
The DNSSEC algorithm for digital signatures must be RSASHA1, RSASHA256, or RSASHA512.


Overview

Finding ID: V-14760
Version: DNS4650
Rule ID: SV-15517r3_rule
IA Controls: ECSC-1
Severity: Low
Description
MD5 is not collision resistant; therefore, RSAMD5 is not permitted for use in DNSSEC. RSASHA1 is the minimum algorithm for zone signatures. SHA2-based algorithms RSASHA256 and RSASHA512 offer greater security and are preferred over RSASHA1.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text ( C-47003r1_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key.

Here is an example:

example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a

If this number is not 5 (RSASHA1), 8 (RSASHA256), or 10 (RSASHA512), then this is a finding.
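As an added example (not part of the STIG or of BIND), the following Python audit applies the check text above to a zone file. It goes slightly beyond the fixed seventh-field rule by locating the DNSKEY token, so records that omit the TTL or class are handled as well; the sample zone is constructed and its key material is a placeholder, and the algorithm name table is taken from the IANA DNSSEC algorithm number registry.

```python
# Added example: audit DNSKEY records against the rule that the
# algorithm number must be 5, 8 or 10 (RSASHA1, RSASHA256, RSASHA512).

# Algorithm numbers from the IANA DNSSEC algorithm registry (subset).
ALGORITHM_NAMES = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
PERMITTED = {5, 8, 10}  # the only values the check text accepts


def parse_dnskey_records(zone_text):
    """Return (owner, flags, protocol, algorithm) for each DNSKEY RR.
    The DNSKEY token is located by name rather than by column, so a
    record without TTL or CLASS still yields the algorithm number."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if i == 0 or len(fields) < i + 4:
            continue                                # malformed; skip it
        try:
            flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        except ValueError:
            continue
        records.append((fields[0], flags, proto, alg))
    return records


def audit_dnskeys(zone_text):
    """Return one finding string per DNSKEY whose algorithm is not permitted."""
    findings = []
    for owner, flags, _proto, alg in parse_dnskey_records(zone_text):
        if alg not in PERMITTED:
            name = ALGORITHM_NAMES.get(alg, "unassigned")
            ktype = "KSK" if flags & 1 else "ZSK"   # SEP bit marks a KSK
            findings.append(f"{owner} {ktype} uses algorithm {alg} ({name})")
    return findings


# Constructed sample zone fragment; the key data is a placeholder string.
SAMPLE_ZONE = """\
example.com. 86400 IN DNSKEY 256 3 5 AwEAAc...placeholder...
example.com. 86400 IN DNSKEY 257 3 1 AwEAAc...placeholder...
example.com. IN DNSKEY 256 3 8 AwEAAc...placeholder...  ; TTL omitted
"""

if __name__ == "__main__":
    for finding in audit_dnskeys(SAMPLE_ZONE) or ["no findings"]:
        print(finding)
```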
Fix Text (F-14237r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen -n ZONE -a RSASHA1 -b 2048 example.com