UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A BIND 9.x server validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days and no more than one week.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72501 BIND-9X-001600 SV-87125r2_rule Medium
Description
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing.
STIG Date
BIND 9.x Security Technical Implementation Guide 2019-12-18

Details

Check Text ( C-72703r2_chk )
If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify the RRSIGs that cover the DNSKEY resource record set for each zone.

Each record will list an expiration and inception date, the difference of which will provide the validity period.

The dates are listed in the following format:

YYYYMMDDHHMMSS

For each RRSIG identified, verify that the validity period is no less than two days and is no longer than seven days.

If the validity period is outside of the specified range, this is a finding.
Fix Text (F-78857r1_fix)
Resign each zone that is outside of the validity period.

Restart the BIND 9.x process.