The DNSSEC algorithm for digital signatures is not RSASHA1.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-14760 | DNS4650 | SV-15517r2_rule | ECSC-1 | Low |
| Description |
|---|
| Due to its wide availability and performance, RSASHA1 is the preferred algorithm for zone signatures. |
| STIG | Date |
|---|---|
| BIND DNS | 2013-01-10 |
Details
| Check Text ( C-43440r4_chk ) |
|---|
| This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key. Here is an example: example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a If this number is not a five, then this is a finding. |
| Fix Text (F-14237r1_fix) |
|---|
| Generate a new key pair and update the DNSKEY record with the following: # dnssec-keygen –n ZONE –a RSASHA1 –b 2048 example.com |