Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14766 | DNS4700 | SV-15523r2_rule | ECSC-1 | High |
Description |
---|
The private keys in the KSK and ZSK key pairs should be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. The signatures generated by using the private keys should be transferred to the primary authoritative name servers through a load process, using a dynamically established network connection (rather than a permanent network link). |
STIG | Date |
---|---|
BIND DNS STIG | 2015-10-01 |
Check Text (C-43786r1_chk) |
---|
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. |

BIND on UNIX

Instruction: Ask the DNS administrator for the directory location containing the private key files. Perform the following to check the permissions:

```sh
# ls -la <key file>
```

If the owner of the file is not the DNS administrator or the permissions are weaker than 600, then this is a finding.

BIND on Windows

Instruction: Ask the DNS administrator for the directory location containing the private key files. Right-click on the file and select Properties. Under the file properties, select the Security tab. If the Administrator group does not have full control or the DNS user is not restricted to read permission, then this is a finding.
Fix Text (F-14242r1_fix) |
---|
For UNIX systems, set the owner and permissions of each private key file: |

```sh
# chown dnsadmin <keyfile>
# chmod 600 <keyfile>
```

For Windows systems: Ask the DNS administrator for the directory location containing the private key files. Right-click on the file and select Properties. Under the file properties, select the Security tab. Ensure the Administrator group has full control and the DNS user has read permission.
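The UNIX check and fix above are manual, one file at a time. The script below is an added example, not part of the STIG or of BIND, that automates both for a whole key directory: it flags any private key file whose owner is not the expected DNS administrator or whose mode has any bit set outside 0600, and applies the `chown`/`chmod` fix on request. It assumes BIND's `K<zone>+<alg>+<id>.private` file naming and takes the administrator account name (for example `dnsadmin`) as an argument rather than hard-coding it; the sample key file in the usage stanza is constructed.

```sh
#!/bin/sh
# Added example (not from the STIG): audit and remediate DNSSEC private key
# file ownership and permissions per V-14766 (owner = DNS admin, mode <= 0600).

# Print "<octal mode> <owner>" for FILE; GNU stat first, BSD stat as fallback.
key_file_stat() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# check_key_file FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER with no permission bit
# outside 0600 (group/other/execute/setuid/sticky all clear); prints a finding
# and returns 1 otherwise.
check_key_file() {
    file=$1
    expected_owner=$2
    if [ ! -f "$file" ]; then
        echo "FINDING: $file is not a regular file"
        return 1
    fi
    set -- $(key_file_stat "$file") || return 1
    mode=$1
    owner=$2
    status=0
    if [ "$owner" != "$expected_owner" ]; then
        echo "FINDING: $file owned by '$owner', expected '$expected_owner'"
        status=1
    fi
    # 0$mode makes the value an octal constant; any bit not in 0600 is weaker than 600.
    if [ $(( 0$mode & ~0600 )) -ne 0 ]; then
        echo "FINDING: $file mode $mode is weaker than 600"
        status=1
    fi
    return $status
}

# remediate_key_file FILE OWNER: apply the STIG fix (chown + chmod 600).
remediate_key_file() {
    chown "$2" "$1" && chmod 600 "$1"
}

# audit_key_dir DIR OWNER: check every K*.private file (BIND's key naming) in DIR.
# Returns 0 when all are compliant, 1 when at least one finding was reported.
audit_key_dir() {
    dir=$1
    admin=$2
    failures=0
    for f in "$dir"/K*.private; do
        [ -e "$f" ] || continue   # no keys present: the glob did not expand
        check_key_file "$f" "$admin" || failures=$((failures + 1))
    done
    echo "$failures non-compliant key file(s) in $dir"
    [ "$failures" -eq 0 ]
}

# Usage when run directly: sh keyperm.sh /var/named/keys dnsadmin [--fix]
# (the directory and account here are placeholders, not values from the STIG)
if [ "$#" -ge 2 ]; then
    if [ "${3:-}" = "--fix" ]; then
        for f in "$1"/K*.private; do
            [ -e "$f" ] && remediate_key_file "$f" "$2"
        done
    fi
    audit_key_dir "$1" "$2"
fi
```

Running the audit before and after `--fix` gives the evidence an assessor wants: the list of findings and the confirmation that none remain. The check deliberately treats 0700 and 0640 as findings too, since both carry a bit that 0600 does not; a key file needs only owner read/write.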