The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-272377 | BIND-9X-001200 | SV-272377r1123862_rule | CCI-000186 | medium |

Description: Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

| STIG | Date |
|---|---|
| BIND 9.x Security Technical Implementation Guide | 2026-02-25 |
Details
Check Text (C-272377r1123862_chk)
With the assistance of the DNS administrator, identify all of the TSIG keys used by the BIND 9.x implementation.
Identify the account that the "named" process is running as:
# ps -ef | grep named
named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot
With the assistance of the DNS administrator, determine the location of the TSIG keys used by the BIND 9.x implementation.
# ls -al <TSIG_Key_Location>
-rw-r-----. 1 root named 76 May 10 20:35 tsig-example.key
If any of the TSIG keys are not owned by the above account, this is a finding.
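As an added illustration, not part of the STIG's check text, the following POSIX shell helper automates the comparison above: `named_user` reads the account from the running named process (preferring the `-u` argument visible in the ps output), and `check_key_owner` reports each key file whose owner differs from it. The key file paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added helper, not from the STIG: compare TSIG key file ownership with the
# account the named process runs as. Key paths are supplied by the caller.

# Print the account named runs as. Prefers the "-u <user>" argument from the
# process command line, otherwise the owner ps reports for the process.
# Assumes a single named process on the host.
named_user() {
    ps -eo user,args | awk '
        $2 ~ /(^|\/)named$/ {
            for (i = 2; i <= NF; i++) if ($i == "-u") { print $(i + 1); exit }
            print $1; exit
        }'
}

# check_key_owner EXPECTED_OWNER FILE...
# Prints one line per file; returns 0 only if every file exists and is owned
# by EXPECTED_OWNER. Any other file is a finding under BIND-9X-001200.
check_key_owner() {
    expected="$1"; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"
            rc=1
            continue
        fi
        # Third column of ls -l is the owner, even when an SELinux context
        # dot is appended to the mode string as in the STIG's sample output.
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" = "$expected" ]; then
            echo "OK       $f (owner $owner)"
        else
            echo "FINDING  $f (owner $owner, expected $expected)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on a real host (the key path is a placeholder):
#   check_key_owner "$(named_user)" /path/to/tsig-example.key
```

A non-zero exit from `check_key_owner` lists the files that need the chown from the fix text.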
Fix Text (F-76334r1123443_fix)
Change the ownership of the TSIG keys to the account the named process is running as.
# chown <named_process_owner> <TSIG_key_file>