Linux.ie: Securing DNS with Transaction SignaturesJan 21, 2001, 17:42 (1 Talkback[s])
(Other stories by James Raftery)
[ Thanks to Ken Guest for this link. ]
"The Domain Name System (DNS) is a replicated, distributed, hierarchical database of information that is a core service needed for the modern internet to function. If you're new to the Domain Name System please read Thomas Bridge's article. This article is primarily aimed at those familiar with basic DNS concepts and the operation and configuration of a DNS server."
"This article concentrates on BIND, the de-facto standard implementation of DNS. Other implementations can achieve the same results using these directions, however the instructions and examples below are for administrators of a BIND 8.x or BIND 9.x nameserver."
"The DNS works on a question-answer model. If a client needs information from the DNS it sends a question to a DNS server and the server returns an answer. Until recently it was only possible for a server to examine a question and determine whether or not to answer it based on the IP address the question originated from. This is not ideal. Authentication using source IP address alone is considered insecure. Transaction Signatures, or TSIG for short, add cryptographic signatures as a method of authenticating a DNS conversation. It uses a shared secret to establish trust between the communicating parties."