UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS administrator, when implementing DNSSEC, will create and maintain separate key-pairs for key signing and zone signing.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14759 DNS4640 SV-15516r2_rule ECSC-1 Low
Description
DNSSEC specifies generation and verification of digital signatures using asymmetric keys. This requires generation of a public key-private key pair. Although the DNSSEC specification does not call for different keys (just one key pair), experience from pilot implementations suggests that for easier routine security administration operations such as key rollover (changing of keys) and zone re-signing, at least two different types of keys are needed.
STIG Date
BIND DNS 2013-01-10

Details

Check Text ( C-43441r2_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

Instruction: : Examine the DNSKEY records in the zone file. At least two should exist and display different keys in the eighth field. If at least two different keys are not displayed, this is a finding.

example.com. 86400 IN DNSKEY 256 3 1 aghaghnl;knatnjkga;agn;g’a

example.com. 86400 IN DNSKEY 256 3 1 qrupotqtuipqtiqptouqptuqvi1
Fix Text (F-14237r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen –n ZONE –a RSASHA1 –b 2048 example.com