
A TSIG key is not in its own dedicated file.


Overview

Finding ID: V-4494
Version: DNS0710
Rule ID: SV-4494r2_rule
IA Controls: ECCD-1, ECCD-2
Severity: Medium
Description
Ideally, nobody, not even DNS and systems administrators, should view the key. If it is included in named.conf, they will view it on a regular basis, which means computer forensics is less likely to determine who may have obtained the key if it is compromised. In addition, if named.conf needs to be copied from the system for whatever reason (e.g., sent to an expert to troubleshoot a problem, appended to a change management work order, etc.), then others will see the key and could copy it. On the other hand, if the key is in a dedicated file, then the operating system can be configured to log every access to that file, which makes it easy for security personnel to determine when anyone other than the DNS name server software accessed the key.

STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text (C-3375r1_chk)
The key statement is located in the named.conf. If the key statement includes a secret phrase followed by a character representation of the key, then this is a finding. The correct configuration calls for an include statement embedded in the key statement. The include statement references a separate file that contains the key so it does not need to appear in the named.conf file.

An example of a properly configured key statement in practice might be:

key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil {
    algorithm hmac-md5;
    include "/etc/dns/keys/ns1_ns2.key";
};

If each key is not located in its own dedicated file, then this is a finding.
Fix Text (F-4379r1_fix)
The DNS software administrator should cut the secret phrase from each key statement and paste it into a dedicated file. Then, an include statement referencing that file should be added to the key statement.

Additional information on TSIG key generation and storage may be obtained from the DNS STIG.

Create a new designated file for that key

Using a text editor, create a file with the following content:

secret "generated_key";

In our example, the contents would be:

secret "2njlQNnzn6HTwKLcjStUXg==";

The syntax of the statement is critical. Ensure that:

- The word "secret" appears at the beginning of the line, followed by a space
- The key is enclosed in double quotes with no extra spaces before or after the key
- A semicolon (;) follows the closing quotation mark after the key
- There are no extra characters, lines, or carriage returns before or after the statement

Importantly, any key longer than approximately 320 bits will contain a space within the key field of the original .key file. This space can be left within the string, as long as it is enclosed within double quotes (") in the new file created to house the key.