Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14760 | DNS4650 | SV-15517r3_rule | ECSC-1 | Low |
Description |
---|
MD5 is not collision resistant; therefore, RSAMD5 is not permitted for use in DNSSEC. RSASHA1 is the minimum algorithm for zone signatures. SHA2-based algorithms RSASHA256 and RSASHA512 offer greater security and are preferred over RSASHA1. |
STIG | Date |
---|---|
BIND DNS STIG | 2015-10-01 |
Check Text ( C-47003r1_chk ) |
---|
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key. Here is an example: example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a If this number is not a five, eight, or ten, then this is a finding. |
Fix Text (F-14237r1_fix) |
---|
Generate a new key pair and update the DNSKEY record with the following: # dnssec-keygen –n ZONE –a RSASHA1 –b 2048 example.com |