A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use, and it must perform integrity verification and data origin verification for all DNS information.
DISA Rule
SV-207577r612253_rule
Vulnerability Number
V-207577
Group Title
SRG-APP-000213-DNS-000024
Rule Version
BIND-9X-001200
Severity
CAT I
CCI(s)
- CCI-002462 - The information system provides additional data integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
- CCI-002463 - The information system provides data origin artifacts for internal name/address resolution queries.
- CCI-002464 - The information system provides data integrity protection artifacts for internal name/address resolution queries.
- CCI-002465 - The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
- CCI-002466 - The information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources.
- CCI-002467 - The information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.
- CCI-002468 - The information system performs data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.
- CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
- CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
- CCI-001184 - The information system protects the authenticity of communications sessions.
- CCI-001663 - The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
- CCI-001901 - The information system binds the identity of the information producer with the information to an organization-defined strength of binding.
- CCI-001902 - The information system provides the means for authorized individuals to determine the identity of the producer of the information.
- CCI-001904 - The information system validates the binding of the information producer identity to the information at an organization-defined frequency.
- CCI-001178 - The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
Weight
10
Fix Recommendation
Set the "dnssec-enable" option to yes in "named.conf" (on BIND 9.16 and later the option is deprecated and obsolete in later releases, as DNSSEC is always enabled there; the remaining steps still apply).
Sign each zone file that the name server is responsible for, using a separate key-signing key (KSK) and zone-signing key (ZSK).
Configure each zone the name server is responsible for to serve the signed data: point the zone's "file" statement at the signed output (for example the ".signed" file written by dnssec-signzone), or have named maintain the signatures itself with inline signing and a "dnssec-policy" on releases that support it.
Check Contents
If the server is in a classified network, this is Not Applicable.
If the server is forwarding all queries to the ERS, this is Not Applicable as the ERS validates.
Verify that DNSSEC is enabled.
Inspect the "named.conf" file (and any files it includes) for the following:
dnssec-enable yes;
If "dnssec-enable" does not exist or is not set to "yes", this is a finding. On BIND 9.16 and later the option is deprecated and obsolete in later releases, where DNSSEC is always enabled; on those versions the zone-signing check below decides the finding.
Verify that each zone on the name server has been signed.
Identify each zone file that the name server is responsible for (the "file" statement of each zone in "named.conf") and search each file for the "DNSKEY" entries:
# grep -n DNSKEY <signed_zone_file>
86400 DNSKEY 257 3 13 ( HASHED_KEY ) ; KSK; alg = ECDSAP256SHA256; key id = 31225
86400 DNSKEY 256 3 13 ( HASHED_KEY ) ; ZSK; alg = ECDSAP256SHA256; key id = 52179
Ensure that there are separate "DNSKEY" entries for the "KSK" (flags field 257) and the "ZSK" (flags field 256). The algorithm number in the record must agree with the algorithm named in the comment: 13 is ECDSAP256SHA256, 8 is RSASHA256.
A "DNSKEY" record alone shows only that keys were published; also confirm that the file contains "RRSIG" records and that the zone statement in "named.conf" serves this signed file rather than an unsigned copy.
If the "DNSKEY" entries are missing, the zone file is not signed.
If the zone files are not signed, this is a finding.
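The following POSIX shell script is an added example, not part of the STIG text and not BIND's own tooling: it implements the two checks above (the "dnssec-enable" option in named.conf and a KSK plus ZSK DNSKEY in every zone file named.conf serves), adds the stricter RRSIG test, and wraps the fix steps in a function that calls dnssec-keygen and dnssec-signzone. The directory, zone names, key and signature contents are constructed placeholders; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit the conditions this rule checks
# and wrap the signing steps from the fix text.
#   1. named.conf carries an uncommented "dnssec-enable yes;"
#   2. every zone file named.conf serves holds a KSK (flags 257) and a ZSK
#      (flags 256) DNSKEY record and at least one RRSIG, since RRSIGs are what
#      actually prove the data was signed.
# All paths, zone names and record contents below are constructed samples.
set -u

# Remove // and # comments so a commented-out option does not count as present.
strip_comments() { sed -e 's|//.*||' -e 's|#.*||' "$1"; }

# 0 when "dnssec-enable yes;" is set, 1 otherwise.
check_dnssec_enable() {
    strip_comments "$1" | grep -Eq '^[[:space:]]*dnssec-enable[[:space:]]+yes[[:space:]]*;'
}

# Print the "file" path of every zone stanza in named.conf, one per line.
zone_files() {
    strip_comments "$1" | awk '
        /^[ \t]*zone[ \t]+"/ { inzone = 1 }
        inzone && match($0, /file[ \t]+"[^"]+"/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^file[ \t]+"/, "", s); sub(/"$/, "", s); print s
        }
        /};/ { inzone = 0 }'
}

# 0 when the zone file has KSK, ZSK and RRSIG records; prints what is missing.
check_zone_signed() {
    rc=0
    grep -Eq 'DNSKEY[[:space:]]+257[[:space:]]+3[[:space:]]' "$1" || { echo "$1: no KSK (DNSKEY flags 257)"; rc=1; }
    grep -Eq 'DNSKEY[[:space:]]+256[[:space:]]+3[[:space:]]' "$1" || { echo "$1: no ZSK (DNSKEY flags 256)"; rc=1; }
    grep -Eq '[[:space:]]RRSIG[[:space:]]' "$1"                  || { echo "$1: no RRSIG records"; rc=1; }
    return $rc
}

# Audit one named.conf; the return value is the number of findings.
audit() {
    findings=0
    check_dnssec_enable "$1" || { echo "$1: dnssec-enable is not yes"; findings=$((findings + 1)); }
    for zf in $(zone_files "$1"); do
        check_zone_signed "$zf" || findings=$((findings + 1))
    done
    return $findings
}

# Fix steps from the rule using BIND's dnssec-keygen and dnssec-signzone.
# Usage: sign_zone <origin> <zone file> <key dir>; writes <zone file>.signed,
# which the zone's "file" statement in named.conf must then reference.
sign_zone() {
    dnssec-keygen -K "$3" -a ECDSAP256SHA256 -f KSK "$1" >/dev/null
    dnssec-keygen -K "$3" -a ECDSAP256SHA256 "$1" >/dev/null
    dnssec-signzone -S -K "$3" -o "$1" "$2"
}

# --- constructed samples: one signed zone, one unsigned zone ----------------
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/named.conf" <<EOF
options {
    directory "$SAMPLE_DIR";
    dnssec-enable yes;   // option this rule checks for
    dnssec-validation auto;
};
zone "signed.example" { type master; file "$SAMPLE_DIR/db.signed.example.signed"; };
zone "unsigned.example" { type master; file "$SAMPLE_DIR/db.unsigned.example"; };
EOF
# Same config with the option commented out, to show the failing case.
sed 's|^    dnssec-enable yes;|    // dnssec-enable yes;|' "$SAMPLE_DIR/named.conf" >"$SAMPLE_DIR/named-bad.conf"

# Key and signature fields below are placeholder text, not real key material.
cat >"$SAMPLE_DIR/db.signed.example.signed" <<'EOF'
signed.example.  86400 IN SOA  ns1.signed.example. hostmaster.signed.example. 2024010101 7200 3600 1209600 3600
signed.example.  86400 IN NS   ns1.signed.example.
signed.example.  86400 IN DNSKEY 257 3 13 ( PLACEHOLDER_KSK_PUBLIC_KEY ) ; KSK; alg = ECDSAP256SHA256; key id = 31225
signed.example.  86400 IN DNSKEY 256 3 13 ( PLACEHOLDER_ZSK_PUBLIC_KEY ) ; ZSK; alg = ECDSAP256SHA256; key id = 52179
signed.example.  86400 IN RRSIG  DNSKEY 13 2 86400 20240201000000 20240101000000 31225 signed.example. PLACEHOLDER_SIG
signed.example.  86400 IN RRSIG  SOA 13 2 86400 20240201000000 20240101000000 52179 signed.example. PLACEHOLDER_SIG
EOF
cat >"$SAMPLE_DIR/db.unsigned.example" <<'EOF'
unsigned.example. 86400 IN SOA ns1.unsigned.example. hostmaster.unsigned.example. 2024010101 7200 3600 1209600 3600
unsigned.example. 86400 IN NS  ns1.unsigned.example.
EOF

if audit "$SAMPLE_DIR/named.conf"; then echo "no findings"; else echo "findings: $?"; fi
```

Run against a real server, point audit at the live named.conf; the unsigned sample zone produces one finding and the named-bad.conf variant two. The RRSIG test is stricter than the STIG's DNSKEY check on purpose: DNSKEY records can be $INCLUDEd into a zone that was never run through dnssec-signzone, while RRSIGs only appear once signing has happened. On BIND 9.16 and later a zone signed in place with "dnssec-policy" keeps its signatures in the journal or signed copy rather than the original file, so check the file named serves, not the unsigned source.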
Vulnerability Number
V-207577
Documentable
False
Rule Version
BIND-9X-001200
Severity Override Guidance
Check Content Reference
M
Target Key
2926
Comments