
The DNS implementation must enforce authorized access to the corresponding private key for PKI-based authentication.


Overview

Finding ID: V-34116
Version: SRG-NET-000165-DNS-000104
Rule ID: SV-44569r1_rule
IA Controls: (none listed)
Severity: Medium
Description
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. In DNS, the private part of the key pair is used to sign the zone. Validating resolvers use the public part of the key pair to validate the digital signature created when the zone is signed. The private key is used to digitally sign the records, and the resulting digital signature is stored in an RRSIG record. If the private key is compromised, the integrity and authenticity of the data can no longer be guaranteed. Private keys must be restricted to authorized personnel only. If a compromise occurs, the DNS infrastructure is at risk of proliferating bogus data that nonetheless validates. Holders of private DNSSEC signing keys must protect the computers, storage devices, or any other media they use to keep the private keys.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-42076r1_chk )
Review the DNS system and procedures to determine whether organization-defined private key access controls are in place to protect the private key. If a rigorous technical key management policy is not in place to protect the private keys, this is a finding.
Fix Text (F-38026r1_fix)
Define procedures and configure the DNS system to enforce the organization-defined access control for the protection of private keys used for DNSSEC-based authentication.
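One technical check an auditor can run while reviewing the access controls called for above is to confirm that no DNSSEC private key file on the signing host is readable by anyone other than its owner. The script below is an added example written for this page, not part of the STIG or of any DNS product; it assumes the keys are stored as files whose names end in ".private" (the naming convention used by BIND's dnssec-keygen, which the STIG itself does not specify) and that the zone-signing process runs as the account that owns those files.

```shell
#!/bin/sh
# Added example (not from the STIG): audit DNSSEC private key files for
# permissions that let group or other users read them.
# Assumptions not stated on the page: key files end in ".private" (BIND
# dnssec-keygen convention) and live in one directory, KEYDIR.

# Print each *.private file under $1 whose group/other permission bits are
# not all cleared. Returns 0 when every key file is owner-only, 1 otherwise.
audit_key_perms() {
    keydir=$1
    status=0
    for f in "$keydir"/*.private; do
        [ -e "$f" ] || continue          # glob matched nothing: no key files present
        # columns 5-10 of the `ls -l` mode string are the group and other bits
        goperm=$(ls -ld "$f" | cut -c5-10)
        if [ "$goperm" != "------" ]; then
            printf 'FINDING: %s is accessible to group/other (%s)\n' "$f" "$goperm"
            status=1
        fi
    done
    return $status
}

# Demonstration against constructed key files in a temporary directory;
# the key names are made up and follow the K<zone>+<alg>+<id>.private pattern.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/Kexample.test.+013+12345.private"
    : > "$tmp/Kexample.test.+013+54321.private"
    chmod 600 "$tmp/Kexample.test.+013+12345.private"   # owner-only: compliant
    chmod 644 "$tmp/Kexample.test.+013+54321.private"   # world-readable: finding
    audit_key_perms "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run as `sh audit_keys.sh demo` to see one compliant and one non-compliant file;
# in production call `audit_key_perms /path/to/keydir` from a scheduled check.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The check deliberately reads the permission string from `ls -l` rather than `stat`, because the `stat` flags differ between GNU and BSD systems while the ten-character mode field is the same everywhere. File permissions are only the narrowest part of the control the STIG asks for: the same review should cover who can log into the signing host, how key material is backed up, and whether an HSM or offline signer is used for the key-signing key.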