STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

On the BIND 9.x server the private keys corresponding to both the ZSK and the KSK must not be kept on the BIND 9.x DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.

DISA Rule

SV-207572r612253_rule

Vulnerability Number

V-207572

Group Title

SRG-APP-000516-DNS-000112

Rule Version

BIND-9X-001134

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Remove any ZSK or KSK private key from any BIND 9.x server that does not support dynamic updates.

Note: Any ZSK or KSK that is not needed to support dynamic updates should be stored offline in a secure location.

Check Contents

If the server is in a classified network, this is Not Applicable.

Determine if the BIND 9.x server is configured to allow dynamic updates.

Review the "named.conf" file for any instance of the "allow-update" statement. The following example disables dynamic updates:

allow-update {none;};

If the BIND 9.x implementation is not configured to allow dynamic updates, verify with the SA that the private ZSKs and private KSKs are stored offline, if not, this is a finding.

Vulnerability Number

V-207572

Documentable

False

Rule Version

BIND-9X-001134

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

Determine if the BIND 9.x server is configured to allow dynamic updates.

Review the "named.conf" file for any instance of the "allow-update" statement. The following example disables dynamic updates:

allow-update {none;};

If the BIND 9.x implementation is not configured to allow dynamic updates, verify with the SA that the private ZSKs and private KSKs are stored offline, if not, this is a finding.

Check Content Reference

M

Target Key

2926

Comments