
The DNSSEC zone signing key minimum roll over period is not at least 60 days.


Overview

Finding ID: V-14765
Version: DNS4690
Rule ID: SV-15522r2_rule
IA Controls: ECSC-1
Severity: Low
Description
In the case of the ZSK, the risk of key guessing is higher because of its larger key exposure. The exposure is larger because the number of signature sets generated is very large: the ZSK signs all RRsets in a zone, and those RRsets change much more frequently than the DNSKEY RRset, so many fresh signatures are produced. Combined with the relatively smaller size of the key, this means ZSKs must be rolled over more frequently than KSKs (usually every month or two).
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text ( C-43785r1_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

BIND on UNIX
Instruction: Ask the DNS administrator for the location of the ZSK private key file generated by the dnssec-keygen command. Perform the following:

# ls -la 'private_key_file'
# date

If the difference between the date returned and the date on the file is greater than 60 days, then this is a finding.
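The UNIX check above, automated as an added example (not part of the STIG text). It assumes the key pair follows dnssec-keygen's standard Kname.+alg+id.key / .private naming, uses the file modification time exactly as ls -la does, and builds its own constructed key fixture so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the STIG: automate the UNIX check for DNS4690
# using the same evidence as `ls -la`, the file modification time, which for
# a key written by dnssec-keygen and never edited is its creation time.
MAX_AGE_DAYS=60

# dnssec-keygen writes a pair Kname.+alg+id.key / .private; the .key file
# holds the DNSKEY flags field: 256 marks a zone-signing key, 257 a KSK.
is_zsk() {
    pubfile="${1%.private}.key"
    [ -f "$pubfile" ] && grep -q 'DNSKEY 256 ' "$pubfile"
}

# Print "finding" if the ZSK private key file is older than MAX_AGE_DAYS,
# "ok" otherwise, and "missing" if the path does not exist.
check_zsk_age() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo missing; return 2; }
    # find -mtime +N is true for files modified more than N whole days ago
    if [ -n "$(find "$keyfile" -mtime +"$MAX_AGE_DAYS")" ]; then
        echo finding; return 1
    fi
    echo ok
}

# List every ZSK private key under a key directory that would be a finding;
# KSKs are skipped because this rule covers only ZSK rollover.
stale_zsks() {
    find "$1" -name 'K*.private' -mtime +"$MAX_AGE_DAYS" | while read -r f; do
        is_zsk "$f" && echo "$f" || :
    done
}

# Constructed fixture: a 2015 ZSK, a 2015 KSK and a freshly generated ZSK.
# Key tags and the truncated DNSKEY RDATA are made-up values.
FIXTURE=$(mktemp -d)
for k in 12345:256 23456:257; do
    tag=${k%:*}; flags=${k#*:}
    printf 'example.com. IN DNSKEY %s 3 8 AwEAAexample\n' "$flags" \
        > "$FIXTURE/Kexample.com.+008+$tag.key"
    touch -t 201510010000 "$FIXTURE/Kexample.com.+008+$tag.private"
done
printf 'example.com. IN DNSKEY 256 3 8 AwEAAexample\n' \
    > "$FIXTURE/Kexample.com.+008+34567.key"
touch "$FIXTURE/Kexample.com.+008+34567.private"
OLD_ZSK="$FIXTURE/Kexample.com.+008+12345.private"
OLD_KSK="$FIXTURE/Kexample.com.+008+23456.private"
NEW_ZSK="$FIXTURE/Kexample.com.+008+34567.private"
```

Run check_zsk_age on the path the administrator supplies, or stale_zsks on the whole key directory to sweep every ZSK at once.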

BIND on Windows
Instruction: Ask the DNS administrator for the location of the ZSK private key file generated by the dnssec-keygen command. Perform the following:

Right-click on the file and select Properties.
Select the General tab and view the Created: row, which displays the date of creation.
Check the system date shown in the lower right-hand corner of the display.
Compare the dates; if the difference is greater than 60 days, then this is a finding.
Fix Text (F-14241r1_fix)

Generate new keys with the following command:
# dnssec-keygen -n ZONE -a RSA -b 1024 example.com