Title

On a BIND 9.x server, all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone. (Cat II impact)

Discussion

All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients.

Check Content

If this is an authoritative name server, this is not applicable. Use command dig @<serverip> . ns and examine results. Answer results . 518400 IN NS e.root-servers.net. . 518400 IN NS a.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS m.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS l.root-servers.net. ;; ADDITIONAL SECTION: m.root-servers.net. 518400 IN A 202.12.27.33 l.root-servers.net. 518400 IN A 199.7.83.42 k.root-servers.net. 518400 IN A 193.0.14.129 j.root-servers.net. 518400 IN A 192.58.128.30 i.root-servers.net. 518400 IN A 192.36.148.17 h.root-servers.net. 518400 IN A 198.97.190.53 g.root-servers.net. 518400 IN A 192.112.36.4 f.root-servers.net. 518400 IN A 192.5.5.241 e.root-servers.net. 518400 IN A 192.203.230.10 d.root-servers.net. 518400 IN A 199.7.91.13 c.root-servers.net. 518400 IN A 192.33.4.12 b.root-servers.net. 518400 IN A 170.247.170.2 a.root-servers.net. 518400 IN A 198.41.0.4 m.root-servers.net. 518400 IN AAAA 2001:dc3::35 l.root-servers.net. 518400 IN AAAA 2001:500:9f::42 k.root-servers.net. 518400 IN AAAA 2001:7fd::1 j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30 i.root-servers.net. 518400 IN AAAA 2001:7fe::53 h.root-servers.net. 518400 IN AAAA 2001:500:1::53 g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d f.root-servers.net. 518400 IN AAAA 2001:500:2f::f e.root-servers.net. 518400 IN AAAA 2001:500:a8::e d.root-servers.net. 518400 IN AAAA 2001:500:2d::d c.root-servers.net. 518400 IN AAAA 2001:500:2::c b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30 If names and addresses do not match the current IANA list, this is a finding. Perform command dig @<serverip> . dnskey +multi and examine results. answer results 77555 IN DNSKEY 257 3 8 ( AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN 7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5 LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8 efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7 pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws 9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; KSK; alg = RSASHA256 ; key id = 20326 . 77555 IN DNSKEY 256 3 8 ( AwEAAbEbGCpGTDrcZTWqWWE72nphyshpRcILdzCVlBGU 9Ln1Fui9kkseUOP+g5GLUeVFKdTloeRTA9+EYiQdXgWX mXmuW/nGxZjAikluF/O9NzLVrr5iZnth2xu+F48nrJlA gWWiMNau54NI5sZ3iVQfhFsq2pZmf43RauRPniYMShOL O7EBWWXr5glDSgZGS9fSm6xHwwF+g8D4m8oanjvdCBNx XzSEKS31ibxjLifTfvwCg3y4XXcNW9U6Nu3JmoKUdxqp PPIkBvVQbIz4UO2FwaR13uXC03ALP1Yx2QNSS4SZlcIM tAftQR9wtCiuPWQnFv4jkzWqlhp1Lmf7bcoL9yk= ) ; ZSK; alg = RSASHA256 ; key id = 53148 . 77555 IN DNSKEY 257 3 8 ( AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC 6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeH spaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vr hbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAx m9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7 CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+ u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxP vYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; KSK; alg = RSASHA256 ; key id = 38696 If the dnssec keys and root anchors do not match the IANA list, this is a finding.

Fix Text

Edit the local root zone file. Ensure that the root servers listed match the IANA list. Ensure that the DNS keys and trust anchors listed match the IANA list. Restart the BIND 9.x process.

Additional Identifiers

Rule ID: SV-272396r1124054_rule

Vulnerability ID: V-272396

Group Title: SRG-APP-000516-DNS-000102

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.