3.7 TSIG
DNSSEC, described in the previous section, has several drawbacks. Asymmetric cryptography is so computationally demanding that using this mechanism for DNS Update is difficult. RFC 2845 specifies an alternative mechanism referred to as TSIG (Transaction Signatures).
TSIG is aimed at authentication between two systems. Both systems first exchange a shared secret. The data transferred between these two systems is then authenticated with the HMAC-MD5 algorithm, i.e., the shared secret is concatenated with the data to be transferred and the result is hashed with the MD5 algorithm.
This cryptographic checksum is transferred in the TSIG record. The record is recreated for every piece of data transferred, so there is no reason to keep it in the database.
The shared secret can also be created by the already mentioned dnssec-keygen tool:
dnssec-keygen -a hmac-md5 -b 128 -n HOST computer1-computer2
Again, this program will create two files, Kcomputer1-computer2.+157+38038.key and Kcomputer1...
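As an added example (not code from the book), the following Python computes and verifies the HMAC-MD5 TSIG MAC the way RFC 2845 lays it out: the keyed hash covers the DNS message followed by the TSIG variables (key name, class ANY, TTL 0, algorithm name, time signed, fudge, error, other data). The base64 secret, the key name computer1-computer2 and the DNS message are constructed values, not the real output of dnssec-keygen.

```python
import base64
import hashlib
import hmac
import struct

# Constructed shared secret, base64-encoded as the dnssec-keygen key files store it (example value only).
SECRET_B64 = "pRP5FapFoJ95JEL06sv4PQ=="
KEY_NAME = "computer1-computer2"
ALGORITHM = "hmac-md5.sig-alg.reg.int"   # RFC 2845 name for HMAC-MD5


def wire_name(name):
    """Encode a domain name in canonical DNS wire format (lower-cased labels, root label at the end)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def tsig_mac(secret_b64, key_name, message, time_signed, fudge=300, request_mac=b""):
    """HMAC-MD5 over (request MAC) + DNS message + TSIG variables, as RFC 2845 section 3.4 specifies."""
    key = base64.b64decode(secret_b64)
    tsig_vars = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)                                   # CLASS ANY, TTL 0
        + wire_name(ALGORITHM)
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time signed
        + struct.pack("!HHH", fudge, 0, 0)                             # fudge, error NOERROR, other len 0
    )
    return hmac.new(key, request_mac + message + tsig_vars, hashlib.md5).digest()


def verify_tsig(secret_b64, key_name, message, time_signed, received_mac, now, fudge=300):
    """Receiver side: reject MACs outside the time window, then compare in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(secret_b64, key_name, message, time_signed, fudge)
    return hmac.compare_digest(expected, received_mac)


def build_update_message(zone):
    """Constructed minimal DNS UPDATE message: header with opcode UPDATE and one zone-section entry (SOA)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)   # type SOA, class IN


if __name__ == "__main__":
    msg = build_update_message("example.com")
    mac = tsig_mac(SECRET_B64, KEY_NAME, msg, time_signed=1_000_000)
    print(mac.hex(), verify_tsig(SECRET_B64, KEY_NAME, msg, 1_000_000, mac, now=1_000_100))
```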