TSIG is short for Transaction SIGnature. It uses symmetric signatures to authenticate updates to the DNS database. It is most commonly used for dynamic DNS (RFC2136) and zone transfers to slave name servers.

Supported Operation Modes

Zone Transfers

TSIG keys can be used to authenticate zone transfers from our DNS system to your own slave name servers. This is called an outgoing zone transfer.


You can simply test if a zone transfer with TSIG works. This will transfer the zone example.org with a key named example.org-test.

dig -t AXFR example.org @ns1.lightningwirelabs.com -y "example.org-test:++rp5VC4iHl96f5R8Pd/Aw=="

DNS Update (RFC2136)

You can also use TSIG keys to authenticate DNS updates. The most common usage is to let your DHCP server update the DNS records on a public name server.


Click here to find out which algorihtms are supported with TSIG.