STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

On the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months.

DISA Rule

SV-207600r612253_rule

Vulnerability Number

V-207600

Group Title

SRG-APP-000516-DNS-000114

Rule Version

BIND-9X-001701

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

In the case of third-party CDNs or cloud offerings, document the mission need with the AO.

Edit the zone file.

Remove CNAME records that are older than six months that do not meet the CDN or cloud offering criteria.

Restart the BIND 9.x process.

Check Contents

Verify that the zone files used by the BIND 9.x server do not contain resource records for a domain in which the server is not authoritative.

Inspect the "named.conf" file for the following:

zone "example.com" {
    type master;
    file "db.example.com.signed";
};

Inspect each zone file for "CNAME" records and verify with the DNS administrator that these records are less than 6 months old.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDNs) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated.

If there are CNAME records that point to third-party Content Delivery Networks (CDNs) or cloud computing platforms without an AO-approved and documented mission need, this is a finding.

If a CNAME record is more than six months old, excluding the above, this is a finding.
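One way to script the check above, as added example code that is not part of the STIG or of STIGQter: it parses a constructed zone file for CNAME records and applies the two finding conditions against an assumed inventory of record dates and exception categories, because a zone file itself carries no record age and that information must come from the DNS administrator.

```python
"""Audit CNAME records in a BIND zone file for BIND-9X-001701 (example code, not from the STIG)."""
from datetime import date, timedelta
import re

# Constructed sample zone file; only the CNAME lines matter to this check.
ZONE_FILE = """\
$ORIGIN example.com.
ns1     IN A     192.0.2.53
www     IN CNAME web01.example.com.            ; internal alias, long-lived
legacy  IN CNAME app.old.example.com.          ; supports a system migration
cdn     IN CNAME d1234.cdn-provider.example.   ; third-party CDN, AO-approved
blog    IN CNAME blog.cloud-provider.example.  ; cloud platform, no AO approval
"""

# Constructed inventory (format assumed): owner -> (date added, category, AO mission need documented)
INVENTORY = {
    "www":    (date(2020, 3, 1),  "internal",  False),
    "legacy": (date(2020, 1, 15), "migration", False),
    "cdn":    (date(2019, 6, 30), "cdn_cloud", True),
    "blog":   (date(2019, 6, 30), "cdn_cloud", False),
}

# Assumes each CNAME line begins with its owner name; TTL and class are optional.
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)
SIX_MONTHS = timedelta(days=183)  # approximation of six months

def parse_cnames(zone_text):
    """Return [(owner, target)] for every CNAME record, ignoring ';' comments."""
    out = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.split(";", 1)[0])
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def audit_cnames(zone_text, inventory, today):
    """Apply the STIG's finding conditions; returns {owner: reason}."""
    findings = {}
    for owner, target in parse_cnames(zone_text):
        added, category, approved = inventory.get(owner, (None, "unknown", False))
        if category == "cdn_cloud" and not approved:
            findings[owner] = f"CDN/cloud CNAME to {target} lacks a documented AO mission need"
        elif category in ("cdn_cloud", "migration"):
            continue  # approved CDN/cloud CNAMEs and migration CNAMEs are exempt from the age limit
        elif added is None or today - added > SIX_MONTHS:  # an undocumented age is also a finding
            findings[owner] = f"CNAME to {target} older than six months (added {added})"
    return findings

def run_sample():  # audit the constructed zone as of the benchmark date, 22 Jan 2021
    return audit_cnames(ZONE_FILE, INVENTORY, date(2021, 1, 22))
```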

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments