Title

A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes. (Cat II impact)

Discussion

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Check Content

Verify that the DNSSEC and TSIG keys used by the BIND 9.x implementation are FIPS 180-3 compliant. If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable. DNSSEC keys: Inspect the "named.conf" file and identify all of the DNSSEC signed zone files: zone "example.com" { file "signed_zone_file"; }; For each signed zone file identified, inspect the file for the "DNSKEY" records: 86400 DNSKEY 257 3 8 ( <KEY HASH> ) ; KSK; 86400 DNSKEY 256 3 8 ( <KEY HASH> ) ; ZSK; The fifth field in the above example identifies what algorithm was used to create the DNSKEY. If the fifth field the KSK DNSKEY is less than "8" (SHA256), this is a finding. If the algorithm used to create the ZSK is less than "8" (SHA256), this is a finding. TSIG keys: Inspect the "named.conf" file and identify all of the TSIG key statements: key tsig_example. { algorithm hmac-SHA256; include "tsig-example.key"; }; If each key statement does not use "hmac-SHA256" or a stronger algorithm, this is a finding.

Fix Text

Create new DNSSEC and TSIG keys using a FIPS 180-3 approved cryptographic algorithm that meets or exceeds the strength of SHA-256.

Additional Identifiers

Rule ID: SV-272436r1082281_rule

Vulnerability ID: V-272436

Group Title: SRG-APP-000514-DNS-000075

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.