The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.

From BIND 9.x Security Technical Implementation Guide

Part of SRG-APP-000158-DNS-000015

Associated with: CCI-000778

SV-87055r1_rule The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.

Vulnerability discussion

Server-to-server (zone transfer) transactions are provided by TSIG, which enforces mutual server authentication using a key that is unique to each server pair (TSIG), thus uniquely identifying the other server.Enforcing separate TSIG key-pairs provides another layer of protection for the BIND implementation in the event that a TSIG key is compromised. This additional layer of security provides the DNS administrators with the ability to change a compromised TSIG key with a minimal disruption to DNS operations.Failure to identify devices and authenticate devices can lead to malicious activity, such as a Man-In-The-Middle attack where an attacker could pose as an authorized name server, and redirect legitimate customers to malicious websites. A failure on this part could also lead to a Denial of Service of any and all DNS services provided to an organizations network infrastructure.

Check content

Verify that the BIND 9.x server is configured to utilize separate TSIG key-pairs when securing server-to-server transactions. Inspect the "named.conf" file for the presence of TSIG key statements: On the master name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; zone "disa.mil" { type master; file "db.disa.mil"; allow-transfer { key tsig_example.; }; }; On the slave name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; server { keys { tsig_example }; }; zone "disa.mil" { type slave; masters { ; }; file "db.disa.mil"; }; Verify that each TSIG key-pair listed is only used by a single key statement: # cat If any TSIG key-pair is being used by more than one key statement, this is a finding.

Fix text

Create a separate TSIG key-pair for each key statement listed in the named.conf file. Configure the name server to utilize separate TSIG key-pairs for each key statement listed in the named.conf file. Restart the BIND 9.x process.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer