UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The shared secret in the APP session(s) was not a randomly generated 32 character text string.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4506 DNS0900 SV-4506r1_rule DCNR-1 Low
Description
The core requirements related to zone transfers are that an authoritative name server transfers zone information only to designated zone partners and that name servers only accept zone data when it is cryptographically authenticated. CSS APP provides means to designate which devices it can share zone data and to authenticate those transactions. CSS devices can define their peers using IP addresses and authenticate them using Challenge Handshake Authentication Protocol (CHAP) with a shared secret. This setup also can be supplemented with MD5 hashing encryption. While this configuration does not provide the equivalent strength of cryptographic authentication as BINDs TSIG HMAC-MD5, it does provide a satisfactory level of information assurance when CSS DNS operates within a trusted network environment.
STIG Date
CISCO CSS DNS 2013-04-12

Details

Check Text ( C-3387r1_chk )
Interview the SA and determine if the key was randomly generated 32-character text string.
Fix Text (F-4391r1_fix)
The CSS DNS administrator should use the following command while in global command mode; app session ip_address authChallenge shared_secret encryptMd5hash. In this command, ip_address refers to the IP address of the designated peer and the shared_secret is a text string up to 32 characters in length.