.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

TKEY
----

TKEY (Transaction KEY) is a mechanism for automatically negotiating a
shared secret between two hosts, originally specified in :rfc:`2930`.

There are several TKEY "modes" that specify how a key is to be generated
or assigned. Of these, BIND 9 implements Diffie-Hellman key exchange,
the mode described here. Both hosts must have a KEY record with
algorithm DH; the record carries the host's DH public value, and it is
not required to be published in a zone.

The TKEY process is initiated when a client, or another server, sends a
query of type TKEY to a TKEY-aware server. The query must include an
appropriate KEY record in the additional section, and must be signed
using either TSIG or SIG(0) with a previously established key; an
unsigned query, or one signed with a key the server does not know, is
rejected. The server's response, if successful, contains a TKEY record
in its answer section. After this transaction, both participants have
enough information to calculate a shared secret using Diffie-Hellman key
exchange. The shared secret can then be used to sign subsequent
transactions between the two hosts.

TSIG keys known to the server, including TKEY-negotiated keys, can be
listed using :option:`rndc tsig-list`.

TKEY-negotiated keys can be deleted from a server using
:option:`rndc tsig-delete`. This can also be done via the TKEY protocol
itself, by sending an authenticated TKEY query specifying the "key
deletion" mode.
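The exchange described above, carried end to end with both sides in one process, as an added example; it is not BIND code and not text from :rfc:`2930`. Only the RDATA layouts are taken from the RFCs: the KEY record (:rfc:`2535`) with algorithm 2 (DH) and the :rfc:`2539` public-key field, and the TKEY record (:rfc:`2930` section 2). Everything else is this example's own and should be read as assumptions: the function names (``negotiate``, ``server_handle``, ``derive_secret`` and the rest) are hypothetical; the pre-established TSIG signature is stood in for by an HMAC over the two RDATA fields rather than a real TSIG MAC over the DNS message; the keying material follows the XOR-of-MD5 shape :rfc:`2930` section 4.1 describes but keeps only the 32 bytes the two digests cover; and the 1024-bit :rfc:`2409` group 2 prime is used only to keep the example fast and self-contained, not because it is adequate for real use. The server refuses any mode other than Diffie-Hellman by setting the TKEY error field to BADMODE, rejects a KEY record whose group is not its own or whose public value is degenerate, and both sides finish with the same secret.

```python
"""Simulated TKEY Diffie-Hellman (mode 2) exchange; added illustration, not BIND code."""
import hashlib
import hmac
import secrets
import struct
import time

TKEY_MODE_DH, TKEY_BADMODE = 2, 19        # RFC 2930 sections 2.5 and 2.6
ALGORITHM = "hmac-sha256."                 # algorithm name carried in the TKEY RR
# RFC 2409 group 2 (1024-bit MODP, generator 2): far too small for real use, chosen only to keep this fast.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, PLEN = 2, 128                           # generator and byte length of the prime

def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels ending in the root label."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def decode_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def dh_key_rdata(pub):
    """KEY RDATA (RFC 2535: flags, protocol, algorithm, public key), algorithm 2 = DH;
    the public key field is RFC 2539's length-prefixed prime, generator and public value."""
    fields = (P.to_bytes(PLEN, "big"), G.to_bytes(1, "big"), pub.to_bytes(PLEN, "big"))
    return struct.pack("!HBB", 0, 3, 2) + b"".join(struct.pack("!H", len(f)) + f for f in fields)

def parse_dh_key_rdata(rdata):
    if rdata[3] != 2:                          # algorithm byte: 2 = DH
        raise ValueError("KEY record does not use algorithm DH")
    off, vals = 4, []
    for _ in range(3):
        (n,) = struct.unpack("!H", rdata[off:off + 2])
        vals.append(int.from_bytes(rdata[off + 2:off + 2 + n], "big"))
        off += 2 + n
    return tuple(vals)                         # (prime, generator, public value)

def tkey_rdata(mode, error, key_data, inception, expiration, other=b""):
    """TKEY RDATA (RFC 2930 section 2): algorithm, inception, expiration, mode, error,
    key size and data, other size and data."""
    head = struct.pack("!IIHHH", inception, expiration, mode, error, len(key_data))
    return encode_name(ALGORITHM) + head + key_data + struct.pack("!H", len(other)) + other

def parse_tkey_rdata(rdata):
    algorithm, off = decode_name(rdata, 0)
    inception, expiration, mode, error, ksize = struct.unpack("!IIHHH", rdata[off:off + 14])
    return dict(algorithm=algorithm, inception=inception, expiration=expiration, mode=mode,
                error=error, key_data=rdata[off + 14:off + 14 + ksize])  # "other data" ignored

def derive_secret(dh_value, query_data, server_data):
    """Keying material in the shape RFC 2930 section 4.1 gives:
    XOR(DH value, MD5(query data | DH value) | MD5(server data | DH value)).
    Keeping only the 32 bytes covered by the two digests is this example's simplification."""
    digests = hashlib.md5(query_data + dh_value).digest() + hashlib.md5(server_data + dh_value).digest()
    return bytes(a ^ b for a, b in zip(dh_value, digests))

def sign(tsig_key, key_rdata, tkey_rd):
    """Stand-in for the TSIG signature over the query; a real TSIG MAC also covers the DNS
    header, question section and TSIG variables."""
    msg = struct.pack("!H", len(key_rdata)) + key_rdata + tkey_rd
    return hmac.new(tsig_key, msg, hashlib.sha256).digest()

def server_handle(tsig_key, key_rdata, tkey_q, mac):
    """Server side: check the pre-established key, then answer a mode-2 query.
    Returns (response TKEY RDATA, server KEY RDATA or None, derived secret or None)."""
    if not hmac.compare_digest(sign(tsig_key, key_rdata, tkey_q), mac):
        raise PermissionError("TKEY query is not signed with a known TSIG key")
    q = parse_tkey_rdata(tkey_q)
    if q["mode"] != TKEY_MODE_DH:              # the only mode this server implements
        return tkey_rdata(q["mode"], TKEY_BADMODE, b"", q["inception"], q["expiration"]), None, None
    p, g, cpub = parse_dh_key_rdata(key_rdata)
    if (p, g) != (P, G) or not 1 < cpub < p - 1:   # refuse foreign groups and degenerate values
        raise ValueError("client KEY record uses an unacceptable DH group or public value")
    sx, snonce = secrets.randbits(256), secrets.token_bytes(16)
    secret = derive_secret(pow(cpub, sx, p).to_bytes(PLEN, "big"), q["key_data"], snonce)
    resp = tkey_rdata(TKEY_MODE_DH, 0, snonce, q["inception"], q["expiration"])
    return resp, dh_key_rdata(pow(G, sx, P)), secret

def negotiate(tsig_key, mode=TKEY_MODE_DH, now=None):
    """Client side. Returns (client secret, server secret, TKEY error code)."""
    now = now or int(time.time())
    cx, cnonce = secrets.randbits(256), secrets.token_bytes(16)
    key_rdata = dh_key_rdata(pow(G, cx, P))
    tkey_q = tkey_rdata(mode, 0, cnonce, now, now + 3600)
    resp, skey_rdata, server_secret = server_handle(tsig_key, key_rdata, tkey_q, sign(tsig_key, key_rdata, tkey_q))
    r = parse_tkey_rdata(resp)
    if r["error"]:
        return None, None, r["error"]
    p, g, spub = parse_dh_key_rdata(skey_rdata)
    return derive_secret(pow(spub, cx, p).to_bytes(PLEN, "big"), cnonce, r["key_data"]), server_secret, 0
```

Calling ``negotiate(b"preshared-tsig-key")`` returns two identical 32-byte secrets and error code 0; calling it with ``mode=1`` returns no secret and error 19 (BADMODE), which is the path a server takes for a mode it does not implement. The group and public-value check in ``server_handle`` is the caveat worth keeping from this example: a server that computes a DH shared secret over whatever prime and generator the client supplies has handed the client control of the key's strength.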