Jump to content

Generic Security Service Algorithm for Secret Key Transaction

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Bomazi (talk | contribs) at 21:10, 6 May 2013 (Disambiguated: KerberosKerberos (protocol) (2) using Dab solver). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm which uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality.

GSS-TSIG (RFC 3645) uses a mechanism like SPNEGO with Kerberos or NTLM. In Windows, this implementation is called Secure Dynamic Update.[1]

GSS-TSIG uses TKEY records for key exchange between the DNS client and server in GSS-TSIG mode. For authentication between the DNS client and Active Directory, the AS-REQ, AS-REP, TGS-REQ, TGS-REP exchanges must take place for granting of ticket and establishing a security context. The security context has a limited lifetime during which dynamic updates to the DNS server can take place.

References