The shared secret in the APP session(s) was not a randomly generated 32 character text string.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-4506 | DNS0900 | SV-4506r1_rule | DCNR-1 | Low |
| Description |
|---|
| The core requirements related to zone transfers are that an authoritative name server transfers zone information only to designated zone partners and that name servers only accept zone data when it is cryptographically authenticated. CSS APP provides means to designate which devices it can share zone data and to authenticate those transactions. CSS devices can define their peers using IP addresses and authenticate them using Challenge Handshake Authentication Protocol (CHAP) with a shared secret. This setup also can be supplemented with MD5 hashing encryption. While this configuration does not provide the equivalent strength of cryptographic authentication as BINDs TSIG HMAC-MD5, it does provide a satisfactory level of information assurance when CSS DNS operates within a trusted network environment. |
| STIG | Date |
|---|---|
| CISCO CSS DNS | 2015-12-29 |
Details
| Check Text ( C-3387r1_chk ) |
|---|
| Interview the SA and determine if the key was randomly generated 32-character text string. |
| Fix Text (F-4391r1_fix) |
|---|
| The CSS DNS administrator should use the following command while in global command mode; app session ip_address authChallenge shared_secret encryptMd5hash. In this command, ip_address refers to the IP address of the designated peer and the shared_secret is a text string up to 32 characters in length. |