Check: DNS4640
BIND DNS STIG:
DNS4640
(in version v4 r1.2)
Title
The DNS administrator, when implementing DNSSEC, will create and maintain separate key-pairs for key signing and zone signing. (Cat III impact)
Discussion
DNSSEC specifies generation and verification of digital signatures using asymmetric keys. This requires generation of a public key-private key pair. Although the DNSSEC specification does not call for different keys (just one key pair), experience from pilot implementations suggests that for easier routine security administration operations such as key rollover (changing of keys) and zone re-signing, at least two different types of keys are needed.
Check Content
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A.
Instruction: Examine the DNSKEY records in the zone file. At least two should exist and display different keys in the eighth field. If at least two different keys are not displayed, this is a finding.
example.com. 86400 IN DNSKEY 256 3 1 aghaghnl;knatnjkga;agn;g’a
example.com. 86400 IN DNSKEY 256 3 1 qrupotqtuipqtiqptouqptuqvi1
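The following is an added example, not part of the STIG text: a small Python script that parses the DNSKEY records of a zone file (one record per line, as in the sample above) and reports whether at least two distinct keys are published. It goes one step beyond the literal check by also reading the flags field, since the rule's title asks for separate key-signing and zone-signing keys: flags 257 (zone key with the SEP bit) marks a KSK, flags 256 a ZSK. The zone excerpt and its key material are constructed placeholders.

```python
"""DNS4640 helper: check that a zone publishes separate KSK and ZSK DNSKEY records."""
import re

# Constructed sample zone excerpt (placeholder key material, not real keys).
# Flags 257 = zone key + SEP bit (KSK); flags 256 = zone key only (ZSK).
SAMPLE_ZONE = """\
; constructed example zone
example.com.  86400 IN SOA    ns1.example.com. hostmaster.example.com. 1 3600 900 604800 86400
example.com.  86400 IN DNSKEY 257 3 8 AwEAAcKSKplaceholderKeyData1==
example.com.  86400 IN DNSKEY 256 3 8 AwEAAcZSKplaceholderKeyData2==
example.com.  86400 IN NS     ns1.example.com.
"""

# One DNSKEY RR per line, as in the STIG's own example (no multi-line parentheses).
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>\S+)$"
)

def parse_dnskeys(zone_text):
    """Return (owner, flags, algorithm, key_material) for each DNSKEY record."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        m = DNSKEY_RE.match(line)
        if m:
            records.append((m["owner"], int(m["flags"]), int(m["alg"]), m["key"]))
    return records

def audit_dnskeys(zone_text):
    """Apply the check: a finding when fewer than two distinct keys are
    published, or when no KSK (SEP bit set) or no ZSK (SEP bit clear) exists."""
    keys = parse_dnskeys(zone_text)
    distinct = {k[3] for k in keys}             # the "eighth field" of the RR
    zone_keys = [k for k in keys if k[1] & 256]  # bit 7: this is a zone key
    ksk = [k for k in zone_keys if k[1] & 1]     # bit 15 (SEP) set -> KSK
    zsk = [k for k in zone_keys if not k[1] & 1]  # SEP clear -> ZSK
    finding = len(distinct) < 2 or not ksk or not zsk
    return {"dnskeys": len(keys), "distinct": len(distinct),
            "ksk": len(ksk), "zsk": len(zsk), "finding": finding}

if __name__ == "__main__":
    print(audit_dnskeys(SAMPLE_ZONE))
```

Note that the sample records in the check text above both carry flags 256, so a zone that looks like the sample passes the "two different keys" test but would still be reported here for lacking a KSK; with BIND's dnssec-keygen the SEP flag is only set when `-f KSK` is given.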
Fix Text
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen -n ZONE -a RSASHA1 -b 2048 example.com
Additional Identifiers
Rule ID: SV-15516r2_rule
Vulnerability ID: V-14759
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
(none) | No CCIs are assigned to this check
Controls
Number | Title
---|---
(none) | No controls are assigned to this check