STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.

DISA Rule

SV-207562r612253_rule

Vulnerability Number

V-207562

Group Title

SRG-APP-000158-DNS-000015

Rule Version

BIND-9X-001106

Severity

CAT II

CCI(s)

• CCI-000778 - The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.

Weight

10

Fix Recommendation

Create a separate TSIG key-pair for each key statement listed in the named.conf file.

Configure the name server to utilize separate TSIG key-pairs for each key statement listed in the named.conf file.

Restart the BIND 9.x process.

Check Contents

Verify that the BIND 9.x server is configured to utilize separate TSIG key-pairs when securing server-to-server transactions.
Inspect the "named.conf" file for the presence of TSIG key statements:

On the master name server, this is an example of a configured key statement:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

zone "disa.mil" {
type master;
file "db.disa.mil";
allow-transfer { key tsig_example.; };
};

On the slave name server, this is an example of a configured key statement:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

server <ip_address> {
keys { tsig_example };
};

zone "disa.mil" {
type slave;
masters { <ip_address>; };
file "db.disa.mil";
};

Verify that each TSIG key-pair listed is only used by a single key statement:
# cat <tsig_key_file>

If any TSIG key-pair is being used by more than one key statement, this is a finding.

Vulnerability Number

V-207562

Documentable

False

Rule Version

BIND-9X-001106

Severity Override Guidance

Verify that the BIND 9.x server is configured to utilize separate TSIG key-pairs when securing server-to-server transactions.
Inspect the "named.conf" file for the presence of TSIG key statements:

On the master name server, this is an example of a configured key statement:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

zone "disa.mil" {
type master;
file "db.disa.mil";
allow-transfer { key tsig_example.; };
};

On the slave name server, this is an example of a configured key statement:

key tsig_example. {
algorithm hmac-SHA1;
include "tsig-example.key";
};

server <ip_address> {
keys { tsig_example };
};

zone "disa.mil" {
type slave;
masters { <ip_address>; };
file "db.disa.mil";
};

Verify that each TSIG key-pair listed is only used by a single key statement:
# cat <tsig_key_file>

If any TSIG key-pair is being used by more than one key statement, this is a finding.

Check Content Reference

M

Target Key

2926

Comments