
Configuring GSS-TSIG

GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is used to authenticate DDNS updates. It is a variant of TSIG authentication that uses the Kerberos v5 authentication system.

GSS-TSIG consists of a set of client-server negotiations to establish a security context. It makes use of a Kerberos server (for example, when it is running on the AD domain controller) that functions as the Kerberos KDC (Key Distribution Center) and provides session tickets and temporary session keys to users and computers within an Active Directory (AD) domain. Together, the client and server create and verify transaction signatures on messages they exchange. Microsoft Server versions 2012 R2, 2016, and 2019 support DDNS updates that use GSS-TSIG. You can configure the NIOS-X Server to accept GSS-TSIG–signed DDNS updates from one or more clients that belong to different AD domains in which each domain has a unique Kerberos key that corresponds to a DNS service principal.
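As an added example (not Infoblox code), the following parser reads an MIT-format keytab (file version 0x0502) and reports the principal, realm, version, and algorithm of each key, then groups the DNS service principals by realm so you can confirm that each AD domain has its own key. It assumes the Kerberos key is supplied as a keytab file and that the version and algorithm fields correspond to the keytab's kvno and enctype, neither of which this page states; `parse_keytab`, `review`, `build_entry`, and the sample realms are names constructed for the example.

```python
import struct

# Kerberos enctype numbers -> names (subset, for display)
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data):
    """Return principal, realm, version (kvno) and algorithm for each key in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4 + abs(size)               # step past the length field and the record
        if size <= 0:                      # a negative size marks a deleted slot (hole)
            continue
        rec, off = data[pos - size:pos], 2 # off starts after the component count
        def counted():                     # uint16 length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off].decode()
        (ncomp,) = struct.unpack_from(">H", rec)
        realm = counted()
        name = "/".join([counted() for _ in range(ncomp)])
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen                   # skip the key bytes; they are never returned
        if len(rec) - off >= 4:            # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append({"principal": f"{name}@{realm}", "realm": realm, "version": kvno,
                        "algorithm": ENCTYPES.get(etype, f"enctype-{etype}")})
    return entries

def review(entries):
    """Group DNS/ service principals by realm; list any other principals found."""
    by_realm = {}
    for e in (e for e in entries if e["principal"].startswith("DNS/")):
        by_realm.setdefault(e["realm"], set()).add(e["principal"])
    return by_realm, [e["principal"] for e in entries if not e["principal"].startswith("DNS/")]

def build_entry(realm, comps, kvno, etype, key):  # builds constructed sample records only
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    head = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body = head + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: two realms with dummy all-zero keys, plus one non-DNS principal
SAMPLE = (b"\x05\x02" + build_entry("CORP.EXAMPLE", ["DNS", "ns1.corp.example"], 3, 18, bytes(32))
          + build_entry("LAB.EXAMPLE", ["DNS", "ns1.lab.example"], 2, 17, bytes(16))
          + build_entry("LAB.EXAMPLE", ["host", "ns1.lab.example"], 2, 17, bytes(16)))
```

Treat a keytab as a secret: the parser reads the key bytes but never returns or prints them.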

The following is a high-level diagram of the GSS-TSIG process:


To view the list of GSS-TSIG entries:

  • If you are a user, click Configure > Administration > TSIG Keys > GSS-TSIG. If there are multiple entries, click the particular entry to view its details. If there are no entries, you can create one by following the instructions in Creating GSS-TSIG.
  • If you are an administrator, you can create, edit, or delete a GSS-TSIG entry. If you are a user, you can only view a GSS-TSIG entry. For more information, see Role-based Access Control.

After enabling GSS-TSIG, you can view the transactions in service logs. For more information, see Viewing Service Logs.

You can also do the following in the GSS-TSIG tab:

  • Reorder the columns, or select the columns to be displayed: Click the menu button.
  • Modify a GSS-TSIG entry: Click the menu button and then Edit, or select the checkbox for a specific record and click the Edit button.

  • Delete the GSS-TSIG entry: Click the menu button and then Delete, or select the respective AnyCast address and click the Delete button. A GSS-TSIG entry can be deleted only if it is not used in the GSS-TSIG DNS configuration in the Global DNS Properties, in the DNS Config profile, or at the level of the DNS server.

  • View a GSS-TSIG entry's information: Details such as the principal, algorithm, version, domain (realm), comment, and tags are shown in the information pane by default. The comment and tags can be modified. If you do not want to view the details in the panel on the right, click the information button.

  • Search for records in Universal DDI according to a specific keyword: Type the keyword in the Search text box.

  • Filter the objects by Principal, Domain, Version, Algorithm, Comments, or Tags: Click the filter button. To save a filter after selecting the required parameters, click the save button, specify a name for the filter, and click Save & Close. To reload a previously saved filter, click the star button and select the required filter.

You can perform the following actions: