Documentation for SolarWinds Platform Self-Hosted

What are Transaction Signatures?

This topic applies only to the following products:

SolarWinds Observability Self-Hosted

DPAIM, EOC, IPAM, LA, NAM, NCM, NPM, NTA, SAM, SCM, SRM, UDT, VMAN, VNQM, WPM

SolarWinds Observability Self-Hosted requires transaction signatures (TSIG), rather than administrator credentials, when interacting with BIND DNS. TSIG authenticates each dynamic update with a shared secret, which provides greater security when updating the DNS server.

The TSIG shared secret key name is the name you gave the key in the configuration file.

The TSIG shared key value is the value contained in the .private file created when you generate the TSIG secret. Use the string after Key: in the file.

You must configure your BIND DNS name server in the DNS zone to use the TSIG key you use when creating the HA pool. The key must use the HMAC-MD5 message authentication code with a key size between 1 and 512 bytes. You can use the dnssec-keygen utility included in your BIND installation to generate a new key.

If you have never used transaction signatures with BIND DNS before, you must also modify the BIND configuration file to allow DNS updates signed by the newly registered TSIG key.

Example: modify BIND DNS to use TSIG

The following is provided as an example only. SolarWinds does not guarantee that this example will work as expected, nor do we support issues regarding BIND DNS. Create backups of your configuration file before beginning, and consult with your vendor's documentation.

  1. Log on to your BIND DNS server as an administrator.
  2. Open a command prompt and run the following command:
    # dnssec-keygen -a HMAC-MD5 -b <keysize> -n HOST <keyname>

    The command returns information similar to the following and saves the output to a pair of text files with the suffixes .key and .private:

    K<keyname>.+157+08924

    • A keyname must be a valid domain name without any spaces, and it cannot begin with DHCP_UPDATER.
    • The keyname must not include any upper case characters.
  3. Run the following command to display the generated key:
    # cat K<keyname>.+157+08924.key

    For example, it returns a response similar to the following:

    <keyname>. IN KEY 512 3 157 <secret value>
  4. Register the key in BIND by adding the following code to the configuration file (usually located in /etc/named.conf or /etc/bind/named.conf):
    key "<keyname>" {
    algorithm hmac-md5;
    secret "<secret value>";
    };
  5. Reconfigure BIND using the following command:
    rndc reconfig
  6. Verify that the new key is registered in your BIND server by running the following command:
    # rndc tsig-list

    This command returns information similar to the following:

    view "_default"; type "static"; key "bindupdate";
    view "_default"; type "static"; key "local-ddns";
    view "_default"; type "static"; key "<keyname>";
    view "_default"; type "static"; key "rndc-key";
    view "_bind"; type "static"; key "bindupdate";
    view "_bind"; type "static"; key "local-ddns";
    view "_bind"; type "static"; key "<keyname>";
    view "_bind"; type "static"; key "rndc-key";
  7. Modify the zone section in the BIND configuration file to allow DDNS updates signed by the registered TSIG.
  8. Reconfigure BIND using the following command:
    rndc reconfig
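The following helper script is an added example and is not SolarWinds' or ISC's own code. It takes the pieces the procedure above produces by hand (the Key: line of the .private file from step 2, the key block from step 4 and the zone change from step 7) and renders them as named.conf stanzas, after checking the key name against the rules in step 2. It also counts zone stanzas that use allow-update { any; }, because such a zone accepts unsigned updates and defeats the point of registering a TSIG key. The key name, secret, zone name and zone file path are constructed placeholders; the .private file content is a constructed sample in the format dnssec-keygen writes.

```shell
#!/bin/sh
# Added example, not part of the SolarWinds documentation or BIND itself.
# All names and the secret below are constructed placeholders.

# Constructed sample of the .private file dnssec-keygen writes for HMAC-MD5
# (algorithm number 157). Only the "Key:" line is used.
SAMPLE_PRIVATE='Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: c2VjcmV0LXBsYWNlaG9sZGVyLWJhc2U2NA==
Bits: AAA=
Created: 20240101000000
Publish: 20240101000000
Activate: 20240101000000'

EXAMPLE_KEYNAME='orion-tsig'            # placeholder key name
EXAMPLE_ZONE='example.test'             # placeholder zone
EXAMPLE_ZONEFILE='/var/named/example.test.db'  # placeholder zone file path

# Check a key name against the rules given in step 2: a domain-name-like
# string with no spaces and no upper-case characters that does not begin
# with DHCP_UPDATER. Returns 0 when the name is acceptable.
valid_keyname() {
    name=$1
    case "$name" in
        "") return 1 ;;
        *[!a-z0-9._-]*) return 1 ;;   # rejects spaces, upper case, other odd characters
    esac
    lowered=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    case "$lowered" in
        dhcp_updater*) return 1 ;;
    esac
    return 0
}

# Read .private file text on stdin and print the base64 secret from the
# "Key:" line, i.e. the TSIG shared key value described above.
private_key_secret() {
    sed -n 's/^Key: *//p' | head -n 1
}

# Render the key block that step 4 adds to named.conf.
render_key_stanza() {
    keyname=$1
    secret=$2
    printf 'key "%s" {\n' "$keyname"
    printf '\talgorithm hmac-md5;\n'
    printf '\tsecret "%s";\n' "$secret"
    printf '};\n'
}

# Render a zone stanza that accepts dynamic updates only when they are
# signed with the registered key (the change step 7 asks for).
render_zone_stanza() {
    zone=$1
    keyname=$2
    zonefile=$3
    printf 'zone "%s" {\n' "$zone"
    printf '\ttype master;\n'
    printf '\tfile "%s";\n' "$zonefile"
    printf '\tallow-update { key "%s"; };\n' "$keyname"
    printf '};\n'
}

# Count "allow-update { any; }" stanzas in named.conf text read from stdin.
# Such a zone accepts unsigned updates from any host; the expected value
# after following the procedure above is 0.
count_unsigned_update_stanzas() {
    grep -c 'allow-update[[:space:]]*{[[:space:]]*any' || true
}

# Usage: render both stanzas from the constructed sample and audit them.
if valid_keyname "$EXAMPLE_KEYNAME"; then
    secret=$(printf '%s\n' "$SAMPLE_PRIVATE" | private_key_secret)
    render_key_stanza "$EXAMPLE_KEYNAME" "$secret"
    render_zone_stanza "$EXAMPLE_ZONE" "$EXAMPLE_KEYNAME" "$EXAMPLE_ZONEFILE"
    echo "unsigned-update zones in rendered config: $(render_zone_stanza "$EXAMPLE_ZONE" "$EXAMPLE_KEYNAME" "$EXAMPLE_ZONEFILE" | count_unsigned_update_stanzas)"
else
    echo "invalid key name: $EXAMPLE_KEYNAME" >&2
    exit 1
fi
```

To use it against a real server, pipe the generated K<keyname>.+157+<id>.private file into private_key_secret, append the two rendered stanzas to named.conf, run rndc reconfig, and confirm with rndc tsig-list as in step 6. Running count_unsigned_update_stanzas over the existing named.conf before the change is a quick way to find zones that still accept unsigned updates.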

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.