Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-APP-000516-DNS-000111 | SRG-APP-000516-DNS-000111 | SRG-APP-000516-DNS-000111_rule | | Medium |
Description |
---|
The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored off-line (with respect to the Internet-facing, DNSSEC-aware name server) on a physically secure, non-network-accessible machine along with the zone file master copy. This strategy is not feasible when the DNSSEC-aware name server has to support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (usually a primary authoritative name server) has to keep both the zone file master copy and the private key corresponding to the zone-signing key (ZSK-private) on-line so that it can immediately re-sign the updated RRsets. The private key corresponding to the key-signing key (KSK-private) can still be kept off-line, because the KSK signs only the DNSKEY RRset and not the zone data that dynamic updates modify. |
STIG | Date |
---|---|
Domain Name System (DNS) Security Requirements Guide | 2014-07-11 |
Check Text ( C-SRG-APP-000516-DNS-000111_chk ) |
---|
Review the DNS name server and its documentation to determine whether it accepts dynamic updates. If dynamic updates are accepted, verify that the private key of the KSK is protected with directory/file-level access control list (ACL)-based or cryptography-based protections. If the KSK private key is protected by neither, this is a finding. |
Fix Text (F-SRG-APP-000516-DNS-000111_fix) |
---|
Apply permissions to the key file so that read/modify access is granted only to the account under which the name server software runs. |
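The check and fix above can be scripted. The following POSIX shell audit is an added example for this page, not text or code from the SRG; it assumes the private keys sit in a single directory and are named `K<zone>.+<alg>+<keytag>.private` (the layout BIND's `dnssec-keygen` produces), that the name server runs as the account `named`, and that the key directory is `/var/named/keys`. A key passes when it is owned by the service account and carries no group or other permission bits; anything else is reported as a finding, and the fix function applies the owner and `0600` mode the fix text calls for.

```shell
#!/bin/sh
# Added example for this requirement (not part of the SRG): audit and fix the
# access controls on DNSSEC private key files. Assumptions: keys live in one
# directory and are named K<zone>.+<alg>+<keytag>.private as BIND's
# dnssec-keygen writes them, and the name server runs as the account "named".

# Print "<octal mode> <owner>" for a file (GNU stat, with a BSD stat fallback).
key_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# Return 0 when the key file is owned by the expected service account and
# grants no permission bits to group or others (e.g. 0600 or 0400), else 1.
check_private_key_perms() {
    file=$1
    expected_owner=$2
    [ -f "$file" ] || return 1
    set -- $(key_mode_owner "$file")   # $1 = mode, $2 = owner
    mode=$1
    owner=$2
    [ "$owner" = "$expected_owner" ] || return 1
    # The last two octal digits are the group and other bits; both must be zero.
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Apply the fix text: only the service account may read or modify the key.
fix_private_key_perms() {
    chown "$2" "$1" && chmod 600 "$1"
}

# Audit every private key in a directory. Returns the number of findings,
# so a return of 0 means compliant; the per-file report goes to stdout.
audit_key_dir() {
    dir=$1
    svc_owner=$2
    findings=0
    for key in "$dir"/K*.private; do
        [ -e "$key" ] || continue          # glob matched nothing
        if check_private_key_perms "$key" "$svc_owner"; then
            printf 'OK       %s\n' "$key"
        else
            printf 'FINDING  %s (mode owner: %s)\n' "$key" "$(key_mode_owner "$key")"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage (assumed path and account):
#   audit_key_dir /var/named/keys named || echo "$? key file(s) need attention"
```

Two caveats a reviewer should keep in mind. First, BIND's `.private` file names do not distinguish a KSK from a ZSK (the flag value in the companion `.key` file does), so this audit holds every private key to the same standard; that is stricter than the check text, which requires protection only for the KSK, but it matches the description's intent that both keys be protected. Second, the script covers only the directory/file-level ACL alternative in the check text; a deployment that relies on cryptography-based protection (an encrypted key store or an HSM) must be verified against that mechanism instead, and `chown` in the fix function needs root.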