Check: DNS4660
BIND DNS STIG: DNS4660 (in version v4 r1.2)
Title
The DNSSEC key signing key is not at least 2048 bits. (Cat III impact)
Discussion
The choice of key size is a tradeoff between the risk of key compromise and performance. The performance variables are signature generation and verification times. The size of the DNS response packet also is a factor because DNSKEY RRs may be sent in the additional section of the DNS response. Because the KSK is used only for signing the key set (DNSKEY RRSet), performance is not much of an issue. Compromise of a KSK could have a great impact, however, because the KSK is the entry point key for a zone. Rollover of a KSK in the event of a compromise involves potential update of trust anchors in many validating resolvers. Hence, a large key size is recommended for the KSK. A large key size decreases the chances of the key compromise and avoids the need for frequent rollovers as each rollover requires administrative monitoring and follow-up action.
Check Content
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. Instruction: Examine the public key record type DNSKEY in the zone file. The actual key contained in the file, when it uses the RSA algorithm with a key size of 2048 bits, will contain 351 characters. If the key does not appear to contain at least 351 characters, then this is a finding.
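A check that measures the KSK modulus directly instead of counting base64 characters (the count also varies with how the exponent is encoded), written as an added Python example that is not part of the STIG or of BIND; the DNSKEY records it processes are constructed samples, not real keys.

```python
import base64
from typing import List, NamedTuple, Optional, Tuple

RSA_ALGORITHMS = {1, 5, 7, 8, 10}  # IANA: RSAMD5, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512
# is_ksk means the SEP bit is set (flags 257 = ZONE|SEP); rsa_bits is None for non-RSA algorithms
DnskeyInfo = NamedTuple("DnskeyInfo", [("flags", int), ("algorithm", int),
                                       ("is_ksk", bool), ("rsa_bits", Optional[int])])

def rsa_modulus_bits(public_key: bytes) -> int:
    """Modulus bit length of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    if public_key and public_key[0] != 0:          # one-byte exponent length
        exp_len, offset = public_key[0], 1
    elif len(public_key) >= 3:                      # zero byte, then two-byte exponent length
        exp_len, offset = int.from_bytes(public_key[1:3], "big"), 3
    else:
        raise ValueError("truncated RSA public key")
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("RSA public key has no modulus")
    return int.from_bytes(modulus, "big").bit_length()

def parse_dnskey(rdata: str) -> DnskeyInfo:
    """Parse presentation-format DNSKEY RDATA such as '257 3 8 AwEAAb...'."""
    fields = rdata.split()
    flags, algorithm = int(fields[0]), int(fields[2])
    key = base64.b64decode("".join(fields[3:]), validate=True)
    bits = rsa_modulus_bits(key) if algorithm in RSA_ALGORITHMS else None
    return DnskeyInfo(flags, algorithm, bool(flags & 0x0001), bits)

def dns4660_findings(records: List[Tuple[str, str]], minimum_bits: int = 2048) -> List[str]:
    """One finding per RSA KSK whose modulus is shorter than minimum_bits; ZSKs are out of scope."""
    findings = []
    for owner, rdata in records:
        info = parse_dnskey(rdata)
        if info.is_ksk and info.rsa_bits is not None and info.rsa_bits < minimum_bits:
            findings.append(f"{owner}: RSA KSK modulus is {info.rsa_bits} bits, below {minimum_bits}")
    return findings

def encode_rsa_dnskey(flags: int, algorithm: int, exponent: int, modulus: int) -> str:
    """Build DNSKEY RDATA from RSA parameters; used here only to construct sample records."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return f"{flags} 3 {algorithm} " + base64.b64encode(bytes([len(e)]) + e + n).decode()

# Constructed sample zone: the moduli are arbitrary odd integers, not real keys.
SAMPLE_ZONE = [
    ("example.com.", encode_rsa_dnskey(257, 8, 65537, (1 << 2047) | 0x1234567)),  # 2048-bit KSK
    ("weak.example.", encode_rsa_dnskey(257, 8, 65537, (1 << 1023) | 0x7)),       # 1024-bit KSK
    ("example.com.", encode_rsa_dnskey(256, 8, 65537, (1 << 1023) | 0x7)),        # 1024-bit ZSK
]
```

Running `dns4660_findings(SAMPLE_ZONE)` reports only the 1024-bit KSK; the short ZSK is left for the separate ZSK rule.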
Fix Text
Generate a new key pair and update the DNSKEY record with the following: # dnssec-keygen -f KSK -n ZONE -a RSASHA256 -b 2048 example.com (the -f KSK option sets the SEP flag so the key is generated as a KSK rather than a ZSK; RSASHA256 is named explicitly because dnssec-keygen does not accept the bare algorithm name RSA, which referred to the deprecated RSAMD5)
Additional Identifiers
Rule ID: SV-15518r2_rule
Vulnerability ID: V-14761
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |