STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

A BIND 9.x server implementation must provide the means to indicate the security status of child zones.

DISA Rule

SV-207578r612253_rule

Vulnerability Number

V-207578

Group Title

SRG-APP-000214-DNS-000025

Rule Version

BIND-9X-001310

Severity

CAT II

CCI(s)

• CCI-001179 - The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child zones.

Weight

10

Fix Recommendation

Sign each child zone. During the zone signing process, ensure that a DS record is created and is stored on the Parent zone name server.

Check Contents

If the server is in a classified network, this is Not Applicable.

Verify that there is a DS record set for each child zone defined in "/etc/named.conf" file.

For each child zone listed in "/etc/named.conf" file, verify there is a corresponding "dsset-zone_name" file.

If any child zone does not have a corresponding DS record set, this is a finding.

Vulnerability Number

V-207578

Documentable

False

Rule Version

BIND-9X-001310

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

Verify that there is a DS record set for each child zone defined in "/etc/named.conf" file.

For each child zone listed in "/etc/named.conf" file, verify there is a corresponding "dsset-zone_name" file.

If any child zone does not have a corresponding DS record set, this is a finding.

Check Content Reference

M

Target Key

2926

Comments