Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The DNSSEC algorithm for digital signatures is not RSASHA1.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-14760 | DNS4650 | SV-15517r2_rule | ECSC-1 | Low |
| Description |
|---|
| Due to its wide availability and performance, RSASHA1 is the preferred algorithm for zone signatures. |
| STIG | Date |
|---|---|
| BIND DNS | 2013-04-12 |
Details
| Check Text ( C-43440r4_chk ) |
|---|
| This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key. Here is an example: example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a If this number is not a five, then this is a finding. |
| Fix Text (F-14237r1_fix) |
|---|
| Generate a new key pair and update the DNSKEY record with the following: # dnssec-keygen –n ZONE –a RSASHA1 –b 2048 example.com |