Managing TSIG Keys

TSIG (Transaction Signature), also referred to as Secret Key Transaction Authentication, ensures that DNS packets originate from an authorized sender by using shared secret keys and one-way hashing to add a cryptographic signature to the DNS packets. TSIG keys are used to enable DNS to authenticate updates to secondary zones. TSIG keys provide an added layer of security for IXFR and AXFR transactions. A TSIG key consists of a key name, a signing algorithm, and a secret. See RFC 2845 for more information. TSIG keys can also be managed in DNS Zone Management. See Managing DNS Service Zones for more information.

Using the Console

To create a TSIG key
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click TSIG Keys.
  2. Click Create TSIG key.
  3. In the Create TSIG Key dialog box, enter the following:

    • Name: The name of the key, in domain name syntax. The name should reflect the names of the two hosts that share the key and uniquely identify it among the set of keys those hosts may share at any given time.
    • Algorithm: Select the HMAC algorithm used to sign and verify DNS messages with the shared secret. Applicable algorithms include hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512.
    • Secret: The base64 string encoding the binary shared secret that corresponds to the key. A maximum length of 255 characters is allowed.
    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  4. Click Create TSIG Key. The TSIG key details appear.
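
The following is an added example, not code from this documentation or from the service: a local pre-check of the Name, Algorithm, and Secret fields before they are entered in the Create TSIG Key dialog. It generates a random secret as long as the chosen HMAC's digest (the key-length recommendation in RFC 2104) and checks the 255-character limit described above; the function names, the sample key name, and the label rules in the regular expression are assumptions.

```python
import base64
import binascii
import re
import secrets

# HMAC algorithms listed on this page, mapped to digest size in bytes.
ALGORITHMS = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
              "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
MAX_SECRET_CHARS = 255  # limit stated for the Secret field
# Assumed label rule: 1-63 letters, digits, "_" or "-", no leading/trailing "-".
LABEL = re.compile(r"(?!-)[A-Za-z0-9_-]{1,63}(?<!-)")


def generate_secret(algorithm):
    """Return a base64 secret with as many random bytes as the digest size."""
    return base64.b64encode(secrets.token_bytes(ALGORITHMS[algorithm])).decode("ascii")


def validate_tsig_key(name, algorithm, secret):
    """Return a list of problems; an empty list means the fields look sane."""
    problems = []
    labels = name.rstrip(".").split(".")
    if len(name) > 253 or not all(LABEL.fullmatch(label) for label in labels):
        problems.append("name is not in domain name syntax")
    if algorithm not in ALGORITHMS:
        problems.append("unsupported algorithm")
    if len(secret) > MAX_SECRET_CHARS:
        problems.append("secret exceeds 255 characters")
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        problems.append("secret is not valid base64")
    else:
        # A key shorter than the digest weakens the HMAC (RFC 2104).
        if algorithm in ALGORITHMS and len(raw) < ALGORITHMS[algorithm]:
            problems.append("secret is shorter than the HMAC digest size")
    return problems


if __name__ == "__main__":
    key_name = "ns1-ns2.example.com"  # constructed sample name
    algorithm = "hmac-sha256"
    secret = generate_secret(algorithm)
    print(key_name, algorithm, validate_tsig_key(key_name, algorithm, secret))
```

Run it on the host where the secret is created and transfer the secret to the peer server over a protected channel, since anyone holding it can sign transfers for the zone.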
To view the details of a TSIG key
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click TSIG Keys.
  2. Click the name of the TSIG key you want to view. TSIG key details and a list of associated zones appear.
  3. To view the Secret assigned to the key, click Show beside the Secret field.
  4. In the View Secret dialog box, click Close.
To delete a TSIG key
Note: A TSIG key attached to a zone must be removed from the zone in DNS Zone Management. See Managing DNS Service Zones for more information.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click TSIG Keys.
  2. Find the TSIG key in the list, click the Actions icon (three dots), and then click Delete.
  3. In the confirmation dialog box, click Delete.
To move a TSIG key to another compartment
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click TSIG Keys.
  2. In the Scope section, select a compartment.
  3. Find the TSIG key in the list, click the Actions icon (three dots), and then click Move Resource.
  4. Choose the destination compartment from the list.
  5. Click Move Resource.

    For more information, see Managing Compartments.