
What are Transaction Signatures?

Created by Magdalena.Markova, last modified by Magdalena.Markova on Sep 13, 2017


Updated: September 13, 2017


When interacting with BIND DNS, we require transaction signatures (TSIG) instead of administrator credentials. TSIG provides greater security when updating the DNS server.

The TSIG shared secret key name is the name you gave the key in the configuration file.

The TSIG shared key value is the value contained in the .private file created when you generate the TSIG secret. Use the string after Key: in the file.

You must configure your BIND DNS name server in the DNS zone to use the TSIG key you use when creating the HA pool. The key must use the HMAC-MD5 message authentication code with a key size between 1 and 512 bytes. You can use the dnssec-keygen utility included in your BIND installation to generate a new key.

If you have never used transaction signatures with BIND DNS before, you must also modify the BIND configuration file to allow DNS updates signed by the newly registered TSIG key.

Modify BIND DNS to use TSIG example

The following is provided as an example only. SolarWinds does not guarantee that this example will work as expected, nor do we support issues regarding BIND DNS. Create backups of your configuration file before beginning, and consult with your vendor's documentation.

  1. Log on to your BIND DNS server as an administrator.
  2. Open a command prompt and run the following command:
    # dnssec-keygen -a HMAC-MD5 -b <keysize> -n HOST <keyname>

    The command returns information similar to the following and saves the output to a pair of text files with the suffixes .key and .private:

    K<keyname>.+157+08924

  3. Run the following command to display the generated key:
    # cat K<keyname>.+157+08924.key

    For example, it returns a response similar to the following:

    <keyname>. IN KEY 512 3 157 <secret value>
  4. Register the key in BIND by adding the following code to the configuration file (usually located in /etc/named.conf or /etc/bind/named.conf):
    key "<keyname>" {
    algorithm hmac-md5;
    secret "<secret value>";
    };
  5. Reconfigure BIND using the following command:
    rndc reconfig
  6. Verify that the new key is registered in your BIND server by running the following command:
    # rndc tsig-list

    This command returns information similar to the following:

    view "_default"; type "static"; key "bindupdate";
    view "_default"; type "static"; key "local-ddns";
    view "_default"; type "static"; key "<keyname>";
    view "_default"; type "static"; key "rndc-key";
    view "_bind"; type "static"; key "bindupdate";
    view "_bind"; type "static"; key "local-ddns";
    view "_bind"; type "static"; key "<keyname>";
    view "_bind"; type "static"; key "rndc-key";
  7. Modify the zone section in the BIND configuration file to allow DDNS updates signed by the registered TSIG.
  8. Reconfigure BIND using the following command:
    rndc reconfig
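
The steps above as an added shell example (not SolarWinds' or the BIND project's own code): it reads the shared key value from the .private file, rejects names or secrets that could break out of the quoted named.conf strings, and prints the key clause for step 4 and an allow-update statement for step 7. The function names, ha-key, example.com and the sample key file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not SolarWinds or ISC code. Function names, "ha-key" and
# "example.com" are assumptions; the sample key file below is constructed.

# Print the shared key value: the string after "Key:" in the .private file.
tsig_secret() {
    awk '$1 == "Key:" && $2 != "" { print $2; ok = 1; exit }
         END { if (!ok) exit 1 }' "$1"
}

# Accept only characters that cannot break out of a quoted named.conf string.
valid_name()   { case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac; }
valid_secret() { case $1 in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac; }

# Step 4: key clause. $1 = key name, $2 = secret.
render_key_clause() {
    valid_name "$1" && valid_secret "$2" || return 1
    printf 'key "%s" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$1" "$2"
}

# Step 7: statement to add to the zone section. $1 = zone, $2 = key name.
render_zone_clause() {
    valid_name "$1" && valid_name "$2" || return 1
    printf 'zone "%s" {\n    // existing type and file statements stay as they are\n' "$1"
    printf '    allow-update { key "%s"; };\n};\n' "$2"
}

# Demo on a constructed .private file (sample values, not a real key).
tmp=$(mktemp -d)
cat > "$tmp/Kha-key.+157+00000.private" <<'EOF'
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==
Bits: AAA=
EOF
secret=$(tsig_secret "$tmp/Kha-key.+157+00000.private") || { echo "no Key: line" >&2; exit 1; }
umask 077   # the rendered key clause contains the shared secret
render_key_clause ha-key "$secret" > "$tmp/tsig.key.conf"
cat "$tmp/tsig.key.conf"
render_zone_clause example.com ha-key
rm -rf "$tmp"
```

allow-update lets the key change any record in the zone; BIND's update-policy statement (for example, grant <keyname> name <fqdn> A;) is the narrower alternative and cannot be combined with allow-update in the same zone.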
 