STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The BIND 9.x server validity period for the RRSIGs covering the DS RR for zones delegated children must be no less than two days and no more than one week.

DISA Rule

SV-207579r612253_rule

Vulnerability Number

V-207579

Group Title

SRG-APP-000214-DNS-000079

Rule Version

BIND-9X-001311

Severity

CAT II

CCI(s)

• CCI-001179 - The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child zones.

Weight

10

Fix Recommendation

Resign the child zone files and have the zone administrator provide updated DS resource records for the child zone.

Check Contents

If the server is in a classified network, this is Not Applicable.
Note: This requirement does not validate the sig-validity-interval. This requirement ensures the signature validity period (i.e., the time from the signature’s inception until the signature’s expiration). It is recommended to ensure the Start of Authority (SOA) expire period (how long a secondary will still treat its copy of the zone data as valid if it cannot contact the primary.) is configured to ensure the SOA does not expire during the period of signature inception and signature expiration.

With the assistance of the DNS Administrator, identify the RRSIGs that cover the DS resource records for each child zone.

Each record will list an expiration and inception date, the difference of which will provide the validity period.

The dates are listed in the following format:

YYYYMMDDHHMMSS

For each RRSIG identified, verify that the validity period is no less than two days and is no longer than seven days.

If the validity period is outside of the specified range, this is a finding.

Vulnerability Number

V-207579

Documentable

False

Rule Version

BIND-9X-001311

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.
Note: This requirement does not validate the sig-validity-interval. This requirement ensures the signature validity period (i.e., the time from the signature’s inception until the signature’s expiration). It is recommended to ensure the Start of Authority (SOA) expire period (how long a secondary will still treat its copy of the zone data as valid if it cannot contact the primary.) is configured to ensure the SOA does not expire during the period of signature inception and signature expiration.

With the assistance of the DNS Administrator, identify the RRSIGs that cover the DS resource records for each child zone.

Each record will list an expiration and inception date, the difference of which will provide the validity period.

The dates are listed in the following format:

YYYYMMDDHHMMSS

For each RRSIG identified, verify that the validity period is no less than two days and is no longer than seven days.

If the validity period is outside of the specified range, this is a finding.

Check Content Reference

M

Target Key

2926

Comments