Check: DNS0710
BIND DNS STIG:
DNS0710
(in version v4 r1.2)
Title
A TSIG key is not in its own dedicated file. (Cat II impact)
Discussion
Ideally, nobody, not even DNS and Systems Administrators, should view the key. If it is included in named.conf, they will view it on a regular basis, which means computer forensics is less likely to determine who may have obtained the key if it is compromised. In addition, if named.conf needs to be copied from the system for whatever reason (e.g., sent to an expert to troubleshoot a problem, appended to a change management work order, etc.), then others will see the key and could copy it. On the other hand, if the key is in a dedicated file, then the operating system can be configured to log any access to that file, which would make it easy for security personnel to determine when users other than the DNS name server software accessed the key.
Check Content
The key statement is located in named.conf. If the key statement includes a secret phrase followed by a character representation of the key, then this is a finding. The correct configuration calls for an include statement embedded in the key statement. The include statement references a separate file that contains the key, so the key does not need to appear in the named.conf file. An example of a properly configured key statement in practice might be:

key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil {
    algorithm hmac-md5;
    include "/etc/dns/keys/ns1_ns2.key";
};

If each key is not located in its own dedicated file (one file per key), then this is a finding.
Fix Text
The DNS software administrator should cut and paste the secret phrase from each key statement and place it in a dedicated file. Then, an include phrase should be added to the key statement. Additional information on TSIG key generation and storage may be obtained from the DNS STIG.

Create a new designated file for that key. Using a text editor, create a file with the following content:

secret "generated_key";

In our example, the contents would be:

secret "2njlQNnzn6HTwKLcjStUXg==";

The syntax of the statement is critical. Ensure that:
- The word "secret" appears at the beginning of the line, followed by a space
- The key is enclosed in quotes with no extra spaces before or after the key
- A semicolon (;) follows the quotation mark after the key
- There are no extra characters, lines, or carriage returns before or after the statement

Importantly, any key longer than approximately 320 bits will contain a space within the key field of the original .key file. This space can be left within the string, as long as it is enclosed within the double quotes (") in the new file created to house the key.
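As an added example that is not part of the STIG text, the following Python audit applies the Check Content to a constructed named.conf fragment (flagging key statements with an inline secret, accepting those that use an include) and validates a dedicated key file against the syntax rules listed in the Fix Text. The key names, file path and secret value are constructed samples.

```python
import re

# Constructed sample named.conf fragment (not from a real system): one key
# inlined (a finding under DNS0710) and one that uses a dedicated include file.
SAMPLE_NAMED_CONF = """
key "ns1_ns2" {
    algorithm hmac-sha256;
    secret "2njlQNnzn6HTwKLcjStUXg==";
};
key "ns1_ns3" {
    algorithm hmac-sha256;
    include "/etc/dns/keys/ns1_ns3.key";
};
"""

# key <name> { ... }; with or without quotes around the name
KEY_BLOCK = re.compile(r'key\s+"?([^\s"{]+)"?\s*\{(.*?)\};', re.S)


def audit_key_statements(conf_text):
    """Return {key_name: 'finding' | 'ok'} for every key statement found.
    An inline 'secret' in the block is a finding; a block that references an
    include file instead is compliant; a block with neither is malformed."""
    results = {}
    for name, body in KEY_BLOCK.findall(conf_text):
        if re.search(r'\bsecret\s+"', body):
            results[name] = "finding"
        elif re.search(r'\binclude\s+"', body):
            results[name] = "ok"
        else:
            results[name] = "finding"
    return results


# Exactly: the word secret, one space, quoted key, semicolon, nothing else.
DEDICATED_LINE = re.compile(r'^secret "[^"]+";$')


def validate_key_file(contents):
    """Check a dedicated key file against the Fix Text syntax rules.
    A single trailing newline (as most editors add) is tolerated; any other
    extra line, carriage return or character fails. A space inside a long
    key is allowed, but no padding spaces around the key."""
    if contents.endswith("\n"):
        contents = contents[:-1]
    if "\n" in contents or "\r" in contents:
        return False
    if not DEDICATED_LINE.match(contents):
        return False
    key = contents[len('secret "'):-2]
    return key == key.strip()
```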
Additional Identifiers
Rule ID: SV-4494r2_rule
Vulnerability ID: V-4494
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |