Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The DNSSEC key signing key does not have a minimum roll over period of one year.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-14762 | DNS4670 | SV-15519r2_rule | ECSC-1 | Low |
| Description |
|---|
| A good practice is to generate an extra set of key signing keys for rollover purposes. The additional key will be readily available for emergency situations such as key compromise. The key signing key should be rolled over on an annual basis. |
| STIG | Date |
|---|---|
| BIND DNS STIG | 2015-01-05 |
Details
| Check Text ( C-43444r2_chk ) |
|---|
| This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A. BIND on UNIX Instruction: Ask the DNS administrator for the location of the private key file for the KSK generated from the output of the dnssec-keygen command. Perform the following: # ls –la ‘private_key_file’ # date If the date returned compared to the date on the file is greater than a year, then this is a finding. BIND on Windows Instruction: Ask the DNS administrator for the location of the private key file for the KSK generated from the output of the dnssec-keygen command. Perform the following: Right click on the file and select Properties. Select the General tab and view Created: row which displays the date of creation. Check the date of the machine in the lower right hand corner of the display. Compare the dates; if the difference is greater than a year, then this is a finding. |
| Fix Text (F-14239r1_fix) |
|---|
| Generate new keys with the following command: # dnssec-keygen –n ZONE –a RSASHA1 –b 2048 example.com |