STD 93

RFC 8945

Secret Key Transaction Authentication for DNS (TSIG), November 2020

Obsoletes: RFC 2845, RFC 4635

Authors: F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, B. Wellington

Working group: dnsop (ops)


This document describes a protocol for transaction-level authentication using shared secrets and one-way hashing. It can be used to authenticate dynamic updates to a DNS zone as coming from an approved client or to authenticate responses as coming from an approved name server.

No recommendation is made here for distributing the shared secrets; it is expected that a network administrator will statically configure name servers and clients using some out-of-band mechanism.

This document obsoletes RFCs 2845 and 4635.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.
