What are Transaction Signatures?

Created by Magdalena.Markova, last modified by Magdalena.Markova on Sep 13, 2017

Updated: September 13, 2017

This topic applies to all Orion Platform products except for SolarWinds ETS.

When interacting with BIND DNS, we require transaction signatures (TSIG) instead of administrator credentials. TSIG provides greater security when updating the DNS server, because each update is signed with a shared secret key.

The TSIG shared secret key name is the name you gave the key in the configuration file.

The TSIG shared key value is the value contained in the .private file created when you generate the TSIG secret. Use the string after Key: in the file.

You must configure your BIND DNS name server so that the DNS zone uses the same TSIG key you use when creating the HA pool. The key must use the HMAC-MD5 message authentication code with a key size between 1 and 512 bytes. You can use the dnssec-keygen utility included in your BIND installation to generate a new key.

If you have never used transaction signatures with BIND DNS before, you must also modify the BIND configuration file to allow DNS updates signed by the newly registered TSIG key.

Modify BIND DNS to use TSIG example

The following is provided as an example only. SolarWinds does not guarantee that this example will work as expected, nor do we support issues regarding BIND DNS. Create backups of your configuration file before beginning, and consult with your vendor's documentation.

  1. Log on to your BIND DNS server as an administrator.
  2. Open a command prompt and run the following command:
    # dnssec-keygen -a HMAC-MD5 -b <keysize> -n HOST <keyname>

    The command returns information similar to the following and saves the output to a pair of text files with the suffixes .key and .private:

    K<keyname>.+157+08924

  3. Run the following command to display the generated key:
    # cat K<keyname>.+157+08924.key

    For example, it returns a response similar to the following:

    <keyname>. IN KEY 512 3 157 <secret value>
  4. Register the key in BIND by adding the following code to the configuration file (usually located in /etc/named.conf or /etc/bind/named.conf):
    key "<keyname>" {
        algorithm hmac-md5;
        secret "<secret value>";
    };
  5. Reconfigure BIND using the following command:
    rndc reconfig
  6. Verify that the new key is registered in your BIND server by running the following command:
    # rndc tsig-list

    This command returns information similar to the following:

    view "_default"; type "static"; key "bindupdate";
    view "_default"; type "static"; key "local-ddns";
    view "_default"; type "static"; key "<keyname>";
    view "_default"; type "static"; key "rndc-key";
    view "_bind"; type "static"; key "bindupdate";
    view "_bind"; type "static"; key "local-ddns";
    view "_bind"; type "static"; key "<keyname>";
    view "_bind"; type "static"; key "rndc-key";
  7. Modify the zone section in the BIND configuration file to allow DDNS updates signed by the registered TSIG key.
  8. Reconfigure BIND using the following command:
    rndc reconfig
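
The following script is an added example, not part of the SolarWinds documentation or the BIND distribution: it reads the value after Key: from the .private file and prints the key statement for step 4 together with a zone statement for step 7, showing the broad allow-update form beside a scoped update-policy. The key name orion-ha, the host name orion-vip.example.com., the sample file contents, and the assumption that the HA pool only needs to change one A record are illustrative.

```shell
#!/bin/sh
# Added example, not SolarWinds or ISC code. Builds the named.conf text for
# steps 4 and 7 from the .private file that dnssec-keygen wrote.

# TSIG shared key value: the string after "Key:" in the .private file.
tsig_secret() {
    awk '$1 == "Key:" { print $2; found = 1 } END { exit !found }' "$1"
}

# Succeed only if the file declares algorithm 157 (HMAC-MD5).
tsig_is_hmac_md5() {
    awk '$1 == "Algorithm:" && $2 == "157" { ok = 1 } END { exit !ok }' "$1"
}

# Args: <.private file> <keyname> <fqdn the key may update (assumption)>
tsig_named_conf() {
    tsig_is_hmac_md5 "$1" || { echo "not an HMAC-MD5 key: $1" >&2; return 1; }
    secret=$(tsig_secret "$1") || { echo "no Key: line in $1" >&2; return 1; }
    cat <<EOF
key "$2" {
    algorithm hmac-md5;
    secret "$secret";
};
// Step 7, inside the existing zone block. Use one form, never both.
// Broad: the key may change any record in the zone.
//     allow-update { key "$2"; };
// Scoped: the key may change only the A record of one name.
    update-policy { grant $2 name $3 A; };
EOF
}

# Constructed sample in the layout of a dnssec-keygen .private file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Y29uc3RydWN0ZWQtc2FtcGxlLWtleQ==
Bits: AAA=
EOF

tsig_named_conf "$SAMPLE" orion-ha orion-vip.example.com.
```

BIND treats allow-update and update-policy in the same zone as a configuration error, which is why the broad form is emitted only as a comment.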