Understanding zone file transfer and TSIG

For strong security, the primary DNS server is run as a hidden master that communicates only with authorized secondary DNS servers whose IP addresses have been explicitly allowed. This is a critical step in keeping DNS secure, reliable and easy to maintain.

When any change is made to the zone on the primary name server, it sends a DNS NOTIFY message to the secondary. If the secondary does not hold the most up-to-date copy of the zone, it requests an update using a full zone transfer (AXFR) or an incremental zone transfer (IXFR). The exchange runs over UDP or TCP as a client-server transaction and is therefore generally an open communication over an unsecured network (i.e. the Internet).

Since communication between name servers is open, authentication is critical: without it, unauthorized and lasting changes to the DNS can be made that IT departments would have trouble undoing. TSIG is a networking protocol defined in RFC 2845 (Note: “RFC”, or Request for Comments, is the nomenclature used by ICANN for technical specifications and policy decisions), and it is used to authenticate dynamic DNS updates and communication between name servers.

When TSIG is used to secure communications between a primary and a secondary name server, a cryptographic signature (a keyed hash) is generated using a shared secret key and added to every DNS packet exchanged between the servers. This ensures that the DNS packets originate from an authorized name server and have not been altered en route.

In addition to the key, the protocol includes a timestamp so that intercepted messages cannot be replayed at a later time (which in turn requires that the systems keep accurate clocks from a reliable time source).

A TSIG record is created and added to every DNS message between the name servers. The following fields are included in a TSIG record:

Field      Bytes      Description
NAME       max 256    Key name, which must be unique on client and server
TYPE       2          TSIG (250)
CLASS      2          ANY (255)
TTL        4          0 (since TSIG records must not be cached)
RDLENGTH   2          Length of RDATA field
RDATA      variable   Structure containing the timestamp, algorithm and hash data
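As an added illustration that is not part of the original article, the Python below shows how the fields above are combined into the keyed hash: it builds the "TSIG variables" block of RFC 2845 section 3.4.2, signs a constructed NOTIFY message with HMAC-SHA256 (the algorithm from RFC 4635), and performs the receiver's BADSIG and BADTIME checks. The key name, shared secret and message bytes are constructed sample values, and the code covers request signing only (a signed response additionally prepends the request MAC to the hashed data).

```python
import hashlib
import hmac
import struct

TSIG_CLASS_ANY = 255        # CLASS field of the TSIG record
TSIG_TTL = 0                # TTL field: TSIG records are never cached
BADSIG, BADTIME = 16, 18    # TSIG error codes from RFC 2845

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields hashed together with the DNS message (RFC 2845 section 3.4.2)."""
    return (name_to_wire(key_name)
            + struct.pack("!HI", TSIG_CLASS_ANY, TSIG_TTL)
            + name_to_wire(algorithm)
            + struct.pack("!Q", time_signed)[2:]           # Time Signed is 48 bits
            + struct.pack("!HHH", fudge, error, len(other))
            + other)

def tsig_mac(secret, message, key_name, algorithm, time_signed, fudge):
    """Request MAC: HMAC over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()

def verify_tsig(secret, message, key_name, algorithm, time_signed, fudge, mac, now):
    """Return 0 on success, otherwise the TSIG error code the receiver would report."""
    expected = tsig_mac(secret, message, key_name, algorithm, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return BADSIG       # message or TSIG fields altered, or wrong shared key
    if abs(now - time_signed) > fudge:
        return BADTIME      # outside the fudge window: replay or clock skew
    return 0

# Constructed sample: a NOTIFY (opcode 4, AA set) asking about the SOA of example.com.
NOTIFY = (bytes.fromhex("1234 2400 0001 0000 0000 0000")
          + name_to_wire("example.com.") + struct.pack("!HH", 6, 1))
SECRET = b"constructed-shared-secret"                 # constructed, not a real key
KEY_NAME, ALG = "primary-secondary.example.", "hmac-sha256."

def demo(now=1700000000):
    """Sign the NOTIFY, then verify it intact, tampered, and replayed an hour later."""
    mac = tsig_mac(SECRET, NOTIFY, KEY_NAME, ALG, now, 300)
    ok = verify_tsig(SECRET, NOTIFY, KEY_NAME, ALG, now, 300, mac, now)
    tampered = verify_tsig(SECRET, NOTIFY[:-1] + b"\x10", KEY_NAME, ALG, now, 300, mac, now)
    replayed = verify_tsig(SECRET, NOTIFY, KEY_NAME, ALG, now, 300, mac, now + 3600)
    return ok, tampered, replayed   # returns (0, 16, 18)

if __name__ == "__main__":
    print(demo())
```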