Using Transaction Signature (TSIG)

NSD supports Transaction Signature (TSIG) for zone transfers, for sending and receiving notifies, and in fact for any query to the server.

TSIG keys are based on shared secrets, which must be configured in the config file. To keep the secret out of the main config file, put the key: block in a separate file and pull it in with include: "filename".

An example TSIG key named sec1_key:

key:
  name: "sec1_key"
  algorithm: hmac-md5
  secret: "6KM6qiKfwfEpamEq72HQdA=="

This key can then be used for any query to the NSD server. NSD will check if the signature is valid, and if so, return a signed answer. Unsigned queries will be given unsigned replies.

The key can also be used to tighten the access control lists: listing the key name on an access control line means, for example, that zone transfers are only allowed when the request is signed with that key.

# provides AXFR to the subnet when TSIG is used.
provide-xfr: 10.11.12.0/24 sec1_key
# allow only notifications that are signed
allow-notify: 192.168.0.0/16 sec1_key

If the TSIG key name is given on notify or request-xfr lines, the key is used to sign the outgoing notification or zone transfer request. The same key name, algorithm and secret must be configured on both servers involved.
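The following shell script is an added example, not part of the NSD documentation, that ties the pieces above together: it generates a fresh secret of full HMAC strength, renders the key: block, and renders the matching zone: blocks for a primary (provide-xfr and notify restricted to the key) and a secondary (allow-notify and request-xfr signed with the key). It uses hmac-sha256 rather than the hmac-md5 of the example above; NSD accepts both. The key name xfr_key, the zone example.com and the addresses 10.11.12.5 and 192.0.2.10 are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the NSD documentation): generate a TSIG secret and
# render NSD config for a primary/secondary pair that share it.
# Assumed values: key name "xfr_key", zone "example.com", secondary 10.11.12.5,
# primary 192.0.2.10 are placeholders for this example.

# Emit a random secret: 32 bytes (the HMAC-SHA256 block is 32 bytes), base64
# encoded, which is the form NSD expects in the "secret:" field.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Decode a base64 secret and report its length in bytes, so a caller can
# confirm it is a full-strength key before committing it to nsd.conf.
secret_len() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Render the key: block. The secret is quoted because base64 output may end
# in '=' padding characters.
render_key() {
    printf 'key:\n  name: "%s"\n  algorithm: hmac-sha256\n  secret: "%s"\n' "$1" "$2"
}

# Render the zone block for the primary: hand out AXFR and send NOTIFY only
# to the named secondary, and only when signed with the named key.
# Arguments: zone, secondary address, key name.
render_primary_zone() {
    printf 'zone:\n  name: "%s"\n  zonefile: "%s.zone"\n' "$1" "$1"
    printf '  provide-xfr: %s %s\n' "$2" "$3"
    printf '  notify: %s %s\n' "$2" "$3"
}

# Render the counterpart for the secondary: accept NOTIFY from the primary
# only when signed, and sign the transfer request with the same key.
# Arguments: zone, primary address, key name.
render_secondary_zone() {
    printf 'zone:\n  name: "%s"\n  zonefile: "%s.zone"\n' "$1" "$1"
    printf '  allow-notify: %s %s\n' "$2" "$3"
    printf '  request-xfr: %s %s\n' "$2" "$3"
}

# Usage: print one fragment for each side. Both must carry the same key: block.
SECRET=$(gen_tsig_secret)
render_key xfr_key "$SECRET"
render_primary_zone example.com 10.11.12.5 xfr_key
render_secondary_zone example.com 192.0.2.10 xfr_key
```

Once both servers are reloaded, the transfer path can be checked from the secondary with a signed AXFR such as `dig -y hmac-sha256:xfr_key:SECRET @192.0.2.10 example.com AXFR`; the same query without -y should be refused, which confirms that the key, not just the address, is what the provide-xfr line is gating on.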