UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNSSEC zone signing key size is not at least 1024 bits.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14764 DNS4680 SV-15521r2_rule ECSC-1 Low
Description
As far as the choice of key size for the ZSK is concerned, performance certainly will be a factor because the ZSK is used for signing all RRsets in the zone. In terms of impact, however, it is restricted to just a single zone because the ZSKs usage is limited to signing RRsets only for that zone but not for providing authenticated delegation for a child zone. Hence, a key size smaller than that for the KSK can be used for the ZSK.
STIG Date
BIND DNS 2013-10-09

Details

Check Text ( C-43445r2_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

BIND
Instruction: Examine the public key record type DNSKEY in the zone file. The actual key contained in the file utilizing the RSA algorithm and key size of 1024 bits will contain 180 characters. If the key does not appear to contain at 180 characters, then this is a finding.
Fix Text (F-14240r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen –n ZONE –a RSA –b 1024 example.com