The DNSSEC algorithm for digital signatures is not RSASHA1.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-14760 | DNS4650 | SV-15517r3_rule | ECSC-1 | Low |
| Description |
|---|
| Due to its wide availability and performance, RSASHA1 is the preferred algorithm for zone signatures. |
| STIG | Date |
|---|---|
| BIND DNS | 2011-01-20 |
Details
| Check Text ( C-12983r2_chk ) |
|---|
| BIND Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key. If this number is not a five, then this is a finding. Here is an example: example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a |
| Fix Text (F-14237r2_fix) |
|---|
| Generate a new key pair and update the DNSKEY record with the following: # dnssec-keygen –n ZONE –a RSASHA1 –b 2048 example.com |