STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.

DISA Rule

SV-207561r612253_rule

Vulnerability Number

V-207561

Group Title

SRG-APP-000158-DNS-000015

Rule Version

BIND-9X-001100

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the BIND 9.x server to use TSIG keys.

Add a key statement to the "named.conf" file for TSIG that is being used:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

Add key statements to the allow-transfer statements on a master name server:

allow-transfer { key tsig_example.; };

Add key statements to the server statements on a secondary name server:

server <ip_address> {
keys { tsig_example };
};

Restart the BIND 9.x process.

Check Contents

If zone transfers are disabled with the "allow-transfer { none; };" directive, this is Not Applicable.
If the server is in a classified network, this is Not Applicable.

Verify that the BIND 9.x server is configured to uniquely identify a name server before responding to a zone transfer.

Inspect the "named.conf" file for the presence of TSIG key statements:

On the master name server, this is an example of a configured key statement:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

zone "disa.mil" {
type master;
file "db.disa.mil";
allow-transfer { key tsig_example.; };
};

On the slave name server, this is an example of a configured key statement:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

server <ip_address> {
keys { tsig_example };
};

zone "disa.mil" {
type slave;
masters { <ip_address>; };
file "db.disa.mil";
};

If a master name server does not have a key defined in the "allow-transfer" block, this is a finding.

If a secondary name server does not have a server statement that contains a "keys" substatement, this is a finding.
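As an added example (not part of the STIG or of BIND itself), a small Python checker that applies the two findings above to the text of a named.conf: master zones whose allow-transfer ACL has no key clause, and slave zones whose masters have no server statement with a keys substatement. The configuration fragments are constructed for the example, and only zone-level allow-transfer ACLs are inspected (an options-level default is not consulted).

```python
import re
# Constructed sample named.conf fragments (not taken from the STIG page).
PRIMARY_OK = """
key tsig_example. { algorithm hmac-sha256; include "tsig-example.key"; };
zone "example.test" { type master; file "db.example.test"; allow-transfer { key tsig_example.; }; };
"""
PRIMARY_BAD = """
zone "example.test" { type master; file "db.example.test"; allow-transfer { 192.0.2.10; }; };
"""
SECONDARY_OK = """
key tsig_example. { algorithm hmac-sha256; include "tsig-example.key"; };
server 192.0.2.1 { keys { tsig_example }; };
zone "example.test" { type slave; masters { 192.0.2.1; }; file "db.example.test"; };
"""

def _body(text, brace_pos):
    """Return the text inside the brace at brace_pos, honouring nested braces."""
    depth = 0
    for i in range(brace_pos, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[brace_pos + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def _statements(text, kind):
    """Return (name, body) for each statement of the form: kind name { ... }."""
    pat = re.compile(r"\b" + kind + r'\s+"?([^\s"{]+)"?\s*\{')
    return [(m.group(1), _body(text, m.end() - 1)) for m in pat.finditer(text)]

def check_named_conf(conf):
    """Return findings per BIND-9X-001100 (zone-level ACLs only); [] means no finding."""
    conf = re.sub(r"/\*.*?\*/|(?://|#)[^\n]*", "", conf, flags=re.S)  # drop comments
    findings = []
    # addresses that have a server statement carrying a keys substatement
    keyed = {n for n, b in _statements(conf, "server") if re.search(r"\bkeys\s*\{", b)}
    for name, body in _statements(conf, "zone"):
        ztype = re.search(r"\btype\s+(\w+)", body)
        if ztype and ztype.group(1) in ("master", "primary"):
            acl = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
            if acl and acl.group(1).strip() == "none;":
                continue  # transfers disabled for this zone: Not Applicable
            if not (acl and re.search(r"\bkey\s+\S", acl.group(1))):
                findings.append(f"zone {name}: allow-transfer has no key clause")
        elif ztype and ztype.group(1) in ("slave", "secondary"):
            masters = re.search(r"\b(?:masters|primaries)\s*\{([^}]*)\}", body)
            for entry in (masters.group(1).split(";") if masters else []):
                toks = entry.split()  # e.g. "192.0.2.1" or "192.0.2.1 key tsig_example"
                if toks and "key" not in toks and toks[0] not in keyed:
                    findings.append(f"zone {name}: no server {toks[0]} statement with keys substatement")
    return findings
```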

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments