Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14764 | DNS4680 | SV-15521r2_rule | ECSC-1 | Low |
Description |
---|
As far as the choice of key size for the ZSK is concerned, performance certainly will be a factor because the ZSK is used for signing all RRsets in the zone. In terms of impact, however, it is restricted to just a single zone because the ZSK's usage is limited to signing RRsets only for that zone, not to providing authenticated delegation for a child zone. Hence, a key size smaller than that for the KSK can be used for the ZSK. |
STIG | Date |
---|---|
BIND DNS | 2013-01-10 |
Check Text ( C-43445r2_chk ) |
---|
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. BIND Instruction: Examine the public key record type DNSKEY in the zone file. The actual key contained in the file utilizing the RSA algorithm and a key size of 1024 bits will contain 180 characters. If the key does not appear to contain at least 180 characters, then this is a finding. |
Fix Text (F-14240r1_fix) |
---|
Generate a new key pair and update the DNSKEY record with the following: # dnssec-keygen -n ZONE -a RSA -b 1024 example.com |
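The check above asks the reviewer to eyeball the length of the DNSKEY text. The following script, added here as an example and not part of the STIG, automates that review over zone-file text: it finds each RSA DNSKEY, tells KSK from ZSK by the SEP flag, and decodes the RFC 3110 key to read the modulus size directly, which is exact where the base64 character count (which also depends on the exponent length) is only a quick screen. The sample zone and its moduli are constructed for illustration, not real keys.

```python
import base64
import re

# RSA-based DNSSEC algorithm numbers from the IANA registry; other algorithms are skipped.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}
MIN_ZSK_BITS = 1024  # the ZSK size this STIG check expects

def rfc3110_blob(exponent: int, modulus: int) -> bytes:
    """Encode an RSA public key in DNSKEY wire format (RFC 3110): exponent length, exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    length = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return length + e + n

def rsa_modulus_bits(blob: bytes) -> int:
    """Return the modulus size in bits of an RFC 3110 encoded RSA public key."""
    exp_len, offset = blob[0], 1
    if exp_len == 0:  # exponents longer than 255 bytes carry a two-byte length instead
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    return int.from_bytes(blob[offset + exp_len:], "big").bit_length()

DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

def audit_dnskeys(zone_text: str) -> list:
    """Report every RSA DNSKEY in zone-file text; a ZSK below MIN_ZSK_BITS is a finding."""
    # Drop ';' comments, then join parenthesised multi-line RRs into one logical line.
    text = "\n".join(ln.split(";", 1)[0] for ln in zone_text.splitlines())
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    results = []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m or int(m.group(4)) not in RSA_ALGORITHMS:
            continue
        flags, key_b64 = int(m.group(2)), "".join(m.group(5).split())
        role = "KSK" if flags & 1 else "ZSK"  # SEP bit set (257) marks the KSK; 256 is a ZSK
        bits = rsa_modulus_bits(base64.b64decode(key_b64))
        results.append({"owner": m.group(1), "role": role, "algorithm": RSA_ALGORITHMS[int(m.group(4))],
                        "base64_chars": len(key_b64), "modulus_bits": bits,
                        "finding": role == "ZSK" and bits < MIN_ZSK_BITS})
    return results

# Constructed sample zone: the moduli are just numbers of the right size, not real keys.
_WEAK_N, _OK_N = (1 << 511) | 0x2B2B, (1 << 1023) | 0x2B2B
def _b64(n): return base64.b64encode(rfc3110_blob(65537, n)).decode()
SAMPLE_ZONE = f"""$ORIGIN example.com.
@  3600 IN DNSKEY 257 3 8 {_b64(_OK_N)} ; KSK
@  3600 IN DNSKEY 256 3 8 ( {_b64(_WEAK_N)[:60]}
                            {_b64(_WEAK_N)[60:]} ) ; ZSK, too small, split across lines
@  3600 IN DNSKEY 256 3 8 {_b64(_OK_N)} ; compliant 1024-bit ZSK
"""

if __name__ == "__main__":
    for record in audit_dnskeys(SAMPLE_ZONE):
        print(record)
```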