UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNSSEC key signing key is not at least 2048 bits.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14761 DNS4660 SV-15518r2_rule ECSC-1 Low
Description
The choice of key size is a tradeoff between the risk of key compromise and performance. The performance variables are signature generation and verification times. The size of the DNS response packet also is a factor because DNSKEY RRs may be sent in the additional section of the DNS response. Because the KSK is used only for signing the key set (DNSKEY RRSet), performance is not much of an issue. Compromise of a KSK could have a great impact, however, because the KSK is the entry point key for a zone. Rollover of a KSK in the event of a compromise involves potential update of trust anchors in many validating resolvers. Hence, a large key size is recommended for the KSK. A large key size decreases the chances of the key compromise and avoids the need for frequent rollovers as each rollover requires administrative monitoring and follow-up action.
STIG Date
BIND DNS 2013-01-10

Details

Check Text ( C-43443r2_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

Instruction: Examine the public key record type DNSKEY in the zone file. The actual key contained in the file utilizing the RSA algorithm and a key size of 2048 bits will contain 351 characters. If the key does not appear to contain at 351 characters, then this is a finding.
Fix Text (F-14238r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen –n ZONE –a RSA –b 2048 example.com