UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must produce, control, and distribute asymmetric cryptographic keys using prepositioned keying material.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34167 SRG-NET-000217-DNS-000131 SV-44620r1_rule Medium
Description
The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be secured. Unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial of Service. DNSSEC allows public key distribution through the DNS, but this will only work if it is possible to build a chain of authority from a 'trust-anchor' through delegation from parent to child in each zone. The secure administration and distribution of cryptographic keys for TSIG and DNSSEC is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction. Distribution requires the prepositioning of public keys for installation and use on remote systems. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users. The public keys of a given DNSSEC enabled zone must be signed by the delegating DNSSEC authority.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42128r1_chk )
Review the DNS implementation to verify the tools required to produce, control, and distribute asymmetric cryptographic keys are available.

If the DNS deployment does not provide for the production, control, and distribution of asymmetric cryptographic keys using approved prepositioned keying material, this is a finding.
Fix Text (F-38077r1_fix)
Ensure the DNS implementation can produce, control, and distribute asymmetric cryptographic keys for TSIG and DNSSEC using prepositioned keying material.