STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Permissions assigned to the DNSSEC keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.

DISA Rule

SV-207570r612253_rule

Vulnerability Number

V-207570

Group Title

SRG-APP-000231-DNS-000033

Rule Version

BIND-9X-001132

Severity

CAT II

CCI(s)

• CCI-001199 - The information system protects the confidentiality and/or integrity of organization-defined information at rest.

Weight

10

Fix Recommendation

Change the permissions of the DNSSEC key files:

# chmod 400 <DNSSEC_key_file>

Check Contents

If the server is in a classified network, this is Not Applicable.

Verify permissions assigned to the DNSSEC keys enforce read-only access to the key owner and deny access to group or system users:

With the assistance of the DNS Administrator, determine the location of the DNSSEC keys used by the BIND 9.x implementation:

# ls –al <DNSSEC_Key_Location>
-r--------. 1 named named 76 May 10 20:35 DNSSEC-example.key

If the key files are more permissive than 400, this is a finding.

Vulnerability Number

V-207570

Documentable

False

Rule Version

BIND-9X-001132

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

Verify permissions assigned to the DNSSEC keys enforce read-only access to the key owner and deny access to group or system users:

With the assistance of the DNS Administrator, determine the location of the DNSSEC keys used by the BIND 9.x implementation:

# ls –al <DNSSEC_Key_Location>
-r--------. 1 named named 76 May 10 20:35 DNSSEC-example.key

If the key files are more permissive than 400, this is a finding.

Check Content Reference

M

Target Key

2926

Comments