On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone.

From BIND 9.x Security Technical Implementation Guide

Part of SRG-APP-000516-DNS-000102

Associated with: CCI-000366

SV-87135r1_rule On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone.

Vulnerability discussion

All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients.

Check content

If this is an authoritative name server, this is Not Applicable. Identify the local root zone file in named.conf: zone "." IN { type hint; file "" }; Examine the local root zone file. If the local root zone file lists domains outside of the name server’s primary domain, this is a finding.

Fix text

Edit the local root zone file. Remove any reference to a domain that is outside of the name server’s primary domain. Restart the BIND 9.x process.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer