Generic Security Service Algorithm for Secret Key Transaction
GSS-TSIG is an extension of the TSIG DNS authentication protocol that lets a DNS client and server establish a shared key without pre-configuring one. It is specified in RFC 3645 as a TSIG algorithm, named gss-tsig, that exchanges GSS-API security tokens to establish a security context; the context is then used to authenticate and integrity-protect DNS messages (GSS-TSIG signs messages with GSS_GetMIC and does not encrypt them). The GSS-API mechanism is Kerberos in practice, typically negotiated through a SPNEGO-style pseudo-mechanism that can select Kerberos or NTLM. In Windows, this implementation is called Secure Dynamic Update.

GSS-TSIG uses TKEY records (RFC 2930) in GSS-API negotiation mode (TKEY mode 3) for key exchange between the DNS client and server: the client sends a TKEY query whose key data carries its initial GSS-API token, and the server replies with a TKEY record carrying the response token, repeating until both sides have established the context. For authentication between the DNS client and Active Directory, the Kerberos AS-REQ/AS-REP and TGS-REQ/TGS-REP exchanges must take place first: the client obtains a ticket-granting ticket from the KDC and then a service ticket for the DNS server, which is presented in the first TKEY token. The resulting security context has a limited lifetime, during which dynamic updates to the DNS server can be sent signed with TSIG records that reference the negotiated key; once it expires, a new TKEY negotiation is required.
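The TKEY RDATA that carries the GSS-API tokens described above, as an added Python example that is not part of this article and not code from any DNS implementation. It serialises and parses the RFC 2930 RDATA layout (algorithm name, inception, expiration, mode, error, key data, other data), then checks that a parsed record is a usable GSS-TSIG negotiation record (algorithm gss-tsig, mode 3, no error, a token present, and the current time inside the inception/expiration window). The GSS token bytes, the timestamps and the check function are constructed for illustration; a real token is a Kerberos AP-REQ produced by the GSS-API library, and the context lifetime itself is managed by that library, which this offline example does not model.

```python
"""Build, parse and check TKEY RDATA for a GSS-TSIG (mode 3) negotiation.
Added example; constants follow RFC 2930 / RFC 3645, sample data is constructed."""
import struct

TKEY_MODE_GSSAPI = 3              # RFC 2930, section 2: GSS-API negotiation
TKEY_MODE_KEY_DELETION = 5        # RFC 2930, section 2: key deletion
GSS_TSIG_ALGORITHM = "gss-tsig."  # TSIG algorithm name defined by RFC 3645
TKEY_RDATA_FIXED_LEN = 14         # inception(4) expiration(4) mode(2) error(2) key size(2)


def encode_name(name):
    """Encode a dotted DNS name as uncompressed labels (RFC 1035, section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def decode_name(buf, offset):
    """Decode an uncompressed name; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # This example only accepts plain labels, not compression pointers.
            raise ValueError("compressed name in TKEY RDATA")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_tkey_rdata(algorithm, inception, expiration, mode, error, key_data, other_data=b""):
    """Serialise TKEY RDATA (RFC 2930, section 2) in network byte order."""
    return (encode_name(algorithm)
            + struct.pack("!IIHHH", inception, expiration, mode, error, len(key_data))
            + key_data
            + struct.pack("!H", len(other_data))
            + other_data)


def parse_tkey_rdata(rdata):
    """Parse TKEY RDATA into a dict, rejecting truncated or over-long input."""
    algorithm, off = decode_name(rdata, 0)
    if len(rdata) < off + TKEY_RDATA_FIXED_LEN:
        raise ValueError("TKEY RDATA truncated")
    inception, expiration, mode, error, key_size = struct.unpack_from("!IIHHH", rdata, off)
    off += TKEY_RDATA_FIXED_LEN
    key_data = rdata[off:off + key_size]
    off += key_size
    if len(key_data) != key_size or len(rdata) < off + 2:
        raise ValueError("TKEY key data truncated")
    (other_size,) = struct.unpack_from("!H", rdata, off)
    off += 2
    other_data = rdata[off:off + other_size]
    off += other_size
    if len(other_data) != other_size or off != len(rdata):
        raise ValueError("TKEY other data length mismatch")
    return {"algorithm": algorithm, "inception": inception, "expiration": expiration,
            "mode": mode, "error": error, "key_data": key_data, "other_data": other_data}


def check_gss_tsig_tkey(tkey, now):
    """Return the reasons (empty if none) a parsed TKEY is unusable for GSS-TSIG at `now`."""
    problems = []
    if tkey["algorithm"].lower() != GSS_TSIG_ALGORITHM:
        problems.append("algorithm is not gss-tsig")
    if tkey["mode"] != TKEY_MODE_GSSAPI:
        problems.append("mode is not GSS-API negotiation")
    if tkey["error"] != 0:
        problems.append("server reported TKEY error %d" % tkey["error"])
    if not tkey["key_data"]:
        problems.append("no GSS-API token carried")
    if not tkey["inception"] <= now < tkey["expiration"]:
        problems.append("outside the inception/expiration window")
    return problems


# Constructed placeholder for the client's initial GSS-API output token; a real one
# is a Kerberos AP-REQ built from the DNS server's service ticket.
SAMPLE_GSS_TOKEN = b"constructed-gss-token-not-a-real-ap-req"
SAMPLE_INCEPTION = 1_700_000_000           # constructed timestamps (seconds since epoch)
SAMPLE_EXPIRATION = SAMPLE_INCEPTION + 3600


def sample_exchange(now=SAMPLE_INCEPTION + 60):
    """Round-trip a client TKEY query for gss-tsig and check it at time `now`."""
    rdata = build_tkey_rdata(GSS_TSIG_ALGORITHM, SAMPLE_INCEPTION, SAMPLE_EXPIRATION,
                             TKEY_MODE_GSSAPI, 0, SAMPLE_GSS_TOKEN)
    tkey = parse_tkey_rdata(rdata)
    return tkey, check_gss_tsig_tkey(tkey, now)


if __name__ == "__main__":
    parsed, problems = sample_exchange()
    print(parsed["algorithm"], parsed["mode"], len(parsed["key_data"]), problems or "ok")
```

The length checks in `parse_tkey_rdata` matter on the server side: the key-size and other-size fields are attacker-controlled, so a parser that slices without comparing the result to the declared size silently accepts truncated tokens. The window check in `check_gss_tsig_tkey` is where the "limited lifetime" above bites: an update signed after `expiration` must be refused and a fresh TKEY negotiation started.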