STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

A BIND 9.x server validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days and no more than one week.

DISA Rule

SV-207592r612253_rule

Vulnerability Number

V-207592

Group Title

SRG-APP-000516-DNS-000078

Rule Version

BIND-9X-001600

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Resign each zone that is outside of the validity period.

Restart the BIND 9.x process.

Check Contents

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify the RRSIGs that cover the DNSKEY resource record set for each zone.

Each record will list an expiration and inception date, the difference of which will provide the validity period.

The dates are listed in the following format:

YYYYMMDDHHMMSS

For each RRSIG identified, verify that the validity period is no less than two days and is no longer than seven days.

If the validity period is outside of the specified range, this is a finding.

Vulnerability Number

V-207592

Documentable

False

Rule Version

BIND-9X-001600

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify the RRSIGs that cover the DNSKEY resource record set for each zone.

Each record will list an expiration and inception date, the difference of which will provide the validity period.

The dates are listed in the following format:

YYYYMMDDHHMMSS

For each RRSIG identified, verify that the validity period is no less than two days and is no longer than seven days.

If the validity period is outside of the specified range, this is a finding.

Check Content Reference

M

Target Key

2926

Comments