STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

A BIND 9.x server must use NSEC3 for all internal DNS zones.

DISA Rule

SV-207593r612253_rule

Vulnerability Number

V-207593

Group Title

SRG-APP-000516-DNS-000084

Rule Version

BIND-9X-001610

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Re-sign each internal zone that is missing NSEC records, using NSEC3 as the rule requires.

Restart the BIND 9.x process.

Check Contents

If the server is in a classified network, this is Not Applicable. If the server is on an internal, restricted network with reserved IP space, this is Not Applicable.

With the assistance of the DNS Administrator, identify each internal DNS zone listed in the "named.conf" file.

For each internal zone identified, inspect the signed zone file for NSEC resource records, for example:

86400 NSEC example.com. A RRSIG NSEC

A zone signed with NSEC3, as the rule title requires, carries NSEC3 records (whose owner names are hashed labels) and an NSEC3PARAM record at the zone apex instead of NSEC records, so a search for the literal type NSEC alone would miss a compliant zone. If the zone is signed in-line (the "inline-signing" option or a "dnssec-policy"), the file named in "named.conf" stays unsigned and the signed data is kept in the ".signed" copy BIND writes beside it; inspect that copy, or query the running server for the zone's NSEC3PARAM record.

If the zone file contains neither NSEC nor NSEC3 records for the zone, this is a finding.
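The check above is easy to script across many zones. The following is an added audit script, not part of the STIG or of BIND: it walks the zone statements of a "named.conf", reads each primary zone's file and classifies the zone as NSEC3-signed, NSEC-signed or unsigned, reporting unsigned zones as findings. The configuration and zone files it ships with are constructed samples; the NSEC3 hashes and the RRSIG data in them are placeholders, not valid DNSSEC material, and the script name used in the usage comment is assumed.

```python
"""Audit BIND primary zones for NSEC/NSEC3 records. Added example, not part of
the STIG or of BIND: parse the zone statements of a named.conf, read each
primary zone's file, report nsec3 / nsec / unsigned (unsigned = finding)."""
import re
import sys
from pathlib import Path

# zone "name" [IN] { ... };  (tolerates one nested brace level, e.g. masters { })
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{((?:[^{}]|\{[^{}]*\})*)\}', re.I)
DIRECTORY_RE = re.compile(r'directory\s+"([^"]+)"', re.I)
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)
CLASSES = {"IN", "CH", "HS"}

def records(zone_text):
    """Yield logical records, joining RDATA wrapped across lines in ( )."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # drop comments (naive for TXT)
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0

def rr_type(record):
    """RR type of one logical record, or None for blank lines and $directives."""
    if not record.strip() or record.lstrip().startswith("$"):
        return None
    tokens = record.replace("(", " ").replace(")", " ").split()
    if not record[0].isspace():
        tokens = tokens[1:]                    # explicit owner name present
    while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES):
        tokens = tokens[1:]                    # optional TTL and class
    return tokens[0].upper() if tokens else None

def classify(zone_text):
    """Return (status, counts): 'nsec3' beats 'nsec'; neither means 'unsigned'."""
    counts = {"NSEC": 0, "NSEC3": 0, "NSEC3PARAM": 0}
    for rec in records(zone_text):
        t = rr_type(rec)
        if t in counts:
            counts[t] += 1
    status = "nsec3" if counts["NSEC3"] else "nsec" if counts["NSEC"] else "unsigned"
    return status, counts

def audit(named_conf, read_file, require_nsec3=False):
    """{zone: (status, finding)} for each primary zone; read_file(path) -> text.
    require_nsec3=True also flags NSEC-only zones, as the rule title demands."""
    base = Path(m.group(1)) if (m := DIRECTORY_RE.search(named_conf)) else Path(".")
    results = {}
    for name, body in ZONE_RE.findall(named_conf):
        ztype = re.search(r"\btype\s+(\w+)", body, re.I)
        zfile = re.search(r'\bfile\s+"([^"]+)"', body, re.I)
        if not (ztype and zfile) or ztype.group(1).lower() not in ("master", "primary"):
            continue                           # hints/secondaries are not signed here
        status, _ = classify(read_file(str(base / zfile.group(1))))
        results[name] = (status, status == "unsigned" or (require_nsec3 and status == "nsec"))
    return results

# Constructed samples (not a real server); NSEC3 hashes and RRSIG are placeholders.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
zone "." { type hint; file "named.ca"; };
zone "corp.example." IN { type master; file "corp.example.signed"; };
zone "legacy.example." { type primary; file "legacy.example.signed"; };
zone "unsigned.example." { type master; file "unsigned.example.db"; };
"""
SAMPLE_ZONE_FILES = {
    "corp.example.signed": """\
$ORIGIN corp.example.
$TTL 3600
@   IN SOA ns1 hostmaster 2024010101 3600 900 1209600 3600
    IN NSEC3PARAM 1 0 10 ABCD1234
ns1 IN A 10.1.1.53
0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM IN NSEC3 1 0 10 ABCD1234 (
        2T7B4G4VSA5SMI4KEHEPSNGR4J6G67LP SOA RRSIG DNSKEY NSEC3PARAM )
2T7B4G4VSA5SMI4KEHEPSNGR4J6G67LP IN NSEC3 1 0 10 ABCD1234 (
        0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM A RRSIG )
""",
    "legacy.example.signed": """\
$ORIGIN legacy.example.
@   3600 IN SOA ns1 hostmaster 2024010101 3600 900 1209600 3600
    86400 IN NSEC ns1.legacy.example. SOA RRSIG NSEC DNSKEY
    86400 IN RRSIG NSEC 13 3 86400 20240301000000 20240201000000 12345 legacy.example. c2ln
    86400 NSEC legacy.example. A RRSIG NSEC
""",
    "unsigned.example.db": """\
$ORIGIN unsigned.example.
@   3600 IN SOA ns1 hostmaster 2024010101 3600 900 1209600 3600
ns1 3600 IN A 10.1.3.53
""",
}

def demo(require_nsec3=False):
    """Audit the constructed samples; returns {zone: (status, finding)}."""
    return audit(SAMPLE_NAMED_CONF, lambda p: SAMPLE_ZONE_FILES[Path(p).name], require_nsec3)

if __name__ == "__main__":                     # python audit_nsec.py [/etc/named.conf]
    results = (audit(Path(sys.argv[1]).read_text(), lambda p: Path(p).read_text())
               if len(sys.argv) > 1 else demo())
    for zone, (status, finding) in sorted(results.items()):
        print(f"{zone:20} {status:9} {'FINDING' if finding else 'ok'}")
```

With no argument the script audits its embedded samples; on a real server pass the path of "named.conf" and it reads the files named in the zone statements, relative to the "directory" option. The finding flag follows the check text (no NSEC or NSEC3 records at all); pass require_nsec3=True to also flag NSEC-only zones, which is what the rule title asks for. The script reads on-disk files only, so for zones signed in-line point it at the ".signed" copy BIND maintains, or confirm the chain from the running server instead.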

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments