STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Permissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.

DISA Rule

SV-207575r612253_rule

Vulnerability Number

V-207575

Group Title

SRG-APP-000516-DNS-000086

Rule Version

BIND-9X-001142

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Change the permissions of the dnssec-keygen key files:

# chmod 400 <key_file>

Check Contents

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is owned by "root":

# ls -al
-r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key

If the key files are more permissive than 400, this is a finding.

Vulnerability Number

V-207575

Documentable

False

Rule Version

BIND-9X-001142

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is owned by "root":

# ls -al
-r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key

If the key files are more permissive than 400, this is a finding.

Check Content Reference

M

Target Key

2926

Comments