Secret Key Transaction Authentication for DNS (TSIG)

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc: The IESG <>, Benno Overeinder <>
Subject: Protocol Action: 'Secret Key Transaction Authentication for DNS (TSIG)' to Internet Standard (draft-ietf-dnsop-rfc2845bis-09.txt)

The IESG has approved the following document:
- 'Secret Key Transaction Authentication for DNS (TSIG)'
  (draft-ietf-dnsop-rfc2845bis-09.txt) as Internet Standard

This document is the product of the Domain Name System Operations Working Group.

The IESG contact persons are Warren Kumari and Robert Wilton.

A URL of this Internet Draft is:

Technical Summary

This document describes a protocol for DNS transaction-level
authentication using shared secrets and one-way hashing.  It can be
used to authenticate dynamic DNS updates as coming from an approved
client, or to authenticate responses as coming from an approved DNS
name server.

No recommendation is made here for distributing the shared secrets: it
is expected that a network administrator will statically configure
name servers and clients using some out-of-band mechanism.

The draft obsoletes RFC2845 and RFC4635.
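The following is an added illustration, not code from the draft or from any named implementation, of the mechanism the Technical Summary describes: a shared secret, an HMAC over the DNS message plus the signer's name, algorithm, signing time and fudge window, and, for a response, the request's MAC so the reply is bound to the query it answers. The digest input is deliberately simplified (the real wire format also covers class, TTL, error and other-data fields), and the secret, key name and message bytes are constructed demo values. The verifier checks the MAC in constant time before it trusts the time fields, then enforces the fudge window.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (not from the draft). A real deployment uses a
# high-entropy random secret configured out of band on both parties.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
DEMO_KEY_NAME = "demo-key.example."
DEMO_ALGORITHM = "hmac-sha256."
DEFAULT_FUDGE = 300  # seconds of clock skew tolerated around time_signed


def tsig_variables(key_name: str, algorithm: str, time_signed: int, fudge: int) -> bytes:
    """Serialize the TSIG variables covered by the MAC (simplified subset).

    Covering name, algorithm, 48-bit time and 16-bit fudge means none of
    them can be altered in transit without invalidating the MAC.
    """
    return (
        key_name.lower().encode() + b"\x00"
        + algorithm.lower().encode() + b"\x00"
        + time_signed.to_bytes(6, "big")
        + struct.pack("!H", fudge)
    )


def compute_mac(secret, message, key_name, algorithm, time_signed, fudge, request_mac=b""):
    # For a response, the request MAC is prepended, so a response replayed
    # against a different query fails verification.
    data = request_mac + message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def sign(secret, message, key_name, algorithm=DEMO_ALGORITHM, fudge=DEFAULT_FUDGE,
         now=None, request_mac=b""):
    """Produce the TSIG-style fields a sender attaches to a message."""
    time_signed = int(time.time() if now is None else now)
    mac = compute_mac(secret, message, key_name, algorithm, time_signed, fudge, request_mac)
    return {"key_name": key_name, "algorithm": algorithm,
            "time_signed": time_signed, "fudge": fudge, "mac": mac}


def verify(secret, message, tsig, now=None, request_mac=b""):
    """Return (True, 'NOERROR') or (False, <TSIG error name>)."""
    expected = compute_mac(secret, message, tsig["key_name"], tsig["algorithm"],
                           tsig["time_signed"], tsig["fudge"], request_mac)
    # Constant-time comparison; an early-exit byte compare leaks timing.
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"
    # Only after the MAC checks out are the time fields trustworthy; reject
    # anything outside the fudge window to bound replay.
    current = int(time.time() if now is None else now)
    if abs(current - tsig["time_signed"]) > tsig["fudge"]:
        return False, "BADTIME"
    return True, "NOERROR"


def demo():
    """Sign a constructed update and response and exercise the failure modes."""
    query = b"constructed DNS UPDATE message bytes"
    t0 = 1_700_000_000
    req = sign(DEMO_SECRET, query, DEMO_KEY_NAME, now=t0)
    answer = b"constructed DNS response bytes"
    resp = sign(DEMO_SECRET, answer, DEMO_KEY_NAME, now=t0 + 1, request_mac=req["mac"])
    return {
        "ok_request": verify(DEMO_SECRET, query, req, now=t0 + 10),
        "tampered": verify(DEMO_SECRET, query + b"!", req, now=t0 + 10),
        "wrong_key": verify(b"other-secret", query, req, now=t0 + 10),
        "stale": verify(DEMO_SECRET, query, req, now=t0 + 3600),
        "ok_response": verify(DEMO_SECRET, answer, resp, now=t0 + 2, request_mac=req["mac"]),
        "unbound_response": verify(DEMO_SECRET, answer, resp, now=t0 + 2, request_mac=b""),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

The order of checks matters: the MAC is verified first because `time_signed` and `fudge` are attacker-controlled bytes until the MAC proves they came from a key holder, and the comparison uses `hmac.compare_digest` rather than `==`.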

Working Group Summary

The draft updates RFC2845 because ambiguity in the wording of that
document led different implementations to make decisions that caused
operational problems; see also Section 1.3.  The draft was swiftly
adopted as a DNSOP WG document.  After WG adoption, the authors of the
original RFC2845 were also added to the author list.  The WG stated
that the document was not just an erratum but a bis, so the document
could improve the readability and wording of the protocol
specification.

Document Quality

A recent implementation of RFC2845 used the rfc2845bis draft to
implement TSIG.  The new draft is much clearer and offers better
implementation guidance than the original.  RFC2845 is implemented by
all known open source DNS name servers and, as far as the shepherd
knows, all commercial DNS name servers (the status of proprietary name
servers is not known).

The implementer (Martin Hoffmann, NLnet Labs) has provided good
feedback to improve the text of the rfc2845bis draft and to reorganize
some sections.  Other feedback from the working group has also been


Document Shepherd: Benno Overeinder
Responsible Area Director: Warren Kumari