Check: SRG-APP-000176-DNS-000096
Domain Name System (DNS) SRG:
SRG-APP-000176-DNS-000096
(in versions v4 r1 through v2 r4)
Title
Signature generation using the KSK must be done off-line, using the KSK-private stored off-line. (Cat II impact)
Discussion
Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. Security-relevant information includes, for example, file permissions, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, and shut down).
Check Content
Verify the DNS operational procedures and confirm procedures exist to enforce generating signatures using the KSK are performed off-line, using the KSK-private stored off-line or the secure, protected module. If the procedures do not exist or the procedures do not specify to perform the signature generation off-line from the name server, this is a finding.
Fix Text
Create operation documentation to include the safe management of keys and key storage within the DNS implementation. Include in the documentation steps to ensure signature generation using the KSK are done off-line, using the KSK-private stored off-line or the secure, protected module.
Additional Identifiers
Rule ID: SV-205174r961041_rule
Vulnerability ID: V-205174
Group Title: SRG-APP-000176
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000186 |
For public key-based authentication, enforce authorized access to the corresponding private key. |
Controls
Number | Title |
---|---|
IA-5(2) |
Pki-based Authentication |