STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use, and it must perform integrity verification and data origin verification for all DNS information.

DISA Rule

SV-207577r612253_rule

Vulnerability Number

V-207577

Group Title

SRG-APP-000213-DNS-000024

Rule Version

BIND-9X-001200

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Set the "dnssec-enable" option to yes.

Sign each zone file that the name server is responsible for.

Configure each zone the name server is responsible for to use a DNSSEC signed zone.

Check Contents

If the server is in a classified network, this is Not Applicable.
If the server is forwarding all queries to the ERS, this is Not Applicable as the ERS validates.

Verify that DNSSEC is enabled.

Inspect the "named.conf" file for the following:

dnssec-enable yes;

If "dnssec-enable" does not exist or is not set to "yes", this is a finding.

Verify that each zone on the name server has been signed.

Identify each zone file that the name server is responsible for and search each file for the "DNSKEY" entries:

# less <signed_zone_file>
86400 DNSKEY 257 3 8 ( HASHED_KEY ) ; KSK; alg = ECDSAP256SHA256; key id = 31225
86400 DNSKEY 256 3 8 ( HASHED_KEY ) ; ZSK; alg = ECDSAP256SHA256; key id = 52179

Ensure that there are separate "DNSKEY" entries for the "KSK" and the "ZSK".

If the "DNSKEY" entries are missing, the zone file is not signed.
If the zone files are not signed, this is a finding.
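The two verifications above can be scripted. The POSIX shell audit below is an added example, not part of the STIG or of STIGQter: it checks a named.conf for an uncommented "dnssec-enable yes;" option and each zone file for separate KSK (flags 257) and ZSK (flags 256) DNSKEY records, reporting a finding for whatever fails. File paths and the key material in the sample inputs are constructed placeholders.

```sh
#!/bin/sh
# Added compliance check for BIND-9X-001200; not part of the STIG text.
# Audits named.conf for "dnssec-enable yes;" and zone files for KSK/ZSK DNSKEY records.

# Returns 0 if the file has an uncommented "dnssec-enable yes;" option.
# Only single-line // and # comments are stripped; files pulled in with
# "include" are not followed, so pass each included file explicitly.
check_dnssec_enabled() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" |
        grep -Eq '(^|[^[:alnum:]-])dnssec-enable[[:space:]]+yes[[:space:]]*;'
}

# Returns 0 if the zone file has both a KSK (257) and a ZSK (256) DNSKEY
# record; a signed zone carries both, an unsigned zone carries neither.
check_zone_signed() {
    grep -Eq '[[:space:]]DNSKEY[[:space:]]+257[[:space:]]+3[[:space:]]' "$1" &&
    grep -Eq '[[:space:]]DNSKEY[[:space:]]+256[[:space:]]+3[[:space:]]' "$1"
}

# Usage: audit_bind <named.conf> <zone file>...  Prints one line per
# failed check and returns 1 if any check failed ("this is a finding").
audit_bind() {
    conf="$1"; shift; rc=0
    check_dnssec_enabled "$conf" ||
        { echo "FINDING: dnssec-enable missing or not yes in $conf"; rc=1; }
    for zone in "$@"; do
        check_zone_signed "$zone" ||
            { echo "FINDING: no KSK/ZSK DNSKEY records in $zone (unsigned)"; rc=1; }
    done
    return $rc
}

# Constructed sample inputs (placeholder key material, not real keys).
workdir=$(mktemp -d); trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/named.conf" <<'EOF'
options {
    // dnssec-enable no;   commented out, must not be matched
    dnssec-enable yes;
};
EOF
cat > "$workdir/signed.zone" <<'EOF'
example.test. 86400 IN DNSKEY 257 3 8 ( PLACEHOLDER_KSK_KEY ) ; KSK; key id = 31225
example.test. 86400 IN DNSKEY 256 3 8 ( PLACEHOLDER_ZSK_KEY ) ; ZSK; key id = 52179
EOF
printf 'example.test. 86400 IN SOA ns1.example.test. admin.example.test. 1 3600 900 1209600 300\n' \
    > "$workdir/unsigned.zone"
audit_bind "$workdir/named.conf" "$workdir/signed.zone" "$workdir/unsigned.zone" ||
    echo "Result: finding"
```

Run it against the real named.conf (plus any included option files) and every zone file the server is authoritative for; a non-zero exit status means at least one check in this rule is a finding.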

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments