Book Image

DNS in Action

By : CP Books a.s.
Book Image

DNS in Action

By: CP Books a.s.

Overview of this book

The Domain Name System is one of the foundations of the internet. It is the system that allows the translation of human-readable domain names into machines-readable IP addresses and the reverse translation of IP addresses into domain names. This book describes the basic DNS protocol and its extensions; DNS delegation and registration, including for reverse domains; using DNS servers in networks that are not connected to the internet; and using DNS servers on firewall machines. Many detailed examples are used throughout the book to show perform various configuration and administration tasks.
Table of Contents (16 chapters)
DNS in Action
About the Authors
Country Codes and RIRs

3.7 TSIG

DNSsec, described in the previous section, has several drawbacks. Asymmetrical cryptography is so demanding that using this mechanism for DNS Update is difficult. RFC 2845 specifies an alternative mechanism referred to as TSIG (Transaction Signatures).

TSIG is aimed at authorizing between two systems. Both systems mutually exchange shared secrets. The data transferred between these two systems are then authorized by the HMAC-MD5 algorithm, i.e., the shared secrets create concatenate with the data to be transferred and the result is then used for calculating the hash with the MD-5 algorithm.

This cryptographic checksum is transferred in the TSIG record. This record is recreated for any data transferred; so there is no reason to keep it in the database.

The shared secret can also be created by the already mentioned dnssec-keygen tool:

dnssec-keygen -a hmac-md5 -b 128 -n HOST computer1-computer2

Again, this program will create two files, Kcomputer1-computer2.+157+38038.key and Kcomputer1...