STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.

DISA Rule

SV-207576r612253_rule

Vulnerability Number

V-207576

Group Title

SRG-APP-000176-DNS-000096

Rule Version

BIND-9X-001150

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Remove all private KSKs from the name server and ensure that they are stored offline in a secure location.

Check Contents

If the server is in a classified network, this is Not Applicable.

Ensure that there are no private KSKs stored on the name sever.

With the assistance of the DNS Administrator, obtain a list of all DNSSEC private keys that are stored on the name server.

Inspect the signed zone files(s) and look for the KSK key id:

DNSKEY 257 3 8 ( <hash_algorithm) ; KSK ; alg = ECDSAP256SHA256; key id = 52807

Verify that none of the identified private keys, are KSKs.

An example private KSK would look like the following:

Kexample.com.+008+52807.private

If there are private KSKs stored on the name server, this is a finding.

Vulnerability Number

V-207576

Documentable

False

Rule Version

BIND-9X-001150

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

Ensure that there are no private KSKs stored on the name sever.

With the assistance of the DNS Administrator, obtain a list of all DNSSEC private keys that are stored on the name server.

Inspect the signed zone files(s) and look for the KSK key id:

DNSKEY 257 3 8 ( <hash_algorithm) ; KSK ; alg = ECDSAP256SHA256; key id = 52807

Verify that none of the identified private keys, are KSKs.

An example private KSK would look like the following:

Kexample.com.+008+52807.private

If there are private KSKs stored on the name server, this is a finding.

Check Content Reference

M

Target Key

2926

Comments