UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72431 BIND-9X-001106 SV-87055r1_rule Medium
Description
Server-to-server (zone transfer) transactions are provided by TSIG, which enforces mutual server authentication using a key that is unique to each server pair (TSIG), thus uniquely identifying the other server. Enforcing separate TSIG key-pairs provides another layer of protection for the BIND implementation in the event that a TSIG key is compromised. This additional layer of security provides the DNS administrators with the ability to change a compromised TSIG key with a minimal disruption to DNS operations. Failure to identify devices and authenticate devices can lead to malicious activity, such as a Man-In-The-Middle attack where an attacker could pose as an authorized name server, and redirect legitimate customers to malicious websites. A failure on this part could also lead to a Denial of Service of any and all DNS services provided to an organizations network infrastructure.
STIG Date
BIND 9.x Security Technical Implementation Guide 2018-04-03

Details

Check Text ( C-72631r1_chk )
Verify that the BIND 9.x server is configured to utilize separate TSIG key-pairs when securing server-to-server transactions.
Inspect the "named.conf" file for the presence of TSIG key statements:

On the master name server, this is an example of a configured key statement:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

zone "disa.mil" {
type master;
file "db.disa.mil";
allow-transfer { key tsig_example.; };
};

On the slave name server, this is an example of a configured key statement:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

server {
keys { tsig_example };
};

zone "disa.mil" {
type slave;
masters { ; };
file "db.disa.mil";
};

Verify that each TSIG key-pair listed is only used by a single key statement:
# cat

If any TSIG key-pair is being used by more than one key statement, this is a finding.
Fix Text (F-78783r1_fix)
Create a separate TSIG key-pair for each key statement listed in the named.conf file.

Configure the name server to utilize separate TSIG key-pairs for each key statement listed in the named.conf file.

Restart the BIND 9.x process.