
Does Windows DNS support "HMAC-TSIG"? Either in AD or on a stand-alone DNS server (secondary zone)?

PETER DONOHUE 0 Reputation points
2026-06-09T14:17:56.2033333+00:00

We are trying to deploy ACME certificate management, and my application side of the house wants to test with HMAC-TSIG. From what I see it is not supported on a DC, but we have a secondary zone server not running AD; will HMAC-TSIG work in this scenario?


1 answer

  1. Marcin Policht 92,045 Reputation points MVP Volunteer Moderator
    2026-06-09T14:44:08.72+00:00

    Unfortunately, AFAIK, this is not supported. Windows DNS natively uses GSS-TSIG, which relies on Kerberos and the Active Directory environment to securely negotiate keys and authenticate dynamic updates.

    As a workaround, you can potentially try the following:

    • Secure by IP Access Control Lists (ACLs) - Instead of cryptographic transaction signatures, restrict zone transfers strictly by target IP addresses. On the Windows primary zone, configure Zone Transfers to "Only to the following servers" and explicitly enter the IP addresses of your non-Windows secondary nodes.
    • Network-Layer Security (IPsec) - If the zone data must be authenticated or encrypted over transit networks, handle the security at the packet layer instead of the application layer.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

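As an added example for the first workaround in the answer above (this is not code from the thread or from Microsoft), the "Only to the following servers" zone-transfer setting can be applied and then verified from PowerShell on the Windows primary using the DnsServer module. The zone name and the secondary addresses are constructed placeholders; replace them with your own.

```powershell
# Added example: pin zone transfers on a Windows DNS primary to an explicit
# list of secondary IPs, then check that the live configuration matches.
# Assumptions: the DnsServer module is present (Windows Server DNS role) and
# the caller is a DNS administrator. Zone and addresses are placeholders.

$ZoneName         = 'example.internal'                 # constructed zone name
$SecondaryServers = @('192.0.2.10', '192.0.2.11')      # constructed non-Windows secondaries

function Set-ZoneTransferAllowList {
    param(
        [Parameter(Mandatory)] [string]   $Zone,
        [Parameter(Mandatory)] [string[]] $Servers
    )
    # TransferToSecureServers: only addresses in -SecondaryServers may AXFR/IXFR the zone
    # (this is the GUI's "Only to the following servers" option).
    # NotifyServers: NOTIFY messages are sent only to that same list.
    Set-DnsServerPrimaryZone -Name $Zone `
        -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $Servers `
        -Notify NotifyServers `
        -NotifyServers $Servers
}

function Test-ZoneTransferAllowList {
    param(
        [Parameter(Mandatory)] [string]   $Zone,
        [Parameter(Mandatory)] [string[]] $Servers
    )
    # Read back the zone and compare the configured allow list with the intended one.
    $z          = Get-DnsServerZone -Name $Zone
    $configured = @($z.SecondaryServers | ForEach-Object { "$_" })
    $unexpected = @($configured | Where-Object { $Servers -notcontains $_ })
    $missing    = @($Servers    | Where-Object { $configured -notcontains $_ })

    [pscustomobject]@{
        Zone              = $Zone
        SecureSecondaries = $z.SecureSecondaries
        Configured        = $configured
        Unexpected        = $unexpected          # addresses allowed but not on our list
        Missing           = $missing             # addresses on our list but not allowed
        Compliant         = ($z.SecureSecondaries -eq 'TransferToSecureServers') -and
                            ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
    }
}

Set-ZoneTransferAllowList  -Zone $ZoneName -Servers $SecondaryServers
Test-ZoneTransferAllowList -Zone $ZoneName -Servers $SecondaryServers | Format-List
```

The check function is worth keeping in a scheduled job: if anyone later widens the setting to "To any server" or adds an address, `Compliant` flips to `False` and the `Unexpected` field names the address. Because this control keys on source IP alone, it does not authenticate or protect the integrity of the transferred data the way TSIG does; that gap is what the IPsec option in the answer is meant to cover.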
