Check: DNS4700
BIND DNS STIG:
DNS4700
(in version v4 r1.2)
Title
The DNSSEC private key file is not owned by the DNS administrator or the permissions are not set to a minimum of 600. (Cat I impact)
Discussion
The private keys in the KSK and ZSK key pairs should be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. The signatures generated by using the private keys should be transferred to the primary authoritative name servers through a load process, using a dynamically established network connection (rather than a permanent network link).
Check Content
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A.

BIND on UNIX

Instruction: Ask the DNS administrator for the directory location containing the private key files. Perform the following to check the permissions:

# ls -la 'key file'

If the owner of the file is not the DNS administrator or the permissions are weaker than 600, then this is a finding.

BIND on Windows

Instruction: Ask the DNS administrator for the directory location containing the private key files. Right click on the file and select Properties. Under the file properties, select the Security tab. If the Administrator group does not have full control or the DNS user is not restricted to read permission, then this is a finding.
Fix Text
For UNIX systems:

# chown dnsadmin 'keyfile'
# chmod 600 'keyfile'

For Windows systems: Ask the DNS administrator for the directory location containing the private key files. Right click on the file and select Properties. Under the file properties, select the Security tab. Ensure the Administrator group has full control and the DNS user has read permission.
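The UNIX portion of the check and fix above is easy to script so it can be run against every key file in the directory the DNS administrator names. The script below is an added example and is not part of the STIG text or of BIND; it assumes the private keys use BIND's standard K<zone>.+<alg>+<id>.private file names, that the expected owner account is passed on the command line (dnsadmin in the STIG's fix text is just an example name), and that key file names contain no whitespace. It parses `ls -ld` output rather than `stat`, because stat's format flags differ between GNU and BSD systems. A mode stricter than 600 (for example 400) is reported as compliant, since the STIG only flags permissions weaker than 600; any group or other bit is a finding.

```shell
#!/bin/sh
# Added example (not part of the STIG text): automate the UNIX portion of
# the DNS4700 check. A DNSSEC private key file passes when it is owned by
# the expected DNS administrator account and its mode is 600 or stricter
# (no group or other permission bits set).

# check_key_file FILE OWNER
# Returns 0 when FILE complies, 1 otherwise; each problem is reported on
# stderr in the same "finding" terms the STIG uses.
check_key_file() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "FINDING: $file is missing or not a regular file" >&2
        return 1
    fi
    # "ls -ld" prints e.g. "-rw------- 1 dnsadmin named 1234 ... FILE".
    # Field 1 is the mode string and field 3 the owner. Parsing this output
    # avoids stat(1), whose format flags differ between GNU and BSD; it
    # assumes key file names contain no whitespace (true of BIND's K*.private).
    set -- $(ls -ld "$file")
    mode=$1
    actual_owner=$3
    rc=0
    if [ "$actual_owner" != "$owner" ]; then
        echo "FINDING: $file is owned by $actual_owner, expected $owner" >&2
        rc=1
    fi
    # Characters 5-10 of the mode string are the group and other rwx bits.
    # Anything but six dashes means access wider than 600 (a trailing
    # '+' or '.' for ACLs/SELinux sits at position 11 and is ignored).
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FINDING: $file mode $mode is weaker than 600" >&2
        rc=1
    fi
    return $rc
}

# audit_key_dir DIR OWNER
# Checks every BIND private key (K<zone>.+<alg>+<id>.private) in DIR and
# returns 1 if any file is a finding. The directory path and account name
# are supplied by the DNS administrator, as the STIG instructs.
audit_key_dir() {
    dir=$1
    owner=$2
    findings=0
    for key in "$dir"/K*.private; do
        [ -e "$key" ] || continue      # no keys present: nothing to check
        check_key_file "$key" "$owner" || findings=$((findings + 1))
    done
    echo "$findings non-compliant key file(s) in $dir"
    [ "$findings" -eq 0 ]
}

# Usage (hypothetical paths): sh check_dns4700.sh /var/named/keys dnsadmin
if [ $# -ge 2 ]; then
    audit_key_dir "$1" "$2"
fi
```

Run it with the key directory and the DNS administrator's account name; a non-zero exit status means at least one finding, and the stderr lines name the file and whether ownership or mode is at fault. Remediation for each reported file is the STIG's own fix: chown to the DNS administrator and chmod 600. The Windows ACL check is not covered by this script.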
Additional Identifiers
Rule ID: SV-15523r2_rule
Vulnerability ID: V-14766
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |