linked to or used by another Address Manager object. Should a key become compromised, you can perform an emergency rollover to regenerate the key. After regenerating one or more TSIG keys, you need to deploy the configuration to your server or servers.
Tip: What's a “compromised” key?

A compromised key can mean part (or all) of the key has been deciphered through cryptographic analysis by a malicious attacker, or a malicious attacker has gained physical access to the keys. In either case, new keys must be generated in order to preserve the security of your DNS/DHCP environment.