A cryptographic key used to secure DNS transactions has been utilized on a name server for more than one year.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4480	DNS0445	SV-4480r1_rule	DCNR-1	Medium

Description
Keys are more likely to be compromised if they remain in use for over a year.

STIG	Date
BIND DNS STIG	2014-04-01

Details

Check Text ( C-3526r1_chk )
BIND Instruction: With the SA’s assistance, the reviewer should locate the file directory that contains the TSIG keys (i.e., /etc/dns/keys/) and then list the files in that directory (e.g., by using the UNIX ls –l command). The key statements in named.conf will provide the location of the key files. If any of them have a last modified time stamp that is more than one year old, then this is a finding.

Check Text ( C-3526r1_chk )

BIND

Instruction: With the SA’s assistance, the reviewer should locate the file directory that contains the TSIG keys (i.e., /etc/dns/keys/) and then list the files in that directory (e.g., by using the UNIX ls –l command). The key statements in named.conf will provide the location of the key files. If any of them have a last modified time stamp that is more than one year old, then this is a finding.

Fix Text (F-4365r1_fix)
The IAO should execute the organizations procedure for TSIG key supersession.