STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015:

The two files generated by the dnssec-keygen program must be made accessible only to the server administrator account, or deleted, after they have been copied to the key file in the name server.

DISA Rule

SV-69171r1_rule

Vulnerability Number

V-54925

Group Title

SRG-APP-000516-DNS-000086

Rule Version

SRG-APP-000516-DNS-000086

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure permissions on the key files to only give access to the server administrator, or delete the key files altogether.

Destroy all paper copies of the key files.

Check Contents

Review the DNS implementation and documentation and confirm the permissions on the key files, which were generated by the dnssec-keygen program and copied to the name server, are only accessible to the server administrator or have been deleted.

Verify all paper copies of the key files have been destroyed.

If the key files have been deleted and all paper copies have been destroyed, this is not a finding.
If the key files have been deleted but the paper copies have not been destroyed, this is a finding.
If the key files still exist, and the permissions on the key files have not been configured to only allow the server administrator account access, this is a finding.

The two files generated by the dnssec-keygen program must be made accessible only to the server administrator account, or deleted, after they have been copied to the key file in the name server.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments