Check: DNS0705
BIND DNS STIG:
DNS0705
(in version v4 r1.2)
Title
The DNS software administrator has not utilized at least 160 bit HMAC-SHA1 keys if available. (Cat III impact)
Discussion
SHA-1 is the algorithm currently specified in the National Institute of Standards and Technology's (NIST's) Secure Hashing Standard (FIPS 180-1) and required throughout DoD. HMAC-MD5 will be replaced with HMAC-SHA1 or higher when available for DNS TSIG applications. In general, only NIST or National Security Agency (NSA) approved algorithms should be utilized in the DoD computing infrastructure. The US Government currently requires SHA-1 for hashing applications. It is considered an improvement over MD5, for which there are known instances of collisions.
Check Content
There is to be a properly configured key statement located in the named.conf file. BIND now supports HMAC-SHA1, and organizations will be required to migrate to this algorithm or greater when operating system vendors add the capability. An example of a properly configured key statement in practice might be:

key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil {
    algorithm hmac-sha1;
    include "/etc/dns/keys/ns1_ns2.key";
};

If the key statement is not configured, this is a finding. If the key statement is not configured to implement at least HMAC-SHA1, this is a finding. The key material itself (the secret statement, or the contents of the included key file) should be at least 160 bits, as the title requires.

Note: rndc does not yet support the use of SHA-1; therefore, HMAC-MD5 is acceptable for the rndc control key until such time that SHA support is available.
Fix Text
The DNS software administrator should include an algorithm statement of at least hmac-sha1 (for example, "algorithm hmac-sha1;" or a stronger HMAC) in each key statement. Where HMAC-SHA1 is not yet available, as is currently the case for the rndc control key, "algorithm hmac-md5;" is acceptable until SHA support exists.
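The check above and the fix text can be applied mechanically against a named.conf. The following is an added example, not STIG text and not BIND's own code: a Python script that extracts each key statement, reports a finding where the algorithm is weaker than HMAC-SHA1 or the inline secret decodes to fewer than 160 bits, and accepts HMAC-MD5 only on keys the controls statement references (the rndc exception in the note). The sample named.conf, its key names, secrets and the /etc/dns/keys path are constructed placeholders; a secret pulled in through include is reported as unverified rather than resolved, and the algorithm table lists the six HMAC names BIND accepts in a key statement.

```python
"""Audit BIND key statements for DNS0705 (added example, not STIG or BIND code)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple

# Digest size in bytes for each HMAC algorithm name BIND accepts in a key statement.
HMAC_DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                     "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
MIN_SECRET_BYTES = 20  # "at least 160 bit" from the check title

# Constructed sample configuration; names, secrets and paths are placeholders.
SAMPLE_NAMED_CONF = """\
// Constructed sample named.conf for this example, not a real configuration.
options { directory "/var/named"; };

key "ns1_ns2" {                     // legacy: HMAC-MD5 on a zone-transfer key
    algorithm hmac-md5;
    secret "MDEyMzQ1Njc4OWFiY2RlZg==";
};

key "ns1_ns3" {                     // compliant: HMAC-SHA256 with a 256-bit secret
    algorithm hmac-sha256;
    secret "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=";
};

key ns1.example.test_ns4.example.test {   # algorithm fine, secret only 96 bits
    algorithm hmac-sha1;
    secret "c2hvcnRzZWNyZXQx";
};

key "ns1_ns5" {                     /* secret kept out of named.conf */
    algorithm hmac-sha1;
    include "/etc/dns/keys/ns1_ns5.key";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "MDEyMzQ1Njc4OWFiY2RlZg==";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
"""


@dataclass
class KeyResult:
    name: str
    algorithm: Optional[str]
    status: str  # "ok", "finding", "exception" (rndc HMAC-MD5) or "unverified"
    reason: str


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments (does not special-case quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def _block(text: str, open_idx: int) -> str:
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def control_key_names(conf: str) -> Set[str]:
    """Key names listed in keys { ... } inside controls statements (rndc keys)."""
    names: Set[str] = set()
    for m in re.finditer(r"\bcontrols\s*\{", conf):
        body = _block(conf, m.end() - 1)
        for km in re.finditer(r"\bkeys\s*\{", body):
            names.update(re.findall(r'"?([^\s"{};]+)"?\s*;', _block(body, km.end() - 1)))
    return names


def parse_keys(conf: str) -> Iterator[Tuple[str, Optional[str], Optional[str], Optional[str]]]:
    """Yield (name, algorithm, inline secret, include path) for each key statement."""
    for m in re.finditer(r'\bkey\s+"?([^\s"{;]+)"?\s*\{', conf):
        body = _block(conf, m.end() - 1)
        alg = re.search(r"\balgorithm\s+([\w-]+)\s*;", body)
        secret = re.search(r'\bsecret\s+"([^"]*)"\s*;', body)
        include = re.search(r'\binclude\s+"([^"]*)"\s*;', body)
        yield (m.group(1), alg.group(1).lower() if alg else None,
               secret.group(1) if secret else None, include.group(1) if include else None)


def evaluate(name, alg, secret, include, control_keys: Set[str]) -> KeyResult:
    """Apply the DNS0705 rules to one parsed key statement."""
    if alg is None:
        return KeyResult(name, None, "finding", "no algorithm statement")
    if alg not in HMAC_DIGEST_BYTES:
        return KeyResult(name, alg, "finding", f"unrecognized algorithm {alg}")
    if alg == "hmac-md5":
        if name in control_keys:
            return KeyResult(name, alg, "exception", "HMAC-MD5 accepted for rndc control key")
        return KeyResult(name, alg, "finding", "HMAC-MD5 is weaker than HMAC-SHA1")
    if secret is None:
        return KeyResult(name, alg, "unverified",
                         f"secret not inline; inspect {include or 'missing secret statement'}")
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return KeyResult(name, alg, "finding", "secret is not valid base64")
    if len(raw) < MIN_SECRET_BYTES:
        return KeyResult(name, alg, "finding", f"secret is {len(raw) * 8} bits, fewer than 160")
    return KeyResult(name, alg, "ok",
                     f"{alg} ({HMAC_DIGEST_BYTES[alg] * 8}-bit digest) with {len(raw) * 8}-bit secret")


def audit(conf_text: str) -> List[KeyResult]:
    """Strip comments, collect rndc keys, then evaluate every key statement."""
    conf = strip_comments(conf_text)
    control = control_key_names(conf)
    return [evaluate(*fields, control) for fields in parse_keys(conf)]


def findings(results: List[KeyResult]) -> List[KeyResult]:
    return [r for r in results if r.status == "finding"]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NAMED_CONF
    for r in audit(text):
        print(f"{r.status:10} {r.name}: {r.reason}")
```

Run it with the path to named.conf as the only argument (or with no argument to audit the embedded sample). Any "finding" line maps directly to the two finding conditions in Check Content; "unverified" lines point at the included key file the reviewer still has to open.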
Additional Identifiers
Rule ID: SV-4493r2_rule
Vulnerability ID: V-4493
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |