
The DNSSEC private key file is not owned by the DNS administrator or the permissions are not set to a minimum of 600.


Overview

Finding ID: V-14766
Version: DNS4700
Rule ID: SV-15523r2_rule
IA Controls: ECSC-1
Severity: High
Description
The private keys in the KSK and ZSK key pairs should be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. The signatures generated by using the private keys should be transferred to the primary authoritative name servers through a load process, using a dynamically established network connection (rather than a permanent network link).
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text ( C-43786r1_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

BIND on UNIX
• Instruction: Ask the DNS administrator for the directory location containing the private key files (for BIND these are the K<zone>.+<algorithm>+<keyid>.private files produced by dnssec-keygen). Perform the following to check the owner and permissions of each file:
# ls -la 'key file'

If the owner of the file is not the DNS administrator, or the permissions are more permissive than 600 (any read, write, or execute bit set for group or other), then this is a finding.

BIND on Windows
• Instruction: Ask the DNS administrator for the directory location containing the private key files. Right-click on the file and select Properties. Under the file properties, select the Security tab. If the Administrators group does not have Full Control, or the DNS service account is not restricted to Read permission, then this is a finding.
Fix Text (F-14242r1_fix)
For UNIX systems (run as root, substituting the DNS administrator account and each private key file):
# chown dnsadmin 'keyfile'
# chmod 600 'keyfile'
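The UNIX check and fix above can be scripted so that every BIND private key in a directory is audited in one pass instead of inspecting files by hand. The following is an added example, not part of the STIG or of BIND; it assumes keys follow BIND's K<zone>.+<algorithm>+<keyid>.private naming, that the expected owner is passed as an argument (e.g. dnsadmin), and it uses only POSIX find, chown and chmod. The demo function builds constructed placeholder key files in a temporary directory (not real key material) to show a finding being raised and then cleared by the fix.

```shell
#!/bin/sh
# Added example (not STIG or BIND code): audit and remediate BIND DNSSEC
# private key files against the V-14766 rule (owner = DNS admin, mode <= 0600).

# check_dnssec_keys DIR OWNER
# Lists every K*.private file under DIR that is not owned by OWNER or that
# has any read/write/execute bit set for group or other, i.e. any mode more
# permissive than 0600. Returns 0 when the directory is clean, 1 when at
# least one finding was printed. Uses -perm -g+r style tests (POSIX) rather
# than GNU's -perm /077 so it also works on BSD find.
check_dnssec_keys() {
    _dir=$1
    _owner=$2
    _bad=$(find "$_dir" -type f -name 'K*.private' \
        \( ! -user "$_owner" \
           -o -perm -g+r -o -perm -g+w -o -perm -g+x \
           -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$_bad" ] && return 0
    printf '%s\n' "$_bad" | while IFS= read -r _f; do
        printf 'FINDING: %s\n' "$(ls -ld "$_f")"
    done
    return 1
}

# fix_dnssec_keys DIR OWNER
# Applies the STIG fix text to every K*.private file under DIR:
# chown OWNER and chmod 600. Must run as root to change ownership to
# another account; chmod on your own files works unprivileged.
fix_dnssec_keys() {
    find "$1" -type f -name 'K*.private' \
        -exec chown "$2" {} \; -exec chmod 600 {} \;
}

# demo_key_audit
# Constructed demonstration: two placeholder key files (assumed zone
# example.test, not real keys), one compliant (0600) and one world-readable
# (0644). Expects the first audit to raise a finding and the audit after
# fix_dnssec_keys to be clean; returns 0 only if both expectations hold.
demo_key_audit() {
    _me=$(id -un)
    _tmp=$(mktemp -d)
    printf 'Private-key-format: v1.3\n' > "$_tmp/Kexample.test.+013+11111.private"
    printf 'Private-key-format: v1.3\n' > "$_tmp/Kexample.test.+013+22222.private"
    chmod 600 "$_tmp/Kexample.test.+013+11111.private"   # compliant
    chmod 644 "$_tmp/Kexample.test.+013+22222.private"   # finding
    if check_dnssec_keys "$_tmp" "$_me"; then
        rm -rf "$_tmp"
        return 1   # expected a finding for the 0644 file
    fi
    fix_dnssec_keys "$_tmp" "$_me"
    if check_dnssec_keys "$_tmp" "$_me"; then _rc=0; else _rc=1; fi
    rm -rf "$_tmp"
    return $_rc
}

demo_key_audit
```

Usage on a real server: `check_dnssec_keys /etc/bind/keys dnsadmin` as part of the check, and `fix_dnssec_keys /etc/bind/keys dnsadmin` as root for the fix. Note that the fix only covers the files under the given directory; keys held offline on the signing host must be checked there as well.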

For Windows systems:
Ask the DNS administrator for the directory location containing the private key files. Right-click on the file and select Properties. Under the file properties, select the Security tab. Ensure the Administrators group has Full Control and the DNS service account has Read permission only.