An error occurred:

Check: BIND-9X-001610

BIND 9.x STIG: BIND-9X-001610 (in version v3 r0.1)

Title

The BIND 9.x implementation must not use a TSIG or DNSSEC key for more than one year. (Cat II impact)

Discussion

Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements. Configuring the DNS server implementation to follow organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.

Check Content

With the assistance of the DNS administrator, identify all of the cryptographic key files used by the BIND 9.x implementation. With the assistance of the DNS administrator, determine the location of the cryptographic key files used by the BIND 9.x implementation. # ls -al <Crypto_Key_Location> -rw-------. 1 named named 76 May 10 20:35 crypto-example.key If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable. For DNSSEC keys: Verify that the "Created" date is less than one year from the date of inspection: Note: The date format will be displayed in YYYYMMDDHHMMSS. # cat <DNSSEC_Key_File> | grep -i "created" Created: 20160704235959 If the "Created" date is more than one year old, this is a finding. For TSIG keys: Verify with the information system security officer (ISSO)/information system security manager (ISSM) that the TSIG keys are less than one year old. If a TSIG key is more than one year old, this is a finding.

Fix Text

Generate new DNSSEC and TSIG keys. For DNSSEC keys: Use the newly generated keys to resign all of the zone files on the name server. For TSIG keys: Update the named.conf file with the new keys. Restart the BIND 9.x process.

Additional Identifiers

Rule ID: SV-272414r1082268_rule

Vulnerability ID: V-272414

Group Title: SRG-APP-000516-DNS-000500

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings