STD 93

RFC 8945

Secret Key Transaction Authentication for DNS (TSIG), November 2020

File formats:

icon for HTML icon for text file icon for v3pdf icon for XML
Also available: XML file for editing
RFC 2845, RFC 4635
F. Dupont
S. Morris
P. Vixie
D. Eastlake 3rd
O. Gudmundsson
B. Wellington
dnsop (ops)

Cite this RFC: TXT  |  XML  |   BibTeX

DOI:  10.17487/RFC8945

Discuss this RFC: Send questions or comments to the mailing list [email protected]

Other actions: Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 8945


This document describes a protocol for transaction-level authentication using shared secrets and one-way hashing. It can be used to authenticate dynamic updates to a DNS zone as coming from an approved client or to authenticate responses as coming from an approved name server.

No recommendation is made here for distributing the shared secrets; it is expected that a network administrator will statically configure name servers and clients using some out-of-band mechanism.

This document obsoletes RFCs 2845 and 4635.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.

Advanced Search