UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72443 BIND-9X-001113 SV-87067r2_rule Medium
Description
Cryptographic keys are the backbone of securing DNS information over the wire, maintaining DNS data integrity, and the providing the ability to validate DNS information that is received. When a cryptographic key is utilized by a DNS server for a long period of time, the likelihood of compromise increases. A compromised key set would allow an attacker to intercept and possibly inject comprised data into the DNS server. In this compromised state, the DNS server would be vulnerable to DoS attacks, as well as being vulnerable to becoming a launching pad for further attacks on an organizations network.
STIG Date
BIND 9.x Security Technical Implementation Guide 2018-01-02

Details

Check Text ( C-72645r2_chk )
With the assistance of the DNS Administrator, identify all of the cryptographic key files used by the BIND 9.x implementation.

With the assistance of the DNS Administrator, determine the location of the cryptographic key files used by the BIND 9.x implementation.

# ls –al
-rw-------. 1 named named 76 May 10 20:35 crypto-example.key

If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable.

For DNSSEC Keys:
Verify that the “Created” date is less than one year from the date of inspection:

Note: The date format will be displayed in YYYYMMDDHHMMSS.

# cat | grep -i “created”
Created: 20160704235959

If the “Created” date is more than one year old, this is a finding.

For TSIG Keys:

Verify with the ISSO/ISSM that the TSIG keys are less than one year old.

If a TSIG key is more than one year old, this is a finding.
Fix Text (F-78797r1_fix)
Generate new DNSSEC and TSIG keys.

For DNSSEC keys:

Use the newly generated keys to resign all of the zone files on the name server.

For TSIG keys:

Update the named.conf file with the new keys.

Restart the BIND 9.X process.