UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNSSEC algorithm for digital signatures must be RSASHA1, RSASHA256, or RSASHA512.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14760 DNS4650 SV-15517r3_rule ECSC-1 Low
Description
MD5 is not collision resistant; therefore, RSAMD5 is not permitted for use in DNSSEC. RSASHA1 is the minimum algorithm for zone signatures. SHA2-based algorithms RSASHA256 and RSASHA512 offer greater security and are preferred over RSASHA1.
STIG Date
BIND DNS 2013-10-09

Details

Check Text ( C-47003r1_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key.

Here is an example:

example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a

If this number is not a five, eight, or ten, then this is a finding.
Fix Text (F-14237r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen –n ZONE –a RSASHA1 –b 2048 example.com