STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The two files generated by the BIND 9.x server dnssec-keygen program must be owned by the root account, or deleted, after they have been copied to the key file in the name server.

DISA Rule

SV-207573r612253_rule

Vulnerability Number

V-207573

Group Title

SRG-APP-000516-DNS-000086

Rule Version

BIND-9X-001140

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Change the ownership of the keys to the root account.

# chown root <key_file>.

Check Contents

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is owned by "root":

# ls -al
-r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key

If the key file(s) are not owned by root, this is a finding.

Vulnerability Number

V-207573

Documentable

False

Rule Version

BIND-9X-001140

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is owned by "root":

# ls -al
-r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key

If the key file(s) are not owned by root, this is a finding.

Check Content Reference

M

Target Key

2926

Comments