STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The BIND 9.x server private key corresponding to the ZSK pair must be the only DNSSEC key kept on a name server that supports dynamic updates.

DISA Rule

SV-207571r612253_rule

Vulnerability Number

V-207571

Group Title

SRG-APP-000176-DNS-000094

Rule Version

BIND-9X-001133

Severity

CAT I

CCI(s)

• CCI-000186 - The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.

Weight

10

Fix Recommendation

Remove any ZSK private keys existing on the server other than the one corresponding to the active ZSK pair

Check Contents

If the server is in a classified network, this is Not Applicable.

Determine if the BIND 9.x server is configured to allow dynamic updates.

Review the "named.conf" file for any instance of the "allow-update" statement. The following example disables dynamic updates:

allow-update {none;};

If the BIND 9.x implementation is not configured to allow dynamic updates, verify with the SA that the ZSK private key is stored offline. If it is not, this is a finding.

If the BIND 9.x implementation is configured to allow dynamic updates, verify that the ZSK private key is the only key stored on the name server.

For each signed zone file, identify the ZSK "key id" number:

# cat <signed_zone_file> | grep -i "zsk"
ZSK; alg = ECDSAP256SHA256; key id = 22335

Using the ZSK "key id", verify that the only private key stored on the system matches the "key id"

Kexample.com.+008+22335.private

If any ZSK private keys exist on the server other than the one corresponding to the active ZSK pair, this is a finding.

Vulnerability Number

V-207571

Documentable

False

Rule Version

BIND-9X-001133

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

Determine if the BIND 9.x server is configured to allow dynamic updates.

Review the "named.conf" file for any instance of the "allow-update" statement. The following example disables dynamic updates:

allow-update {none;};

If the BIND 9.x implementation is not configured to allow dynamic updates, verify with the SA that the ZSK private key is stored offline. If it is not, this is a finding.

If the BIND 9.x implementation is configured to allow dynamic updates, verify that the ZSK private key is the only key stored on the name server.

For each signed zone file, identify the ZSK "key id" number:

# cat <signed_zone_file> | grep -i "zsk"
ZSK; alg = ECDSAP256SHA256; key id = 22335

Using the ZSK "key id", verify that the only private key stored on the system matches the "key id"

Kexample.com.+008+22335.private

If any ZSK private keys exist on the server other than the one corresponding to the active ZSK pair, this is a finding.

Check Content Reference

M

Target Key

2926

Comments