GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is used to authenticate DDNS updates. It is a variant of TSIG authentication that uses the Kerberos v5 authentication system.

GSS-TSIG consists of a set of client-server negotiations to establish a security context. It makes use of a Kerberos server (for example, when it is running on the AD domain controller) that functions as the Kerberos KDC (Key Distribution Center) and provides session tickets and temporary session keys to users and computers within an Active Directory (AD) domain. Together, the client and server create and verify transaction signatures on messages they exchange. Microsoft Server versions 2012 R2, 2016, and 2019 support DDNS updates that use GSS-TSIG. You can configure the host to accept GSS-TSIG–signed DDNS updates from one or more clients that belong to different AD domains in which each domain has a unique Kerberos key that corresponds to a DNS service principal.

The following is a high-level diagram of the GSS-TSIG process:

1. Generate a keytab file from the Active Directory Kerberos server, and upload it to the Cloud Services Portal.
2. Select Allow GSS-TSIG signed updates in Global DNS Configuration.
3. The client sends a transaction key request. The DNS server responds with a signed TSIG.
4. The client sends an authenticated DDNS update to the DNS server.


To view the list of GSS-TSIG entries:

  • If you are a user, click Manage > Keys > GSS-TSIG. If there are multiple entries, click the particular entry to view its details. If there are no entries, you can create one by following the instructions in Creating GSS-TSIG.
  • If you are an administrator, you can create, edit, or delete a GSS-TSIG entry. If you are a user, you can only view a GSS-TSIG entry. For more information, see Role-based Access Control.

After enabling GSS-TSIG, you can view the transactions in service logs. For more information, see Viewing Service Logs.

You can also do the following in the GSS-TSIG tab:

  • Reorder the columns, or select the columns to be displayed: Click .
  • Modify a GSS-TSIG entry: Click  Edit, or select the checkbox for a specific record and click the Edit button.

  • Delete the GSS-TSIG entry: Click  > Delete or select the respective AnyCast address and click the Delete button. A GSS-TSIG entry can be deleted only if it is not used in the GSS-TSIG DNS configuration in the Global DNS Properties, in the DNS Config profile, or at the level of the DNS server.

  • A GSS-TSIG entry's information, such as principal, algorithm, version, domain (realm), comment, and tags, is shown in the information pane by default. Comment and tags can be modified. If you do not want to view the details in the panel on the right, click .

  • Search for records in BloxOne DDI according to a specific keyword: Type the keyword in the Search text box. 

  • Filter the objects by Principal, Domain, Version, Algorithm, Comments, or Tags: Click . To save a filter after selecting the required parameters, click , specify a name for the filter, and click Save & Close. To reload a previously saved filter, click  and select the required filter.

You can perform the following actions: