STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input.

DISA Rule

SV-207558r612253_rule

Vulnerability Number

V-207558

Group Title

SRG-APP-000447-DNS-000068

Rule Version

BIND-9X-001060

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Enable DNSSEC validation on the name server.

Set the "dnssec-validation" sub statement in the global options block to "yes".
Set the "dnssec-enable" sub statement to "yes".

Configure the "managed-keys" statement to use the root domains trust anchor.

Restart the BIND 9.x process.

Check Contents

If the server is not a caching name server, this is Not Applicable.

If the server is in a classified network, this is Not Applicable.

If the caching name server is only forwarding to the DISA ERS for query resolution and is not authoritative for any zones, DNSSEC awareness is not required since the ERS is validating.

Verify the server is configured to use DNSSEC validation for all DNS queries.

Inspect the "named.conf" file for the following:

options {
    dnssec-validation yes;
    dnssec-enable yes; (this requirement is enforced with BIND-9X-001200.)
};
managed-keys { "." initial-key 257 3 8 "<root-trust-anchor-data>"; };

If "dnssec-enable" is not set to "yes" or is missing, this is a finding.

If "dnssec-validation" is not set to "yes" or is missing, this is a finding.

If the "managed-keys" statement is missing, this is a finding.

Note: The <root-trust-anchor-data> should be replaced with the actual trust anchor.
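The following is an added compliance checker, not part of the STIG or of BIND itself, that applies the Fix Recommendation and Check Contents above to the text of a named.conf: it strips BIND's three comment styles, reads "dnssec-validation" and "dnssec-enable" from the global options block, confirms a "managed-keys" statement exists, and flags the placeholder trust anchor. The sample configuration, function names and the brace-matching approach are assumptions for illustration.

```python
import re

# Constructed sample named.conf (not from the STIG). "dnssec-enable" is
# deliberately commented out so the checker reports a finding for it.
SAMPLE_NAMED_CONF = """\
// constructed sample for illustration only
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation yes;
    # dnssec-enable yes;
};
managed-keys {
    "." initial-key 257 3 8 "<root-trust-anchor-data>";
};
"""

def strip_comments(text):
    """Remove the three comment styles BIND accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def block_body(text, keyword):
    """Return the body of the top-level 'keyword { ... };' block, or None if absent."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:          # walk nested braces to the matching '}'
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None

def option_value(body, name):
    """Return the value of 'name value;' inside an options body, or None if missing."""
    m = re.search(r"\b" + re.escape(name) + r"\s+([^\s;]+)\s*;", body)
    return m.group(1) if m else None

def check_dnssec_validation(conf):
    """Evaluate BIND-9X-001060 against named.conf text; an empty list means no finding."""
    text = strip_comments(conf)
    findings = []
    opts = block_body(text, "options") or ""
    for name in ("dnssec-validation", "dnssec-enable"):
        val = option_value(opts, name)
        if val is None:
            findings.append(f'"{name}" is missing from the options block')
        elif val.lower() != "yes":          # the STIG requires the literal value "yes"
            findings.append(f'"{name}" is set to "{val}", not "yes"')
    keys = block_body(text, "managed-keys")
    if keys is None:
        findings.append('"managed-keys" statement is missing')
    elif "<root-trust-anchor-data>" in keys:
        findings.append('"managed-keys" still contains the placeholder trust anchor')
    return findings
```

Run it against the real file with `check_dnssec_validation(open("/etc/named.conf").read())`; the path to named.conf varies by distribution.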

Vulnerability Number

V-207558

Documentable

False

Rule Version

BIND-9X-001060

Severity Override Guidance


Check Content Reference

M

Target Key

2926

Comments