UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS software administrator has not utilized at least 160 bit HMAC-SHA1 keys if available.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4493 DNS0705 SV-4493r1_rule DCNR-1 Low
Description
SHA-1 is the algorithm currently specified in the National Institute of Standards and Technology's (NISTs) Secure Hashing Standard (FIPS 180-1) and required throughout DoD. HMAC-MD5 will be replaced with HMAC-SHA1 or higher when available for DNS TSIG applications. In general, only NIST or National Security Agency (NSA) approved algorithms should be utilized in the DoD computing infrastructure. The US Government currently requires SHA-1 for hashing applications. It is considered an improvement over MD5, for which there are known instances of collisions.
STIG Date
BIND DNS 2013-04-12

Details

Check Text ( C-3374r1_chk )
There is to be a properly configured key statement located in the named.conf file.

BIND now supports HMAC-SHA1 and organizations are will be required to migrate to this algorithm or greater when operating system vendors add the capability.

An example of a properly configured key statement in practice might be:

key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil {
algorithm hmac-sha1;
include “/etc/dns/keys/ns1_ns2.key”;
};

If the key statement is not configured, this is a finding.

If the key statement is not configured to implement least HMAC-SHA1, this is a finding.

Note: rndc does not yet support the use of SHA-1; therefore, HMAC-MD5 is acceptable until such time that SHA support is available.

Fix Text (F-4378r1_fix)
The DNS software administrator should include the phrase algorithm HMAC-SHA1 , HMAC-MD5 or greater in each key statement depending upon which is currently available.