
The secondary name servers in a BIND 9.x implementation must be configured to disable zone update notifications.


Overview

Finding ID: V-72411
Version: BIND-9X-001058
Rule ID: SV-87035r1_rule
IA Controls:
Severity: Low
Description
It is important to maintain the integrity of a zone file. The serial number of the SOA record is used to indicate to secondary name servers that a change to the zone has occurred and a zone transfer should be performed. The serial number in the SOA record gives the DNS administrator a way to verify the integrity of the zone file based on the serial number of the last update and to ensure that all slave servers are using the correct zone file.
STIG: BIND 9.x Security Technical Implementation Guide
Date: 2017-05-26

Details

Check Text (C-72615r1_chk)
If this is a master name server, this is Not Applicable.

On a secondary name server, verify that the name server is configured to disable zone update notifications.

Inspect the "named.conf" file for the following:

options {
notify no;
};

If the "notify" statement is missing, this is a finding.

If the "notify" statement is set to "yes", this is a finding.

Inspect each zone statement for the following:

zone example.com {
allow-notify { none; };
};

If the "allow-notify" statement is missing, this is a finding.

If the "allow-notify" statement is not configured to "none", this is a finding.
Fix Text (F-78767r1_fix)
Configure the "notify" sub statement in the "options" statement block to "no":

options {
notify no;
};

Configure the "allow-notify" substatement in the zone statement block to disallow zone transfer notifications to authorized secondary name servers:

zone example.com {
allow-notify { none; };
};

Restart the BIND 9.x process.
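The check text above, turned into an audit script as an added example (not part of the STIG or of BIND's own tooling): it strips named.conf comments, walks the top-level options and zone blocks with brace matching, and reports exactly the findings the check text defines. The sample configuration is constructed, and the function names are this example's own.

```python
import re
# Constructed sample named.conf for a secondary server (not taken from the STIG page):
# example.com is compliant, while the options block and example.net are findings.
SAMPLE_CONF = '''
options {
    notify yes;  // the STIG wants "no" on a secondary
};
zone "example.com" IN {
    type slave;
    masters { 192.0.2.1; };
    allow-notify { none; };
};
zone "example.net" {
    type slave;
    allow-notify { 192.0.2.9; };  /* anything other than "none" is a finding */
};
'''
BLOCK_RE = re.compile(r'\b(options|zone)\b\s*("[^"]*"|[^\s{;]+)?(?:\s+\w+)?\s*{')

def top_level_blocks(text):
    """(keyword, name, body) per top-level options/zone block; braces are matched so
    nested masters { } stay in the body; zones inside view { } are skipped (assumption)."""
    blocks, pos = [], 0
    while (m := BLOCK_RE.search(text, pos)):
        depth, end = 1, m.end()
        while depth and end < len(text):
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        blocks.append((m.group(1), (m.group(2) or "").strip('"'), text[m.end():end - 1]))
        pos = end
    return blocks

def stig_findings(conf):
    """V-72411 check text: options needs 'notify no;', every zone 'allow-notify { none; };'."""
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)              # drop /* */ comments
    blocks = top_level_blocks(re.sub(r"(//|#)[^\n]*", "", text))   # drop // and # comments
    findings, opts = [], "".join(b for k, _, b in blocks if k == "options")
    notify = re.search(r"(?<![\w-])notify\s+([\w-]+)\s*;", opts)   # skip also-notify
    if notify is None:
        findings.append('options: "notify" statement is missing')
    elif notify.group(1) == "yes":
        findings.append('options: "notify" is set to "yes"')
    for name, body in [(n, b) for k, n, b in blocks if k == "zone"]:
        m = re.search(r"\ballow-notify\s*{([^}]*)}", body)
        if m is None:
            findings.append(f'zone {name}: "allow-notify" statement is missing')
        elif [t for t in re.split(r"[\s;]+", m.group(1)) if t] != ["none"]:
            findings.append(f'zone {name}: "allow-notify" is not set to "none"')
    return findings
```

Note that in BIND, allow-notify only restricts NOTIFY senders other than a zone's configured masters, which are always permitted, so the setting does not block notifications from the primary itself.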