TSIG
E192672
TSIG (Transaction SIGnature) is a security protocol used in DNS to authenticate and protect DNS messages between servers using shared secret keys and message authentication codes.
All labels observed (1)
| Label | Occurrences |
|---|---|
| TSIG canonical | 1 |
How this entity was disambiguated
This entity first appeared as the object of triple T1712058 — resolving that mention is where its identity was fixed. The disambiguator weighed these candidate entities and picked the highlighted one (or “None”, minting a new entity). This is how homonymy is resolved: the same surface form can point to different entities.
Target entity: TSIG Context triple: [DNSSEC, relatedStandard, TSIG]
-
A.
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds cryptographic authentication and integrity protection to DNS data to prevent attacks such as cache poisoning and spoofing.
-
B.
Kerberos
Kerberos is a small, irregularly shaped moon of Pluto discovered in 2011 as part of the Pluto system’s complex family of satellites.
-
C.
Kerberos
Kerberos is a network authentication protocol that uses secret-key cryptography to securely verify the identity of users and services in distributed systems.
-
D.
DNSSEC ZSK
DNSSEC ZSK (Zone Signing Key) is the cryptographic key used in DNS Security Extensions to sign individual DNS zone data, ensuring the authenticity and integrity of DNS responses.
-
E.
DNSSEC root key signing ceremony
The DNSSEC root key signing ceremony is a highly controlled, regularly scheduled cryptographic event where trusted personnel generate and manage the root cryptographic keys that secure the global Domain Name System.
- F. None of above. chosen
- G. Unsure - the case is ambiguous/there is not enough information to decide.
Target entity: TSIG Target entity description: TSIG (Transaction SIGnature) is a security protocol used in DNS to authenticate and protect DNS messages between servers using shared secret keys and message authentication codes.
-
A.
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds cryptographic authentication and integrity protection to DNS data to prevent attacks such as cache poisoning and spoofing.
-
B.
Kerberos
Kerberos is a small, irregularly shaped moon of Pluto discovered in 2011 as part of the Pluto system’s complex family of satellites.
-
C.
Kerberos
Kerberos is a network authentication protocol that uses secret-key cryptography to securely verify the identity of users and services in distributed systems.
-
D.
DNSSEC ZSK
DNSSEC ZSK (Zone Signing Key) is the cryptographic key used in DNS Security Extensions to sign individual DNS zone data, ensuring the authenticity and integrity of DNS responses.
-
E.
DNSSEC root key signing ceremony
The DNSSEC root key signing ceremony is a highly controlled, regularly scheduled cryptographic event where trusted personnel generate and manage the root cryptographic keys that secure the global Domain Name System.
- F. None of above. chosen
Statements (48)
| Predicate | Object |
|---|---|
| instanceOf |
DNS security protocol
ⓘ
authentication mechanism ⓘ |
| authenticationModel | symmetric key ⓘ |
| category |
DNS authentication
ⓘ
network security protocol ⓘ |
| definedIn | RFC 2845 ⓘ |
| differenceFrom |
DNSSEC uses public key cryptography
ⓘ
TSIG uses shared symmetric keys ⓘ |
| errorHandling | uses TSIG error codes in DNS responses ⓘ |
| fullName | Transaction SIGnature ⓘ |
| implementedBy |
BIND
ⓘ
Knot DNS ⓘ Windows Server ⓘ
surface form:
Microsoft DNS Server
NSD ⓘ PowerDNS ⓘ |
| includes |
MAC over DNS header and data
ⓘ
timestamp in signature ⓘ |
| keyManagement | manually configured shared secrets ⓘ |
| positionInMessage | additional section of DNS message ⓘ |
| protects | DNS messages between servers ⓘ |
| provides |
integrity protection
ⓘ
message authentication ⓘ protection against spoofed DNS messages ⓘ |
| recordClass | ANY ⓘ |
| recordType | TSIG RR ⓘ |
| relatedTo | DNSSEC ⓘ |
| reliesOn | time-based signatures ⓘ |
| representedAs | DNS resource record ⓘ |
| requires | pre-shared key configuration on both DNS peers ⓘ |
| scope |
DNS zone transfers
ⓘ
dynamic DNS updates ⓘ server-to-server DNS communication ⓘ |
| securityProperty |
does not provide confidentiality
ⓘ
helps prevent replay attacks via timestamps ⓘ protects against message tampering ⓘ |
| standardizedBy |
Internet Engineering Task Force
ⓘ
surface form:
IETF
|
| status | widely implemented in DNS servers ⓘ |
| supports |
HMAC-MD5
ⓘ
HMAC-SHA1 ⓘ HMAC ⓘ
surface form:
HMAC-SHA256
|
| usedFor |
securing AXFR zone transfers
ⓘ
securing IXFR zone transfers ⓘ securing dynamic updates (RFC 2136) ⓘ |
| usedIn | Domain Name System ⓘ |
| uses |
HMAC
ⓘ
MAC over DNS message ⓘ message authentication codes ⓘ shared secret keys ⓘ |
How these facts were elicited
The pipeline generated the facts above by prompting gpt-5.1 with this entity's name + description and the instruction below.
You are a knowledge base construction expert. Given a subject entity and a description of it, return factual statements that you know for the subject as a JSON list of dictionaries(triples), where keys must be "subject", "predicate" and "object". The number of facts may be very high, between 25 to 50 or more, for very popular subjects. For less popular subjects, the number of facts can be very low, like 5 or 10. # Requirements - If you don't know the subject at all, return an empty list. - If the subject is not a named entity, return an empty list. - Include at least one triple where predicate is "instanceOf". - Do not get too wordy. - Separate several objects into multiple triples with one object.
Subject: TSIG Description of subject: TSIG (Transaction SIGnature) is a security protocol used in DNS to authenticate and protect DNS messages between servers using shared secret keys and message authentication codes.
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.