UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must enforce authorized access to the corresponding private key for PKI-based authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34116 SRG-NET-000165-DNS-000104 SV-44569r1_rule Medium
Description
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. In DNS, the private part of the key pair is used to sign the zone. Validating resolvers use the public part of the key pair to validate the digital signature created when the zone is signed. The private key is used to digitally sign the records and the resulting digital signature is stored in a RRSIG record. If the private key is compromised, integrity and authenticity of the data can no longer be guaranteed. Private keys must be restricted to authorized personnel only. If a compromise occurs, the DNS infrastructure is at risk of invalidated and bogus data proliferation. Holders of private/signing DNSSEC keys must protect the computers, storage devices, or whatever they use to keep the private keys.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42076r1_chk )
Review the DNS system and procedures to determine if organization defined private key access controls are in place to protect the private key. If a rigorous technical key management policy is not in place to protect the private keys, this is a finding.
Fix Text (F-38026r1_fix)
Define procedures and configure the DNS system to enforce the organization defined access control for the protection of private keys for DNSSEC based authentication.