In 2017, security problems were discovered in two nameservers that were following the [RFC2845] and [RFC4635] (that is, TSIG and HMAC-SHA extension) specifications strictly. The implementations were fixed, and to avoid similar problems in the future, the two specification documents were updated and merged; the result is the revised specification for TSIG.

The second area where the secret key–based MACs specified in this document can be used is to authenticate DNS-update requests and transaction responses. This approach would be a lightweight alternative to the protocol described in [RFC3007].

Note

Use of TSIG presumes that the resolver and server involved have already agreed about the algorithm and key they will use.