Title

The BIND 9.x server implementation must use separate TSIG key-pairs when securing server-to-server transactions. (Cat II impact)

Discussion

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG[0]), thus uniquely identifying the other server.

Check Content

Verify that the BIND 9.x server is configured to use separate TSIG key-pairs when securing server-to-server transactions. Inspect the "named.conf" file for the presence of TSIG key statements: On the primary name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; zone "disa.mil" { type Primary; file "db.disa.mil"; allow-transfer { key tsig_example.; }; }; On the secondary name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; server <ip_address> { keys { tsig_example }; }; zone "disa.mil" { type Secondary; Primarys { <ip_address>; }; file "db.disa.mil"; }; Verify that each TSIG key-pair listed is only used by a single key statement: # cat <tsig_key_file> If any TSIG key-pair is being used by more than one key statement, this is a finding.

Fix Text

Create a separate TSIG key-pair for each key statement listed in the named.conf file. Configure the name server to use separate TSIG key-pairs for each key statement listed in the named.conf file. Restart the BIND 9.x process.

Additional Identifiers

Rule ID: SV-272421r1068102_rule

Vulnerability ID: V-272421

Group Title: SRG-APP-000158-DNS-000015

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.