Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-72409 | BIND-9X-001057 | SV-87033r2_rule | | Low |
Description |
---|
It is important to maintain the integrity of a zone file. The serial number in the SOA record indicates to secondary name servers that the zone has changed and that a zone transfer should be performed. That serial number also gives the DNS administrator a way to verify the integrity of the zone file against the last update and to confirm that all secondary (slave) servers are serving the correct version of the zone. |
STIG | Date |
---|---|
BIND 9.x Security Technical Implementation Guide | 2017-05-26 |
Check Text (C-72613r2_chk) |
---|
If this is a secondary name server, this is Not Applicable. On a master name server, verify that global notification is disabled. Inspect the "named.conf" file for `options { notify no; };`. If the "notify" statement is missing from the "options" block, this is a finding. If the "notify" statement is set to "yes", this is a finding. Then verify that each zone is configured to notify only its authorized secondary name servers when the zone file has been updated. Inspect the "named.conf" file for `zone example.com { notify explicit; also-notify {` followed by the address match list of secondaries. If an address match list is used, verify that each IP address listed is an authorized secondary name server for that zone. If the "notify explicit" statement is missing, this is a finding. If the "also-notify" statement is missing, this is a finding. If the "also-notify" statement is configured to notify name servers that are not authorized for that zone, this is a finding. |
Fix Text (F-78765r2_fix) |
---|
Edit the "named.conf" file. Set the "notify" sub-statement in the "options" statement block to "no": `options { notify no; };`. In each zone statement block, configure the "notify explicit" and "also-notify" sub-statements so that zone change notifications go only to authorized secondary name servers: `zone example.com { notify explicit; also-notify {` followed by the address match list of those secondaries. With "notify explicit", named sends NOTIFY messages only to the servers listed in "also-notify", not to the servers named in the zone's NS records. Restart the BIND 9.x process. |
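The following is an added example, not part of the STIG or of BIND, that applies the Check Text conditions above (global `notify no`, per-zone `notify explicit` plus an `also-notify` list containing only authorized secondaries) to a named.conf. The two sample configurations, the zone name example.com, the IP addresses, the `AUTHORIZED_SECONDARIES` inventory and the helper names are all constructed for the example. It parses only top-level `options` and `zone` blocks (no `view` blocks) and the `notify`, `also-notify` and `type` statements this finding cares about; zones the server does not hold as master are skipped, which is an assumption of the example rather than wording from the STIG.

```python
"""Offline check for the V-72409 notify/also-notify conditions (hypothetical helper)."""
import ipaddress
import re

# Constructed sample configurations (not from any real deployment).
COMPLIANT_CONF = """
options {
    directory "/var/named";
    notify no;          // global notify disabled, as the STIG requires
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    notify explicit;    // NOTIFY goes only to the also-notify list, not to NS records
    also-notify { 192.0.2.10; 192.0.2.11; };
};
"""

NONCOMPLIANT_CONF = """
options {
    directory "/var/named";
    notify yes;         /* global notify enabled: finding */
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    # "notify explicit" missing: finding
    also-notify { 192.0.2.10; 198.51.100.7; };  # 198.51.100.7 is not an authorized secondary
};
"""

# Assumed inventory of authorized secondaries per zone; in practice this comes
# from the site's DNS inventory, never from named.conf itself.
AUTHORIZED_SECONDARIES = {"example.com": {"192.0.2.10", "192.0.2.11"}}

_COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
_BLOCK_RE = re.compile(r'\b(options|zone)\b\s*"?([^\s"{]*)"?\s*(?:IN\s+)?\{', re.I)
_STMT_RE = re.compile(r"([\w-]+)\s*(\{[^}]*\}|[^;{}]*);")


def _block_body(text, start):
    """Return the text between the '{' at text[start] and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def parse_named_conf(text):
    """Return {'options': {stmt: value}, 'zones': {name: {stmt: value}}}."""
    text = _COMMENT_RE.sub("", text)
    conf = {"options": {}, "zones": {}}
    pos = 0
    while (m := _BLOCK_RE.search(text, pos)):
        body = _block_body(text, m.end() - 1)
        pos = m.end() + len(body) + 1          # resume after the closing brace
        stmts = {k: v.strip() for k, v in _STMT_RE.findall(body)}
        if m.group(1).lower() == "options":
            conf["options"] = stmts
        else:
            conf["zones"][m.group(2)] = stmts
    return conf


def also_notify_targets(value):
    """Split an also-notify address match list into tokens (per-entry 'port N' dropped)."""
    return re.findall(r"[^{};\s]+", re.sub(r"\bport\s+\d+", "", value))


def check_notify(conf_text, authorized):
    """Apply the V-72409 check; returns a list of findings (empty means compliant)."""
    conf = parse_named_conf(conf_text)
    findings = []
    g = conf["options"].get("notify")
    if g is None:
        findings.append('options: "notify" statement missing')
    elif g.lower() != "no":
        findings.append(f'options: notify is "{g}", expected "no"')
    for zone, stmts in conf["zones"].items():
        # Only zones this server is master for must notify secondaries
        # (skipping hint/slave/forward zones is an assumption of this example).
        if stmts.get("type", "").lower() not in ("master", "primary"):
            continue
        if stmts.get("notify", "").lower() != "explicit":
            findings.append(f'zone {zone}: "notify explicit" missing')
        if "also-notify" not in stmts:
            findings.append(f'zone {zone}: "also-notify" statement missing')
            continue
        for target in also_notify_targets(stmts["also-notify"]):
            try:
                ip = str(ipaddress.ip_address(target))
            except ValueError:
                # acl names, "any", "none": cannot be verified against the inventory
                findings.append(f'zone {zone}: also-notify entry "{target}" is not an IP address; verify manually')
                continue
            if ip not in authorized.get(zone, set()):
                findings.append(f"zone {zone}: also-notify target {ip} is not an authorized secondary")
    return findings


if __name__ == "__main__":
    for label, conf in (("compliant", COMPLIANT_CONF), ("non-compliant", NONCOMPLIANT_CONF)):
        print(label, check_notify(conf, AUTHORIZED_SECONDARIES) or "no findings")
```

Run against a real file with `check_notify(open("/etc/named.conf").read(), inventory)`; a non-empty list is the set of findings to record. Entries that are acl names or the keywords `any`/`none` are reported for manual review because the script cannot tell which hosts they expand to, and that is exactly the case where an over-broad list would notify servers that are not authorized for the zone.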