TSIG
Transaction Signature: a shared-secret HMAC scheme that authenticates DNS messages, used most often to secure AXFR and dynamic updates.
TSIG (Transaction Signature) authenticates DNS messages using a shared symmetric key and an HMAC. The primary and secondary nameservers (or a DNS client and server) agree on a key out of band, then sign each request and response. TSIG is the standard way to lock down AXFR/IXFR zone transfers so only authorised secondaries can pull a zone, and to authenticate dynamic DNS updates from DHCP servers. Unlike DNSSEC, TSIG is point-to-point and uses pre-shared keys, so it does not need to scale to the public internet.
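The sign-and-verify step described above, as an added Python example (not code from this page or from any DNS server): it computes the HMAC-SHA256 digest over a constructed AXFR query plus the TSIG variables in the layout given by RFC 8945 section 4.3, then shows what a receiver concludes for a valid, wrong-key, altered and stale message. The key name, secret, zone and timestamp are constructed sample values, the 300-second fudge window is an assumed setting, and the TSIG record itself is not built, only its MAC.

```python
import hashlib, hmac, struct

def wire_name(name: str) -> bytes:
    """Canonical wire format: lowercased, uncompressed, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def axfr_query(zone: str, msg_id: int) -> bytes:
    """Constructed AXFR question (QTYPE 252, class IN) with all flags clear."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(key, message, key_name, time_signed, fudge=300, request_mac=b""):
    """HMAC-SHA256 over the message plus the TSIG variables (RFC 8945, 4.3)."""
    data = b""
    if request_mac:  # a response digest also covers the request's MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message
    data += wire_name(key_name) + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
    data += wire_name("hmac-sha256")                          # algorithm name
    data += struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
    data += struct.pack("!HH", 0, 0)                          # Error, Other Len
    return hmac.new(key, data, hashlib.sha256).digest()

def tsig_verify(key, message, key_name, time_signed, fudge, mac, now, request_mac=b""):
    """Return the TSIG result a receiver would reach: MAC first, then time."""
    expected = tsig_mac(key, message, key_name, time_signed, fudge, request_mac)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return "BADSIG"
    if abs(now - time_signed) > fudge:           # outside the allowed clock skew
        return "BADTIME"
    return "NOERROR"

# Constructed sample values: key name, secret, zone and timestamp are made up.
KEY_NAME, SECRET = "xfer-key.example.com", b"constructed-demo-secret-32-bytes"
SIGNED_AT = 1_700_000_000

def demo():
    query = axfr_query("example.com", 0x1234)
    mac = tsig_mac(SECRET, query, KEY_NAME, SIGNED_AT)
    check = lambda k, m, now: tsig_verify(k, m, KEY_NAME, SIGNED_AT, 300, mac, now)
    return {
        "authorised secondary": check(SECRET, query, SIGNED_AT + 10),
        "wrong key": check(b"some-other-secret", query, SIGNED_AT + 10),
        "altered message": check(SECRET, axfr_query("example.org", 0x1234), SIGNED_AT + 10),
        "replayed later": check(SECRET, query, SIGNED_AT + 301),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the signed time is part of the digest, both ends need roughly synchronised clocks; a secondary whose clock drifts past the fudge window is rejected with BADTIME even though its key is correct.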