
The DNS administrator, when implementing DNSSEC, will create and maintain separate key-pairs for key signing and zone signing.


Overview

Finding ID: V-14759
Version: DNS4640
Rule ID: SV-15516r2_rule
IA Controls: ECSC-1
Severity: Low
Description
DNSSEC specifies generation and verification of digital signatures using asymmetric keys. This requires generation of a public key-private key pair. Although the DNSSEC specification does not call for different keys (just one key pair), experience from pilot implementations suggests that for easier routine security administration operations such as key rollover (changing of keys) and zone re-signing, at least two different types of keys are needed.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text ( C-43441r2_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

Instruction: Examine the DNSKEY records in the zone file. At least two should exist and display different keys in the eighth field (the public key data). If at least two different keys are not displayed, this is a finding.

example.com. 86400 IN DNSKEY 256 3 1 aghaghnl;knatnjkga;agn;g'a
example.com. 86400 IN DNSKEY 256 3 1 qrupotqtuipqtiqptouqptuqvi1
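The check above is easy to script. The following is an added example, not part of the STIG or of BIND: it parses DNSKEY records out of a BIND-style zone file, applies the rule as written (at least two records with different key data in the eighth field), and additionally reports whether the published keys include both a key-signing key (flags field 257) and a zone-signing key (flags field 256), which is what separate KSK/ZSK pairs look like once generated. The zone data embedded below is constructed for the example; the key material is placeholder text, not real keys.

```python
"""Compliance check for the DNSSEC key-separation rule (V-14759).

Added example (not the STIG's or BIND's own code). Parses DNSKEY
records from zone-file text and reports whether the rule's check
passes, plus whether a KSK (257) and a ZSK (256) are both present.
"""
import re
from collections import namedtuple

DnsKey = namedtuple("DnsKey", "owner flags protocol algorithm pubkey")

# Constructed sample zone (not a real zone): one KSK and one ZSK for
# example.com, plus unrelated records and comments to be skipped.
SAMPLE_ZONE = """\
$TTL 86400
example.com.  IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 86400
example.com.  IN NS  ns1.example.com.
; key-signing key (flags 257)
example.com.  86400 IN DNSKEY 257 3 8 AwEAAcKSKPLACEHOLDERKEYDATA1
; zone-signing key (flags 256)
example.com.  86400 IN DNSKEY 256 3 8 AwEAAcZSKPLACEHOLDERKEYDATA2
"""

# owner [ttl] [class] DNSKEY flags protocol algorithm pubkey
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<protocol>\d+)\s+(?P<algorithm>\d+)\s+(?P<pubkey>.+)$",
    re.IGNORECASE,
)


def parse_dnskeys(zone_text):
    """Return the DNSKEY records found in zone_text as DnsKey tuples."""
    keys = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            continue
        keys.append(DnsKey(
            owner=m.group("owner").lower(),
            flags=int(m.group("flags")),
            protocol=int(m.group("protocol")),
            algorithm=int(m.group("algorithm")),
            # base64 key data may be split into whitespace-separated chunks
            pubkey="".join(m.group("pubkey").split()),
        ))
    return keys


def evaluate(keys):
    """Apply the STIG check and report KSK/ZSK separation.

    'finding' follows the rule text: fewer than two distinct keys in the
    public-key field is a finding. 'has_ksk'/'has_zsk' go one step further
    and show whether a 257 and a 256 key are both published.
    """
    distinct_keys = {k.pubkey for k in keys}
    flags = {k.flags for k in keys}
    return {
        "dnskey_records": len(keys),
        "distinct_keys": len(distinct_keys),
        "finding": len(distinct_keys) < 2,
        "has_ksk": 257 in flags,
        "has_zsk": 256 in flags,
    }


if __name__ == "__main__":
    result = evaluate(parse_dnskeys(SAMPLE_ZONE))
    status = "FINDING" if result["finding"] else "not a finding"
    print(f"{status}: {result}")
```

Run it against a real zone by reading the file into `parse_dnskeys` instead of `SAMPLE_ZONE`. A zone that merely repeats the same DNSKEY record twice still counts as a finding, because the check is on distinct key data, not on record count.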
Fix Text (F-14237r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen -n ZONE -a RSASHA1 -b 2048 example.com