STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 22 Jan 2021

On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.

DISA Rule

SV-207598r612253_rule

Vulnerability Number

V-207598

Group Title

SRG-APP-000516-DNS-000102

Rule Version

BIND-9X-001621

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Remove the local root zone file from the name server.

Check Contents

If this server is a caching name server, this is Not Applicable.

Ensure there is not a local root zone on the name server.

Inspect the "named.conf" file for the following:

zone "." IN {
    type hint;
    file "<file_name>";
};

If the identified file exists or is not empty, this is a finding.
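
The check above can be scripted. The following is an added example, not part of the STIG or of BIND: it finds every zone "." block of type hint in the text of named.conf and reports whether the referenced file is missing, empty or populated. The function names, the base_dir parameter (the directory that relative file names resolve against) and the strict switch are assumptions made for this example.

```python
import os
import re

# zone "." [IN] { ... }  (root zone block without nested braces)
ROOT_ZONE_RE = re.compile(r'zone\s+"\."\s*(?:IN\s*)?\{([^{}]*)\}', re.IGNORECASE)

def root_hint_files(conf_text):
    """Return the file names of every zone "." block declared as type hint."""
    # Drop /* */, // and # comments (simplified: assumes no comment markers inside quotes).
    text = re.sub(r'/\*.*?\*/', '', conf_text, flags=re.DOTALL)
    text = re.sub(r'(?m)(//|#).*$', '', text)
    files = []
    for block in ROOT_ZONE_RE.findall(text):
        if re.search(r'\btype\s+hint\s*;', block, re.IGNORECASE):
            files += re.findall(r'\bfile\s+"([^"]*)"', block)
    return files

def check_root_hints(conf_text, base_dir, caching=False, strict=False):
    """Return (status, {path: state}) for the BIND-9X-001621 check.

    base_dir is an assumption: the caller supplies the directory that
    relative file names in named.conf resolve against.
    strict=False follows the rule title (an empty file is acceptable);
    strict=True follows the literal check text (any existing file is a finding).
    """
    if caching:
        return "not_applicable", {}
    states = {}
    for name in root_hint_files(conf_text):
        path = os.path.join(base_dir, name)
        if not os.path.exists(path):
            states[path] = "missing"
        elif os.path.getsize(path) == 0:
            states[path] = "empty"
        else:
            states[path] = "populated"
    bad = {"populated", "empty"} if strict else {"populated"}
    finding = any(state in bad for state in states.values())
    return ("finding" if finding else "not_a_finding"), states

if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real server.
    sample = 'zone "." IN {\n    type hint;\n    file "named.ca";\n};\n'
    print(check_root_hints(sample, "/var/named"))
```

The per-file states let a reviewer see why a result was reached, including the case where the rule title and the check text differ on an existing but empty file.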

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments