BIND 9.x STIG

BIND 9.x Security Technical Implementation Guide

| ID | Vuln ID | Title | Cat | Status |
|---|---|---|---|---|
| BIND-9X-001111 | V-207564 | The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account. | Cat II | |
| BIND-9X-001113 | V-207566 | The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year. | Cat II | |
| BIND-9X-001070 | V-207559 | A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers. | Cat II | |
| BIND-9X-001404 | V-207587 | On the BIND 9.x server the IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database. | Cat II | |
| BIND-9X-001100 | V-207561 | The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit. | Cat I | |
| BIND-9X-001060 | V-207558 | A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input. | Cat II | |
| BIND-9X-001005 | V-207537 | The host running a BIND 9.x implementation must use a dedicated management interface in order to separate management traffic from DNS specific traffic. | Cat II | |
| BIND-9X-001042 | V-207548 | The BIND 9.x server implementation must maintain at least 3 file versions of the local log file. | Cat III | |
| BIND-9X-001057 | V-207555 | The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated. | Cat III | |
| BIND-9X-001080 | V-207560 | A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients. | Cat II | |
| BIND-9X-001130 | V-207568 | The DNSSEC keys used with the BIND 9.x implementation must be owned by a privileged account. | Cat II | |
| BIND-9X-001055 | V-207554 | A BIND 9.x server implementation must prohibit recursion on authoritative name servers. | Cat II | |
| BIND-9X-001051 | V-207550 | The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time. | Cat II | |
| BIND-9X-001403 | V-207586 | A BIND 9.x server implementation must implement internal/external role separation. | Cat I | |
| BIND-9X-001612 | V-207595 | On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments. | Cat II | |
