TSIG key management
Overview
This guide provides detailed instructions for TSIG key management, covering both targeted and comprehensive actions.
Targeted actions include:
Comprehensive actions include listing all available TSIG keys.
Benefits
TSIG key management safeguards the integrity and security of DNS communications. By signing each transaction with a unique key, DigiCert® DNS ensures trusted, authenticated interactions that meet regulatory and compliance requirements. The platform enables cryptographic authentication for DNS transactions, allowing only authorized parties to initiate updates or transfers. Support for dynamic DNS updates and secure zone transfers automates critical changes and protects data in transit. Centralized management provides fine-grained access control and full visibility, reducing unauthorized changes, simplifying troubleshooting, and improving system reliability.
Procedures
Notice
This procedure creates a TSIG key (tsigkey) that will be updated and deleted in subsequent procedures. To apply this TSIG key, follow the procedure for updating the settings of a primary domain or a secondary domain.
To test this function, call this API endpoint: POST /tsig
Sign in to your DigiCert® DNS account.
From the landing page, go to the left sidebar and select DNS > Configurations.
In the TSIG KEYS tab, select the Add TSIG Key button.
In the Add TSIG Key dialog:
Enter a name in the Name field (for example, tsigkey).
From the Algorithm drop-down list, select a type:
HMAC-SHA224: Ideal for environments with strict size constraints or legacy systems requiring shorter digest lengths.
HMAC-SHA256: Ideal for general-purpose use, offering a strong balance of performance and security; widely supported and recommended for most configurations.
HMAC-SHA384: Ideal for systems requiring a higher security level than SHA256, with slightly increased computational overhead.
HMAC-SHA512: Ideal for high-security environments where maximum integrity and collision resistance are required, especially in modern systems with sufficient processing capacity.
In the Secret field, enter a secret key manually or select Auto-Generate Key to create one automatically.
Tip
Selecting Auto-Generate Key will either populate an empty field or replace an existing secret key. You can auto-generate as often as needed; however, if the algorithm type is changed, a new secret key must be provided.
Select Save to finish.
A message appears confirming the successful creation of the TSIG key.
Notice
This procedure deletes a specific TSIG key (tsigkey) created in an earlier procedure. You can follow either Path 1 or Path 2 to complete the deletion.
To test this function, call this API endpoint: DELETE /tsig/{tsigId}
Path 1
Sign in to your DigiCert® DNS account.
From the landing page, go to the left sidebar and select DNS > Configurations.
In the TSIG KEYS tab, at the end of the row of the TSIG key you want to delete, select the trash icon.
In the Confirm Deletion dialog, select Confirm.
A message appears confirming the successful deletion of the TSIG key.
Path 2
Sign in to your DigiCert® DNS account.
From the landing page, go to the left sidebar and select DNS > Configurations.
In the TSIG KEYS tab, select the checkbox of the TSIG key you want to delete.
Tip
You can select multiple checkboxes to delete several TSIG keys at once.
Select Delete at the top of the table.
In the Confirm Deletion dialog, select Confirm.
A message appears confirming the successful deletion of the TSIG key.
Notice
This procedure displays all TSIG keys created by the user.
To test this function, call this API endpoint: GET /tsig
Sign in to your DigiCert® DNS account.
From the landing page, go to the left sidebar and select DNS > Configurations.
Select the TSIG KEYS tab.
The table displays all the TSIG keys associated with the account.
Tip
Use Columns and Filters to customize your view of the results.
Notice
This procedure displays the details of a specific TSIG key (tsigkey) created in an earlier procedure. Follow Path 1 if there are only a few results to review. Follow Path 2 if you prefer to filter results quickly.
To test this function, call this API endpoint: GET /tsig/{tsigId}
Path 1
Sign in to your DigiCert® DNS account.
From the landing page, go to the left sidebar and select DNS > Configurations.
Select the TSIG KEYS tab.
The table displays all the TSIG keys associated with the account.
Locate the TSIG key you want to view (for example, tsigkey).
Select Columns at the top of the results table, then select all the checkboxes to ensure that all TSIG key information is displayed.
Path 2
Sign in to your DigiCert® DNS account.
From the landing page, go to the left sidebar and select DNS > Configurations.
Select the TSIG KEYS tab.
The table displays all the TSIG keys associated with the account.
Select Filters at the top of the results table to locate the specific TSIG key quickly.
Tip
In this example, the name of the TSIG key is known, so the following filter was applied:
Under Column, select Name.
Under Operator, select contains.
Under Value, enter the TSIG key's name (tsigkey).
If no results appear, double-check the Filters selections and input values.
Select Columns at the top of the results table, then select all the checkboxes to ensure that all TSIG key information is displayed.
Notice
This procedure updates a specific TSIG key (tsigkey) created in an earlier procedure.
To test this function, call this API endpoint: PUT /tsig/{tsigId}
Sign in to your DigiCert® DNS account.
From the landing page, go to the left sidebar and select DNS > Configurations.
Select the TSIG KEYS tab.
The table displays all the TSIG keys associated with the account.
Locate the TSIG key you want to update (for quick filtering, see Path 2 of the procedure for viewing a TSIG key's details).
Select the name of the TSIG key (for example, tsigkey).
In the Edit TSIG Key dialog:
Edit the TSIG key's details as required.
Tip
Selecting Auto-Generate Key will replace the existing secret key. You can auto-generate as often as needed; however, if the algorithm type is changed, a new secret key must be provided.
Select Save to finish.
A message appears confirming the successful update of the TSIG key.
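For the Algorithm and Secret fields in the create and update procedures above, when a secret is entered manually instead of with Auto-Generate Key: the following is an added example, not DigiCert code, that generates a random secret sized to the selected algorithm and checks a hand-supplied one before it is pasted in. It assumes the secret is base64-encoded (the format BIND key files use) and applies the RFC 2104 guidance that an HMAC key should be at least as long as the hash output; the function names are hypothetical.

```python
import base64
import binascii
import secrets

# Digest size in bytes for each algorithm offered in the Algorithm drop-down.
DIGEST_BYTES = {
    "HMAC-SHA224": 28,
    "HMAC-SHA256": 32,
    "HMAC-SHA384": 48,
    "HMAC-SHA512": 64,
}


def generate_tsig_secret(algorithm: str) -> str:
    """Return a random base64 secret as long as the algorithm's digest."""
    size = DIGEST_BYTES[algorithm.upper()]
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")


def check_tsig_secret(algorithm: str, secret_b64: str) -> list[str]:
    """Return the problems found in a manually supplied secret (empty = OK)."""
    size = DIGEST_BYTES.get(algorithm.upper())
    if size is None:
        return [f"unknown algorithm {algorithm!r}"]
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError):
        return ["secret is not valid base64"]
    problems = []
    if len(raw) < size:
        problems.append(
            f"secret is {len(raw)} bytes; {algorithm} needs at least {size}"
        )
    # Random bytes are almost never all printable ASCII; a passphrase is.
    if raw and all(32 <= b < 127 for b in raw):
        problems.append("secret decodes to printable text, not random bytes")
    return problems


if __name__ == "__main__":
    secret = generate_tsig_secret("HMAC-SHA256")
    print("generated secret passes:", check_tsig_secret("HMAC-SHA256", secret) == [])
    # Constructed weak input: base64 of the word "password".
    print(check_tsig_secret("HMAC-SHA256", "cGFzc3dvcmQ="))
    # A secret sized for SHA256 is too short once the key is switched to SHA512.
    print(check_tsig_secret("HMAC-SHA512", secret))
```

The last call shows why a secret should be regenerated when the algorithm changes: a value sized for one digest can fall below the recommended length for a larger one.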