Check: DNS0445
BIND DNS STIG (version v4 r1.2)
Title
A cryptographic key used to secure DNS transactions has been utilized on a name server for more than one year. (Cat II impact)
Discussion
Keys are more likely to be compromised if they remain in use for over a year.
Check Content
BIND Instruction: With the SA's assistance, the reviewer should locate the file directory that contains the TSIG keys (i.e., /etc/dns/keys/) and then list the files in that directory (e.g., by using the UNIX ls -l command). The key statements in named.conf will provide the location of the key files. If any of the key files have a last-modified time stamp that is more than one year old, then this is a finding.
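The check above can be scripted instead of eyeballing ls -l output. The following is an added example, not part of the STIG text; it assumes the TSIG key files are pulled into named.conf through include statements (so a referenced file is "in use") and that paths contain no whitespace. The sample named.conf and key files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Automates DNS0445: flag TSIG key files referenced from named.conf whose
# last-modified time is more than 365 days ago (added example, not STIG text).

# Print the paths named by include statements in the given named.conf.
tsig_key_files() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print "FINDING <file>" for each key file older than one year, "OK <file>"
# otherwise, "MISSING <file>" if the file does not exist. Returns 1 on any finding.
dns0445_check() {
    conf="$1"; rc=0
    limit=$(( $(date +%s) - 365 * 86400 ))
    for f in $(tsig_key_files "$conf"); do          # assumes no spaces in paths
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; continue
        fi
        # GNU stat first, BSD/macOS stat as fallback: both yield mtime in epoch seconds
        mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
        if [ "$mtime" -lt "$limit" ]; then
            echo "FINDING $f"; rc=1
        else
            echo "OK $f"
        fi
    done
    return $rc
}

# Constructed fixture: one fresh key file, one key file last modified in 2020.
# Echoes the path of the generated named.conf.
make_sample_config() {
    d=$(mktemp -d)
    printf 'key "fresh" { algorithm hmac-sha256; secret "Q29uc3RydWN0ZWQ="; };\n' > "$d/fresh.key"
    cp "$d/fresh.key" "$d/old.key"
    touch -t 202001010000 "$d/old.key"   # fixed 2020 timestamp: always over a year old
    printf 'include "%s";\ninclude "%s";\n' "$d/fresh.key" "$d/old.key" > "$d/named.conf"
    echo "$d/named.conf"
}

# Demonstration run against the constructed configuration.
conf=$(make_sample_config)
dns0445_check "$conf" || echo "DNS0445: one or more TSIG keys exceed one year in service"
rm -rf "$(dirname "$conf")"
```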
Fix Text
The IAO should execute the organization's procedure for TSIG key supersession.
Additional Identifiers
Rule ID: SV-4480r2_rule
Vulnerability ID: V-4480
Group Title:
CCIs
CCIs tied to check.
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
Controls tied to check. These are derived from the CCIs shown above.
| Number | Title |
|---|---|
| No controls are assigned to this check | |