
The DNSSEC zone signing key size is not at least 1024 bits.


Overview

Finding ID: V-14764
Version: DNS4680
Rule ID: SV-15521r2_rule
IA Controls: ECSC-1
Severity: Low
Description
As far as the choice of key size for the ZSK is concerned, performance will certainly be a factor, because the ZSK is used for signing all RRsets in the zone. In terms of impact, however, the ZSK is restricted to a single zone: it is used only for signing that zone's RRsets, not for providing authenticated delegation to a child zone. Hence, a key size smaller than that of the KSK can be used for the ZSK.
STIG: BIND DNS
Date: 2013-01-10

Details

Check Text ( C-43445r2_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

BIND
Instruction: Examine the public key record type DNSKEY in the zone file. A key in that file using the RSA algorithm with a key size of 1024 bits will contain 180 characters. If the key does not appear to contain at least 180 characters, then this is a finding.
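The check above estimates key size from the length of the base64 text in the DNSKEY record. The following Python script, added here as an illustration and not part of the STIG or of BIND, performs the same check directly: it parses DNSKEY lines from a zone file, decodes the RFC 3110 key material (exponent length, exponent, modulus), and reports the modulus size in bits for each zone-signing key (flags 256) so the 1024-bit minimum can be verified without relying on a character count. The zone lines and the key moduli in SAMPLE_ZONE are constructed for the example; they are not real keys.

```python
import base64

# DNSKEY flags field: 256 = zone key (ZSK); 257 = zone key with the SEP bit (KSK).
ZSK_FLAGS = 256
KSK_FLAGS = 257
# DNSSEC algorithm numbers whose public key is carried in RFC 3110 RSA format
# (RSAMD5, RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512).
RSA_ALGORITHMS = {1, 5, 7, 8, 10}


def rfc3110_encode(exponent: int, modulus: int) -> bytes:
    """Serialise an RSA public key in RFC 3110 DNSKEY key-material layout."""
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(exp_bytes) < 256:
        length_field = bytes([len(exp_bytes)])          # one-byte exponent length
    else:
        length_field = b"\x00" + len(exp_bytes).to_bytes(2, "big")  # 0 + two-byte length
    return length_field + exp_bytes + mod_bytes


def rfc3110_modulus_bits(key_material: bytes) -> int:
    """Return the RSA modulus size in bits from RFC 3110 key material."""
    if key_material[0] != 0:
        exp_len, offset = key_material[0], 1
    else:
        exp_len, offset = int.from_bytes(key_material[1:3], "big"), 3
    modulus = key_material[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(rr_line: str) -> dict:
    """Parse one zone-file DNSKEY line (owner [TTL] [IN] DNSKEY flags proto alg base64...)."""
    tokens = rr_line.split(";")[0].split()     # drop a trailing zone-file comment
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    b64 = "".join(tokens[idx + 4:])            # key material may be split across tokens
    material = base64.b64decode(b64)
    bits = rfc3110_modulus_bits(material) if algorithm in RSA_ALGORITHMS else None
    return {"owner": tokens[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "base64_length": len(b64), "modulus_bits": bits}


def check_zsk_key_sizes(zone_lines, minimum_bits: int = 1024):
    """Return (owner, bits) for every RSA ZSK whose modulus is below minimum_bits."""
    findings = []
    for line in zone_lines:
        if "DNSKEY" not in line.split(";")[0]:
            continue
        rec = parse_dnskey(line)
        if rec["flags"] == ZSK_FLAGS and rec["modulus_bits"] is not None \
                and rec["modulus_bits"] < minimum_bits:
            findings.append((rec["owner"], rec["modulus_bits"]))
    return findings


# Constructed sample zone: the moduli are synthetic numbers of the stated bit
# length (not real keys) so the script runs offline.
_KSK_MODULUS = (1 << 2047) | 0x10001   # exactly 2048 bits
_ZSK_MODULUS = (1 << 1023) | 0x10001   # exactly 1024 bits
_WEAK_MODULUS = (1 << 511) | 0x10001   # exactly 512 bits


def _rr(flags: int, modulus: int, note: str) -> str:
    key = base64.b64encode(rfc3110_encode(65537, modulus)).decode()
    return f"example.com. 3600 IN DNSKEY {flags} 3 8 {key} ; {note}"


SAMPLE_ZONE = [
    "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600",
    _rr(KSK_FLAGS, _KSK_MODULUS, "KSK"),
    _rr(ZSK_FLAGS, _ZSK_MODULUS, "ZSK, compliant"),
    _rr(ZSK_FLAGS, _WEAK_MODULUS, "ZSK, below the 1024-bit minimum"),
]

if __name__ == "__main__":
    for line in SAMPLE_ZONE:
        if "DNSKEY" in line:
            rec = parse_dnskey(line)
            print(f"{rec['owner']} flags={rec['flags']} alg={rec['algorithm']} "
                  f"base64_chars={rec['base64_length']} modulus_bits={rec['modulus_bits']}")
    for owner, bits in check_zsk_key_sizes(SAMPLE_ZONE):
        print(f"FINDING: ZSK for {owner} is {bits} bits (< 1024)")
```

Run it against a real zone by reading the zone file into a list of lines and passing that to check_zsk_key_sizes; an empty result means every RSA ZSK meets the 1024-bit minimum. Keys using non-RSA algorithms are reported with modulus_bits of None, since their key material is not in RFC 3110 format and needs a separate check.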
Fix Text (F-14240r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen -n ZONE -a RSA -b 1024 example.com