Check: DNS4680
BIND DNS STIG: DNS4680 (in version v4 r1.2)
Title
The DNSSEC zone signing key size is not at least 1024 bits. (Cat III impact)
Discussion
As far as the choice of key size for the ZSK is concerned, performance will certainly be a factor, because the ZSK is used to sign all RRsets in the zone. In terms of impact, however, the ZSK is restricted to a single zone: its use is limited to signing RRsets for that zone, and it does not provide authenticated delegation for a child zone. Hence a smaller key size than that of the KSK can be used for the ZSK.
Check Content
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. BIND Instruction: Examine the public key record type DNSKEY in the zone file. The actual key contained in the file, using the RSA algorithm with a key size of 1024 bits, will contain 180 characters. If the key does not appear to contain at least 180 characters, then this is a finding.
Fix Text
Generate a new key pair and update the DNSKEY record with the following: # dnssec-keygen -n ZONE -a RSA -b 1024 example.com
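As an added example, not part of the STIG text and not BIND's own tooling, the following Python script applies this check to a zone file. It parses each DNSKEY record (including records BIND splits across lines with parentheses), base64-decodes the public key and, for the RSA algorithms, reads the modulus out of the RFC 3110 encoding to obtain the exact key size. This is more precise than counting characters, since the base64 length also depends on the exponent length (a 1024-bit key with exponent 65537 encodes to 176 characters). ZSKs below 1024 bits are reported as findings; keys whose flags are not 256 are skipped as outside this rule, and non-RSA ZSKs are marked for manual review because the character-count rule assumes RSA. The zone fragment, owner names and key bytes are constructed for the example: the keys are synthetic byte strings, not real key pairs. Running it against the zone after the dnssec-keygen fix confirms that the new ZSK meets the threshold.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# RSA-based DNSKEY algorithm numbers from the IANA DNSSEC algorithm registry.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}
ZSK_FLAGS = 256      # Zone Key bit set, SEP bit clear
MIN_ZSK_BITS = 1024  # threshold stated by the STIG check


@dataclass
class DnskeyResult:
    owner: str
    flags: int
    algorithm: int
    base64_length: int           # what the STIG's character-count rule looks at
    modulus_bits: Optional[int]  # exact RSA modulus size; None for non-RSA keys
    status: str                  # PASS, FINDING, NOT-ZSK or MANUAL-NONRSA


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Return the modulus bit length of an RFC 3110 encoded RSA DNSKEY public key.

    Layout: exponent length (1 byte, or a 0 byte followed by a 2-byte length),
    the exponent, then the modulus, all big-endian.
    """
    if len(pubkey) < 2:
        raise ValueError("public key too short")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # long form for exponents longer than 255 bytes
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("no modulus present")
    return int.from_bytes(modulus, "big").bit_length()


def normalize_zone(text: str) -> list:
    """Strip ';' comments and join records that are split across lines with ( )."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if pending is not None:
            pending += " " + line
            if ")" in line:
                records.append(pending)
                pending = None
        elif "(" in line and ")" not in line:
            pending = line
        else:
            records.append(line)
    return [re.sub(r"[()]", " ", r) for r in records]


DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)$",
    re.IGNORECASE,
)


def check_dnskeys(zone_text: str) -> list:
    """Evaluate every DNSKEY record in the zone text against the ZSK size rule."""
    results = []
    for record in normalize_zone(zone_text):
        m = DNSKEY_RE.match(record)
        if not m:
            continue  # some other record type
        flags, alg = int(m["flags"]), int(m["alg"])
        key_b64 = re.sub(r"\s+", "", m["key"])
        pubkey = base64.b64decode(key_b64)
        bits = rsa_modulus_bits(pubkey) if alg in RSA_ALGORITHMS else None
        if flags != ZSK_FLAGS:
            status = "NOT-ZSK"        # this rule covers the ZSK only
        elif bits is None:
            status = "MANUAL-NONRSA"  # character-count rule assumes RSA
        elif bits < MIN_ZSK_BITS:
            status = "FINDING"
        else:
            status = "PASS"
        results.append(DnskeyResult(m["owner"], flags, alg, len(key_b64), bits, status))
    return results


def _fake_rsa_key(modulus_bytes: int) -> str:
    """Constructed, not a real key: exponent 65537 plus a synthetic modulus."""
    modulus = bytes([0xC3]) + bytes((i * 37 + 11) % 256 for i in range(modulus_bytes - 1))
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()


_zsk_1024 = _fake_rsa_key(128)
# Constructed zone fragment; every key below is synthetic.
SAMPLE_ZONE = f"""
; constructed zone fragment for the example
example.com.    3600 IN DNSKEY 256 3 8 ( {_zsk_1024[:60]}
                                         {_zsk_1024[60:]} ) ; ZSK, 1024-bit RSA
example.com.    3600 IN DNSKEY 256 3 5 {_fake_rsa_key(64)} ; ZSK, 512-bit RSA
example.com.    3600 IN DNSKEY 257 3 8 {_fake_rsa_key(256)} ; KSK, 2048-bit RSA
example.com.    3600 IN DNSKEY 256 3 13 {base64.b64encode(bytes(range(64))).decode()} ; ZSK, ECDSA P-256
example.com.    3600 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for r in check_dnskeys(SAMPLE_ZONE):
        print(f"{r.owner} flags={r.flags} alg={r.algorithm} b64len={r.base64_length} "
              f"bits={r.modulus_bits} -> {r.status}")
```

Point it at a real zone with `check_dnskeys(open("db.example.com").read())`; any result with status FINDING is a ZSK below the threshold, and MANUAL-NONRSA entries need a separate judgement because 1024 bits is an RSA-specific figure.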
Additional Identifiers
Rule ID: SV-15521r2_rule
Vulnerability ID: V-14764
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |