
The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.


Overview

Finding ID: V-207576
Version: BIND-9X-001150
Rule ID: SV-207576r612253_rule
IA Controls:
Severity: High
Description
The private key in the KSK key pair must be protected from unauthorized access. The private key should be stored off-line (with respect to the Internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. Failure to protect the private KSK may have significant effects on the overall security of the DNS infrastructure. A compromised KSK could lead to an inability to detect unauthorized DNS zone data resulting in network traffic being redirected to a rogue site.
STIG: BIND 9.x Security Technical Implementation Guide
Date: 2021-06-23

Details

Check Text ( C-7831r283782_chk )
If the server is in a classified network, this is Not Applicable.

Ensure that no private KSKs are stored on the name server.

With the assistance of the DNS Administrator, obtain a list of all DNSSEC private keys that are stored on the name server.

Inspect the signed zone file(s) and identify the KSK by its DNSKEY record. A KSK carries the flags value 257 (the ZONE and SEP bits), whereas a ZSK carries 256; the two fields that follow are the protocol (always 3) and the algorithm number (8 is RSASHA256):

DNSKEY 257 3 8 (

Verify that none of the identified private keys are KSKs. dnssec-keygen names its key files K<zone>.+<algorithm>+<key tag>.private, so the key tag in the file name can be matched against the key id of the DNSKEY record with flags 257 in the signed zone. An example private KSK would look like the following:

Kexample.com.+008+52807.private

If there are private KSKs stored on the name server, this is a finding.
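The check above, scripted as an added example (this is not part of the STIG and not code from the BIND project): it walks a key directory, reads the flags field from each key's public half (the .key file), and reports every .private file whose public half is a KSK. The key directory path, the key-directory option reference and the two constructed key pairs mentioned in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the STIG check above; not part of the STIG or of BIND.
# Assumes the dnssec-keygen naming scheme K<zone>.+<alg>+<keytag>.key / .private
# (the .key file holds the public DNSKEY RR; its flags field is 257 for a KSK,
# 256 for a ZSK). The directory passed in is whatever the server uses, e.g. the
# key-directory option in named.conf (an assumption, not a fixed path).

# Print the DNSKEY flags field from a .key file, skipping ';' comment lines.
dnskey_flags() {
    awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1"
}

# List every .private file under $1 that belongs to a KSK, plus any .private
# file whose public half is missing (it cannot be classified automatically).
find_private_ksks() {
    for priv in "$1"/K*.private; do
        [ -f "$priv" ] || continue          # no match: the glob stays literal
        pub="${priv%.private}.key"
        if [ ! -f "$pub" ]; then
            echo "$priv (no .key file; inspect manually)"
            continue
        fi
        flags=$(dnskey_flags "$pub")
        if [ "$flags" = 257 ]; then
            echo "$priv (flags 257)"
        fi
    done
}

# Return 0 when the directory holds no private KSK material, 1 (a finding) otherwise.
check_ksk_finding() {
    hits=$(find_private_ksks "$1")
    if [ -n "$hits" ]; then
        echo "FINDING: private KSK material present on this name server:"
        echo "$hits"
        return 1
    fi
    echo "OK: no private KSKs in $1"
    return 0
}

# Usage (directory is an assumption): . ./ksk-check.sh && check_ksk_finding /etc/bind/keys
```

Source the file on the name server and call check_ksk_finding with the server's key directory; a non-zero exit means KSK private material is present and the finding applies. A .private file without its .key counterpart is listed for manual review rather than silently passed, since the private-key file format does not carry the flags field.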
Fix Text (F-7831r283783_fix)
Remove all private KSKs from the name server and ensure that they are stored offline in a secure location.