The DNS implementation must produce, control, and distribute symmetric cryptographic keys, such as TSIG, using NIST-approved key management technology and processes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34165	SRG-NET-000215-DNS-000129	SV-44618r1_rule		Medium

Description
The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be secured. Unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial of Service. The secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protection to maintain the availability of the information in the event of the loss of cryptographic keys by users.

Description

The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be secured. Unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial of Service. The secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protection to maintain the availability of the information in the event of the loss of cryptographic keys by users.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42125r1_chk )
Review the DNS vendor documentation and system configuration to determine if the implementation produces, controls, and distributes symmetric cryptographic keys using NSA-approved key management technology and processes. If symmetric cryptographic keys are not properly produced, controlled, and distributed, this is a finding.

Fix Text (F-38075r1_fix)
Ensure the DNS implementation produces, controls, and distributes symmetric cryptographic keys, such as TSIG, using NIST-approved key management technology and processes.