STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.

DISA Rule

SV-207566r612253_rule

Vulnerability Number

V-207566

Group Title

SRG-APP-000516-DNS-000500

Rule Version

BIND-9X-001113

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Generate new DNSSEC and TSIG keys.

For DNSSEC keys:

Use the newly generated keys to resign all of the zone files on the name server.

For TSIG keys:

Update the named.conf file with the new keys.

Restart the BIND 9.X process.

Check Contents

With the assistance of the DNS Administrator, identify all of the cryptographic key files used by the BIND 9.x implementation.

With the assistance of the DNS Administrator, determine the location of the cryptographic key files used by the BIND 9.x implementation.

# ls -al <Crypto_Key_Location>
-rw-------. 1 named named 76 May 10 20:35 crypto-example.key

If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable.

For DNSSEC Keys:
Verify that the “Created” date is less than one year from the date of inspection:

Note: The date format will be displayed in YYYYMMDDHHMMSS.

# cat <DNSSEC_Key_File> | grep -i "created"
Created: 20160704235959

If the “Created” date is more than one year old, this is a finding.

For TSIG Keys:

Verify with the ISSO/ISSM that the TSIG keys are less than one year old.

If a TSIG key is more than one year old, this is a finding.
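The check above is manual: read the "Created" line from each key file and compare it against the inspection date. The script below is an added example, not part of the STIG text or of BIND, that automates the DNSSEC portion of that check over a whole key directory. It assumes key files named K*.key / K*.private as dnssec-keygen writes them (the .key file carries "; Created: YYYYMMDDHHMMSS", the .private file "Created: YYYYMMDDHHMMSS"), takes the inspection date as a YYYYMMDDHHMMSS argument, and flags any key created more than one year before it, or any file with no Created line at all, as a finding. The sample keys it audits are constructed for the demo, and the TSIG portion still has to be confirmed with the ISSO/ISSM as the check says.

```shell
#!/bin/sh
# Added example, not part of the STIG text: audit BIND key files for a
# "Created:" timestamp more than one year old (BIND-9X-001113).
# Assumptions (hypothetical): keys are K*.key / K*.private files as written by
# dnssec-keygen; the inspection date ("now") is passed in as YYYYMMDDHHMMSS.

# Print the 14-digit Created timestamp from a key file (empty if absent).
# dnssec-keygen writes "; Created: 20160704235959" in the .key file and
# "Created: 20160704235959" in the .private file; both forms are matched.
created_ts() {
    sed -n 's/^;\{0,1\}[[:space:]]*Created:[[:space:]]*\([0-9]\{14\}\).*/\1/p' "$1" | head -n 1
}

# Timestamp exactly one calendar year before $1, by decrementing the year
# field only. The format is fixed-width and lexically ordered, so a plain
# numeric comparison against this cutoff is correct (Feb 29 included).
one_year_before() {
    year=$(printf '%s' "$1" | cut -c1-4)
    rest=$(printf '%s' "$1" | cut -c5-14)
    printf '%04d%s\n' $((year - 1)) "$rest"
}

# Return 0 (true) if key file $1 is a finding relative to "now" $2:
# created more than one year before $2, or no Created line at all
# (which cannot be verified automatically and must be reviewed by hand).
key_is_finding() {
    ts=$(created_ts "$1")
    [ -z "$ts" ] && return 0
    [ "$ts" -lt "$(one_year_before "$2")" ]
}

# Audit every K*.key / K*.private file under $1; $2 is "now" (defaults to the
# current UTC time). Prints one line per finding; returns the finding count.
audit_key_dir() {
    dir=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    findings=0
    for f in "$dir"/K*.key "$dir"/K*.private; do
        [ -e "$f" ] || continue
        if key_is_finding "$f" "$now"; then
            created=$(created_ts "$f")
            printf 'FINDING: %s (Created: %s, cutoff: %s)\n' \
                "$f" "${created:-none}" "$(one_year_before "$now")"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Stand-alone demo on constructed sample keys (not real keys), using the
# benchmark date 22 Jan 2021 as the inspection date.
demo_dir=$(mktemp -d)
printf '; This is a zone-signing key, keyid 12345, for example.test.\n; Created: 20160704235959\n; Publish: 20160704235959\n' \
    > "$demo_dir/Kexample.test.+008+12345.key"
printf '; This is a zone-signing key, keyid 54321, for example.test.\n; Created: 20200601120000\n' \
    > "$demo_dir/Kexample.test.+008+54321.key"
audit_key_dir "$demo_dir" 20210122000000 || echo "$? key(s) older than one year: rotate and resign"
rm -rf "$demo_dir"
```

Run it against the real key location as `audit_key_dir <Crypto_Key_Location>` with no second argument to use the current date; a non-zero exit status is the number of keys that need the rotation and resigning described under Fix Recommendation. A key created exactly one year before the inspection date is not reported, matching the "more than one year old" wording of the check.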

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

2926

Comments