About DNS
The TOE provides DNS service. There are two basic methods used to protect DNS communication: TSIG and GSS-TSIG. The TSIG (transaction signature) method signs communications using either HMAC-MD5 or HMAC-SHA256, and both end points must be configured with the same key. The GSS-TSIG method (based on the GSS-API) uses a Kerberos server to retrieve the key and is available only in Microsoft environments.
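As an added example (not part of this guide or the TOE's own code), the following Python computes and verifies a TSIG MAC over a DNS message as specified in RFC 8945, accepting only HMAC-SHA256 as the guide requires; the key name, shared secret and DNS header are constructed values.

```python
import hmac, hashlib, struct

# Only HMAC-SHA256 is accepted; HMAC-MD5 is deliberately not in the allow-list.
ALLOWED_ALGS = {"hmac-sha256.": hashlib.sha256}

def wire_name(name):
    """Canonical (lower-case) DNS wire encoding of a name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 8945 4.3.3): key name, class ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(alg)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_mac(message, key_name, key, alg, time_signed, fudge, request_mac=b""):
    """HMAC over [request MAC,] the message without its TSIG RR, and the TSIG variables."""
    data = (struct.pack("!H", len(request_mac)) + request_mac) if request_mac else b""
    data += message + tsig_variables(key_name, alg, time_signed, fudge)
    return hmac.new(key, data, ALLOWED_ALGS[alg]).digest()

def tsig_verify(message, key_name, key, alg, time_signed, fudge, mac, now):
    """Verifier-side checks in RFC 8945 order: algorithm/key, MAC, then time."""
    if alg not in ALLOWED_ALGS:
        return "BADKEY"
    expected = tsig_mac(message, key_name, key, alg, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

def demo():
    # Constructed values: a 12-byte DNS header for a dynamic UPDATE (opcode 5)
    # with one zone record, plus a shared secret held by both peers.
    message = struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 1, 0)
    key, key_name, alg = b"constructed-shared-secret", "ddns-key.example.", "hmac-sha256."
    t, fudge = 1_700_000_000, 300
    mac = tsig_mac(message, key_name, key, alg, t, fudge)
    tampered = message[:-1] + b"\x01"
    return {
        "valid": tsig_verify(message, key_name, key, alg, t, fudge, mac, t + 10),
        "md5_refused": tsig_verify(message, key_name, key, "hmac-md5.sig-alg.reg.int.", t, fudge, mac, t),
        "tampered": tsig_verify(tampered, key_name, key, alg, t, fudge, mac, t),
        "stale": tsig_verify(message, key_name, key, alg, t, fudge, mac, t + 600),
    }

if __name__ == "__main__":
    print(demo())
```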
When you configure the TOE to use TSIG and GSS-TSIG keys, you must select HMAC-SHA256 as the key algorithm. For information about using TSIG keys to ensure security in several DNS operations, see the following:
- To control access to DNS views. For more information, see Defining Match Clients Lists and Configuration Example: Configuring a DNS View.
- To control to which recursive and non-recursive queriers the TOE is allowed to respond. For more information, see Specifying Queries and Enabling Recursion.
- To authenticate zone transfer requests and replies. For more information, see Configuring Zone Transfers.
- To authenticate and verify dynamic DNS updates from DHCP servers. For more information, see Enabling DNS Servers to Accept DDNS Updates.
- To forward DDNS updates received by a secondary DNS server to the primary server. A secondary server cannot update zone data itself, so you must specify the source of the DDNS updates. For more information, see Forwarding Updates.
For information about using GSS-TSIG, see About GSS-TSIG.