Check: DNS4650
BIND DNS STIG: DNS4650 (in version v4 r1.2)
Title
The DNSSEC algorithm for digital signatures must be RSASHA1, RSASHA256, or RSASHA512. (Cat III impact)
Discussion
MD5 is not collision resistant; therefore, RSAMD5 is not permitted for use in DNSSEC. RSASHA1 is the minimum algorithm for zone signatures. SHA2-based algorithms RSASHA256 and RSASHA512 offer greater security and are preferred over RSASHA1.
Check Content
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A.

Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key. Here is an example:

example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a

If this number is not a five, eight, or ten, then this is a finding.
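The check above can be automated for a whole zone file. The following is an added example (not part of the STIG text): it locates the DNSKEY type token and reads the algorithm number three fields later, so it also handles records where the TTL or class is omitted, and reports any record whose algorithm is not 5, 8 or 10. The zone content is constructed sample data.

```python
# Algorithm numbers the STIG accepts in DNSKEY field 7, with their names.
ALLOWED_ALGORITHMS = {5: "RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}
# RSAMD5 (1) is named only so a finding on it reads clearly; it is not allowed.
KNOWN_NAMES = {1: "RSAMD5", **ALLOWED_ALGORITHMS}


def dnskey_algorithm(record_line):
    """Return the algorithm number of a DNSKEY RR line, or None if it is not one.

    Reads flags, protocol, algorithm relative to the DNSKEY type token, so the
    line still parses when TTL or class is omitted (zone-file shorthand).
    """
    fields = record_line.split(";", 1)[0].split()  # drop trailing comment
    if "DNSKEY" not in fields:
        return None
    try:
        return int(fields[fields.index("DNSKEY") + 3])
    except (IndexError, ValueError):
        return None


def check_zone_dnskeys(zone_text):
    """Evaluate every DNSKEY record in zone_text against DNS4650.

    Returns (findings, reviewed): findings holds (owner, algorithm, name) for each
    record whose algorithm is not 5, 8 or 10; reviewed counts DNSKEY records seen.
    """
    findings, reviewed = [], 0
    for raw in zone_text.splitlines():
        alg = dnskey_algorithm(raw)
        if alg is None:
            continue
        reviewed += 1
        if alg not in ALLOWED_ALGORITHMS:
            findings.append((raw.split()[0], alg, KNOWN_NAMES.get(alg, "unknown")))
    return findings, reviewed


# Constructed sample zone: one compliant ZSK, one RSAMD5 KSK that must be flagged.
SAMPLE_ZONE = """\
$ORIGIN example.com.
example.com.     86400 IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDKEYMATERIAL== ; ZSK, RSASHA256
example.com.     86400 IN DNSKEY 257 3 1 AwEAAcONSTRUCTEDKEYMATERIAL== ; KSK, RSAMD5
ns1.example.com. 86400 IN A 192.0.2.1
"""

if __name__ == "__main__":
    found, seen = check_zone_dnskeys(SAMPLE_ZONE)
    print(f"{seen} DNSKEY record(s) reviewed")
    for owner, alg, name in found:
        print(f"FINDING: {owner} uses algorithm {alg} ({name})")
```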
Fix Text
Generate a new key pair and update the DNSKEY record with the following:

# dnssec-keygen -n ZONE -a RSASHA1 -b 2048 example.com
Additional Identifiers
Rule ID: SV-15517r3_rule
Vulnerability ID: V-14760
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |