
What are Transaction Signatures?

Created by Magdalena.Markova, last modified by Magdalena.Markova on Sep 13, 2017


Updated: September 13, 2017

We require transaction signatures (TSIG), rather than administrator credentials, when interacting with BIND DNS. TSIG provides greater security when updating the DNS server.

The TSIG shared secret key name is the name you gave the key in the configuration file.

The TSIG shared key value is the value contained in the .private file created when you generate the TSIG secret. Use the string after Key: in the file.

You must configure the DNS zone on your BIND DNS name server to accept the TSIG key you use when creating the HA pool. The key must use the HMAC-MD5 message authentication code with a key size between 1 and 512 bytes. You can use the dnssec-keygen utility included in your BIND installation to generate a new key.

If you have never used transaction signatures with BIND DNS before, you must also modify the BIND configuration file to allow DNS updates signed by the newly registered TSIG key.

Modify BIND DNS to use TSIG example

The following is provided as an example only. SolarWinds does not guarantee that this example will work as expected, nor do we support issues regarding BIND DNS. Create backups of your configuration file before beginning, and consult with your vendor's documentation.

  1. Log on to your BIND DNS server as an administrator.
  2. Open a command prompt and run the following command:
    # dnssec-keygen -a HMAC-MD5 -b <keysize> -n HOST <keyname>

    The command returns information similar to the following and saves the output to a pair of text files with the suffixes .key and .private:

    K<keyname>.+157+08924

  3. Run the following command to display the generated key:
    # cat K<keyname>.+157+08924.key

    For example, it returns a response similar to the following:

    <keyname>. IN KEY 512 3 157 <secret value>
  4. Register the key in BIND by adding the following code to the configuration file (usually located in /etc/named.conf or /etc/bind/named.conf):
    key "<keyname>" {
        algorithm hmac-md5;
        secret "<secret value>";
    };
  5. Reconfigure BIND using the following command:
    # rndc reconfig
  6. Verify that the new key is registered in your BIND server by running the following command:
    # rndc tsig-list

    This command returns information similar to the following:

    view "_default"; type "static"; key "bindupdate";
    view "_default"; type "static"; key "local-ddns";
    view "_default"; type "static"; key "<keyname>";
    view "_default"; type "static"; key "rndc-key";
    view "_bind"; type "static"; key "bindupdate";
    view "_bind"; type "static"; key "local-ddns";
    view "_bind"; type "static"; key "<keyname>";
    view "_bind"; type "static"; key "rndc-key";
  7. Modify the zone section in the BIND configuration file to allow DDNS updates signed by the registered TSIG key.
  8. Reconfigure BIND using the following command:
    # rndc reconfig
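The following Python script is an added example and not part of this SolarWinds page or of BIND. It ties the procedure above together: it reads the secret after Key: from the .private file (as described earlier on this page), refuses a key whose Algorithm line is not 157 (HMAC-MD5), renders the key stanza from step 4, renders one possible zone stanza for step 7 (the page does not show the zone section, so the allow-update form, zone name and file path are assumptions), and checks rndc tsig-list output from step 6 for the key name. The .private contents and the tsig-list output embedded below are constructed samples with a fake secret.

```python
"""TSIG helper for the BIND procedure above (added example, not SolarWinds code)."""
import base64
import binascii
import re

# Constructed sample of a K<keyname>.+157+NNNNN.private file; the secret is fake.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: c29sYXJ3aW5kcy1oYS1leGFtcGxlLXNlY3JldA==
Bits: AAA=
"""

# Constructed sample of "rndc tsig-list" output after registering key "ha-key".
SAMPLE_TSIG_LIST = """\
view "_default"; type "static"; key "bindupdate";
view "_default"; type "static"; key "local-ddns";
view "_default"; type "static"; key "ha-key";
view "_default"; type "static"; key "rndc-key";
view "_bind"; type "static"; key "bindupdate";
view "_bind"; type "static"; key "local-ddns";
view "_bind"; type "static"; key "ha-key";
view "_bind"; type "static"; key "rndc-key";
"""

TSIG_LIST_RE = re.compile(r'view "([^"]+)"; type "([^"]+)"; key "([^"]+)";')


def read_tsig_secret(private_text):
    """Return the base64 string after "Key:" in a .private file.

    Raises ValueError if the Key line is missing, is not valid base64, or the
    file's Algorithm line is not 157 (HMAC-MD5), which this page requires.
    """
    fields = {}
    for line in private_text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    if "Key" not in fields:
        raise ValueError("no 'Key:' line found in .private file")
    algorithm = fields.get("Algorithm", "").split()
    if algorithm and algorithm[0] != "157":
        raise ValueError("key algorithm is not 157 (HMAC-MD5)")
    secret = fields["Key"]
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise ValueError("Key: value is not valid base64") from exc
    if not raw:
        raise ValueError("Key: value is empty")
    return secret


def key_stanza(keyname, secret):
    """Render the key block from step 4 for named.conf."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", keyname):
        raise ValueError("unexpected characters in key name")
    return (f'key "{keyname}" {{\n'
            f'    algorithm hmac-md5;\n'
            f'    secret "{secret}";\n'
            f'}};\n')


def zone_stanza(zone, zonefile, keyname):
    """Render a zone block that accepts DDNS updates only when signed by keyname.

    Assumed form for step 7: the page does not show the zone section.
    """
    return (f'zone "{zone}" {{\n'
            f'    type master;\n'
            f'    file "{zonefile}";\n'
            f'    allow-update {{ key "{keyname}"; }};\n'
            f'}};\n')


def registered_keys(tsig_list_output):
    """Parse "rndc tsig-list" output (step 6) into {view: set(key names)}."""
    views = {}
    for line in tsig_list_output.splitlines():
        match = TSIG_LIST_RE.fullmatch(line.strip())
        if match:
            views.setdefault(match.group(1), set()).add(match.group(3))
    return views


def tsig_registered(tsig_list_output, keyname, view="_default"):
    """True if keyname appears in the given view of the tsig-list output."""
    return keyname in registered_keys(tsig_list_output).get(view, set())


if __name__ == "__main__":
    secret = read_tsig_secret(SAMPLE_PRIVATE)
    print(key_stanza("ha-key", secret))
    print(zone_stanza("example.com", "/var/named/example.com.zone", "ha-key"))
    print("ha-key registered:", tsig_registered(SAMPLE_TSIG_LIST, "ha-key"))
```

Run it against the real K<keyname>.+157+NNNNN.private file by replacing SAMPLE_PRIVATE with the file's contents. allow-update grants the key the right to change any record in the zone; BIND's update-policy directive can restrict a key to specific names and record types if the HA pool only needs to update one name.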