
The DNSSEC algorithm for digital signatures must be RSASHA1, RSASHA256, or RSASHA512.


Overview

Finding ID: V-14760
Version: DNS4650
Rule ID: SV-15517r3_rule
IA Controls: ECSC-1
Severity: Low
Description
MD5 is not collision resistant; therefore, RSAMD5 is not permitted for use in DNSSEC. RSASHA1 is the minimum algorithm for zone signatures. SHA2-based algorithms RSASHA256 and RSASHA512 offer greater security and are preferred over RSASHA1.
STIG: BIND DNS STIG
Date: 2015-01-05

Details

Check Text ( C-47003r1_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

Instruction: Examine the DNSKEY record in the zone file. The seventh field will contain a number representing the algorithm used to generate the key.

Here is an example:

example.com. 86400 IN DNSKEY 256 3 5 aghaghnl;knatnjkga;agn;g’a

If this number is not a five, eight, or ten, then this is a finding.
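The check above can be automated against a zone file. The script below is an added example for this page, not part of the STIG or of BIND: it pulls every DNSKEY record out of zone-file text (handling the optional TTL and class, ';' comments, omitted owner names, and keys wrapped in parentheses across lines), reads the algorithm number from the field after the protocol field, and reports a finding for any key whose algorithm is not 5, 8, or 10. The sample zone is constructed with placeholder key material; the algorithm names beyond the three permitted ones are assumed from the IANA DNSSEC algorithm registry and are used only to make findings readable.

```python
"""Audit DNSKEY algorithm numbers in a zone file against STIG V-14760 (DNS4650).

Added example, not STIG or BIND code. Field layout of a DNSKEY RR:
    owner [TTL] [class] DNSKEY flags protocol algorithm public-key
The STIG check accepts algorithm 5 (RSASHA1), 8 (RSASHA256) and 10 (RSASHA512).
"""

# Algorithm numbers permitted by the check text.
PERMITTED_ALGORITHMS = {5: "RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}

# Other algorithm numbers, named per the IANA DNSSEC registry (assumption, for readable output only).
ALGORITHM_NAMES = {
    1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448", **PERMITTED_ALGORITHMS,
}

# Constructed sample zone; key material is a placeholder, not real key data.
SAMPLE_ZONE = """\
$TTL 86400
example.com.  IN SOA ns1.example.com. hostmaster.example.com. ( 2015010500 7200 3600 1209600 86400 )
example.com.  86400 IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDzsk ; ZSK, RSASHA1 -> permitted
              IN DNSKEY 257 3 8 ( AwEAAcONSTRUCTEDksk
                                  CONTINUEDkskDATA )   ; KSK, RSASHA256 -> permitted
example.com.  86400 IN DNSKEY 256 3 1 AwEAAcONSTRUCTEDmd5 ; RSAMD5 -> finding
"""


def _logical_lines(zone_text):
    """Strip ';' comments and join records wrapped in ( ... ) onto one logical line."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined


def parse_dnskey_records(zone_text):
    """Return [(owner, flags, protocol, algorithm), ...] for each DNSKEY RR in the zone text."""
    records, last_owner = [], "<unknown>"
    for line in _logical_lines(zone_text):
        tokens = line.split()
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        leading = tokens[:i]
        # The owner is present only if the first token is neither a TTL nor a class.
        if leading and not leading[0].isdigit() and leading[0].upper() not in ("IN", "CH", "HS"):
            last_owner = leading[0]
        try:
            flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        except ValueError:
            continue  # malformed record; skipped here, worth a manual look in practice
        records.append((last_owner, flags, proto, alg))
    return records


def key_role(flags):
    """Describe the key from its flags field: bit 7 = zone key, bit 0 = secure entry point (KSK)."""
    if not flags & 0x100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x1 else "ZSK"


def audit_dnskeys(zone_text):
    """Return one finding string per DNSKEY whose algorithm is outside the permitted set.

    An empty list means every DNSKEY complies, or the zone has no DNSKEY at all
    (DNSSEC not enabled, so the rule is N/A)."""
    findings = []
    for owner, flags, _proto, alg in parse_dnskey_records(zone_text):
        if alg not in PERMITTED_ALGORITHMS:
            name = ALGORITHM_NAMES.get(alg, "unassigned/unknown")
            findings.append(
                f"{owner} {key_role(flags)} DNSKEY uses algorithm {alg} ({name}); "
                f"permitted algorithms are 5, 8, 10"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_dnskeys(SAMPLE_ZONE) or ["no findings"]:
        print(finding)
```

Run it against a real zone with `audit_dnskeys(open("db.example.com").read())`. Note that the check reads the algorithm number literally, so a key signed with an algorithm the STIG does not list (for example 13, ECDSAP256SHA256) is reported as a finding even though it is not weaker than the permitted RSA algorithms; treat such output as a prompt to apply the rule's current guidance rather than as a cryptographic judgement.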
Fix Text (F-14237r1_fix)
Generate a new key pair and update the DNSKEY record with the following:
# dnssec-keygen -n ZONE -a RSASHA1 -b 2048 example.com