STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.

DISA Rule

SV-207567r612253_rule

Vulnerability Number

V-207567

Group Title

SRG-APP-000514-DNS-000075

Rule Version

BIND-9X-001120

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Create new DNSSEC and TSIG keys using a FIPS 180-3 approved cryptographic algorithm that meets or exceeds the strength of SHA256.

Check Contents

Verify that the DNSSEC and TSIG keys used by the BIND 9.x implementation are FIPS 180-3 compliant.

If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable.

DNSSEC KEYS:

Inspect the "named.conf" file and identify all of the DNSSEC signed zone files:

zone "example.com" {
file "signed_zone_file";
};

For each signed zone file identified, inspect the file for the "DNSKEY" records:

86400 DNSKEY 257 3 8 (
<KEY HASH>
) ; KSK;
86400 DNSKEY 256 3 8 (
<KEY HASH>
) ; ZSK;

The fifth field in the above example identifies what algorithm was used to create the DNSKEY.

If the fifth field of the KSK DNSKEY is less than "8" (SHA256), this is a finding.

If the algorithm used to create the ZSK is less than "8" (SHA256), this is a finding.

TSIG KEYS:

Inspect the "named.conf" file and identify all of the TSIG key statements:

key tsig_example. {
algorithm hmac-SHA256;
include "tsig-example.key";
};

If each key statement does not use "hmac-SHA256" or a stronger algorithm, this is a finding.
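As an added example (not part of the STIG or of STIGQter), the check above expressed as a script: it pulls the zone file names and TSIG key statements out of named.conf text, reads the fifth field of each DNSKEY record, and reports the same findings the procedure describes. The named.conf and zone-file text, the key names and the placeholder key hashes are constructed, and reading "hmac-SHA256 or stronger" as the SHA-2 HMACs of 256 bits and up is an assumption.

```python
import re

# Constructed sample inputs (not from any real server); key material is replaced by placeholders.
SAMPLE_NAMED_CONF = '''
zone "example.com" {
    file "signed_zone_file";
};
key tsig_example. {
    algorithm hmac-SHA256;
    include "tsig-example.key";
};
key legacy_xfer. {
    algorithm hmac-md5;
    secret "PLACEHOLDER==";
};
'''
SAMPLE_ZONE_FILE = '''
example.com. 86400 IN DNSKEY 257 3 8 (
        PLACEHOLDER_KSK_KEY_HASH ) ; KSK
example.com. 86400 IN DNSKEY 256 3 5 (
        PLACEHOLDER_ZSK_KEY_HASH ) ; ZSK
'''
MIN_DNSKEY_ALG = 8  # RSASHA256; the STIG treats any DNSKEY algorithm number below this as a finding
STRONG_TSIG = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}  # assumed reading of "hmac-SHA256 or stronger"

def signed_zone_files(named_conf):
    """Map zone name -> zone file for each zone statement (assumes no nested blocks in the zone)."""
    return dict(re.findall(r'\bzone\s+"([^"]+)"\s*\{[^}]*?\bfile\s+"([^"]+)"', named_conf))

def dnskey_records(zone_text):
    """Return (flags, algorithm) per DNSKEY RR: the fifth field of the STIG's example is the algorithm."""
    return [(int(f), int(a)) for f, _, a in re.findall(r"\bDNSKEY\s+(\d+)\s+(\d+)\s+(\d+)", zone_text)]

def tsig_keys(named_conf):
    """Map TSIG key name -> lower-cased algorithm for each key statement in named.conf."""
    pairs = re.findall(r'\bkey\s+"?([^\s"{]+)"?\s*\{[^}]*?\balgorithm\s+([\w-]+)\s*;', named_conf)
    return {name: alg.lower() for name, alg in pairs}

def findings(named_conf, zone_text):
    """Apply the BIND-9X-001120 check to one named.conf and one signed zone file's text."""
    out = []
    for flags, alg in dnskey_records(zone_text):
        role = "KSK" if flags & 1 else "ZSK"  # SEP bit set (257) marks the KSK, clear (256) the ZSK
        if alg < MIN_DNSKEY_ALG:
            out.append(f"{role} uses DNSKEY algorithm {alg} (< {MIN_DNSKEY_ALG}): finding")
    for name, alg in tsig_keys(named_conf).items():
        if alg not in STRONG_TSIG:
            out.append(f"TSIG key {name} uses {alg}, not hmac-SHA256 or stronger: finding")
    return out
```

Run findings() over the real named.conf and each zone file that signed_zone_files() returns; on the constructed input it flags the algorithm-5 ZSK and the hmac-md5 key while passing the KSK and the hmac-SHA256 key.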

Vulnerability Number

V-207567

Documentable

False

Rule Version

BIND-9X-001120

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments