Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14760 | DNS4650 | SV-15517r2_rule | ECSC-1 | Low |
Description |
---|
Due to its wide availability and performance, RSASHA1 is the preferred algorithm for zone signatures. |
STIG | Date |
---|---|
BIND DNS | 2013-01-10 |
Check Text ( C-43440r4_chk ) |
---|
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key. Here is an example: example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a If this number is not a five, then this is a finding. |
Fix Text (F-14237r1_fix) |
---|
Generate a new key pair and update the DNSKEY record with the following: # dnssec-keygen –n ZONE –a RSASHA1 –b 2048 example.com |