
The DNSSEC algorithm for digital signatures is not RSASHA1.


Overview

Finding ID: V-14760
Version: DNS4650
Rule ID: SV-15517r2_rule
IA Controls: ECSC-1
Severity: Low
Description
Due to its wide availability and performance, RSASHA1 is the preferred algorithm for zone signatures.
STIG: BIND DNS
Date: 2013-01-10

Details

Check Text ( C-43440r4_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

Instruction: Examine the DNSKEY record in the zone file. The seventh field (after the owner name, TTL, class, record type, flags, and protocol) is the number of the algorithm used to generate the key.

Here is an example:

example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a

If this number is not a five, then this is a finding.
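The check above, as an added example that is not part of the STIG text: it reads DNSKEY records from a constructed zone-file fragment and reports every key whose algorithm number is not 5. Rather than counting to the seventh field, it locates the DNSKEY token and reads the three RDATA fields that follow it, so it generalizes slightly to records that omit the TTL or class or that inherit the owner name from the previous line; the sample records and their key material are placeholders.

```python
# Constructed sample zone-file fragment (not from the STIG); key material is placeholder text.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
example.com.  86400 IN DNSKEY 256 3 5  AwEAAc...placeholder   ; ZSK, RSASHA1
example.com.  86400 IN DNSKEY 257 3 8  AwEAAd...placeholder   ; KSK, RSASHA256
@                   DNSKEY 256 3 13 oJMRES...placeholder   ; TTL and class omitted
example.com.  86400 IN A      192.0.2.1
; a comment line
"""

# IANA DNSSEC algorithm numbers, used only to label the report.
ALGORITHM_NAMES = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
                   7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
                   12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
                   15: "ED25519", 16: "ED448"}
REQUIRED_ALGORITHM = 5  # the value this STIG rule expects


def parse_dnskeys(zone_text):
    """Return (owner, flags, protocol, algorithm) for each DNSKEY record in zone_text."""
    keys, last_owner = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip() or line.startswith("$"):
            continue                               # blank lines and directives
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        # A leading blank owner field means "same owner as the previous record".
        owner = last_owner if raw[0].isspace() else fields[0]
        last_owner = owner
        # RDATA after the type is: flags, protocol, algorithm, then base64 key material.
        flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
        keys.append((owner, flags, protocol, algorithm))
    return keys


def check_stig(zone_text):
    """Apply the rule: any DNSKEY whose algorithm is not 5 (RSASHA1) is a finding."""
    findings = []
    for owner, flags, protocol, algorithm in parse_dnskeys(zone_text):
        if algorithm != REQUIRED_ALGORITHM:
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit set -> 257 (KSK), clear -> 256 (ZSK)
            name = ALGORITHM_NAMES.get(algorithm, "unknown")
            findings.append(f"{owner} {role}: algorithm {algorithm} ({name}) is not 5 (RSASHA1)")
    return findings


if __name__ == "__main__":
    for finding in check_stig(SAMPLE_ZONE) or ["No findings"]:
        print(finding)
```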
Fix Text (F-14237r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen -n ZONE -a RSASHA1 -b 2048 example.com