The BIND 9.x server implementation must use separate TSIG key-pairs when securing server-to-server transactions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272421 | BIND-9X-001700 | SV-272421r1124019_rule | CCI-000778 | medium |
| Description | ||||
| Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG[0]), thus uniquely identifying the other server. | ||||
| STIG | Date | |||
| BIND 9.x Security Technical Implementation Guide | 2026-02-25 | |||
Details
Check Text (C-272421r1124019_chk)
Verify that the BIND 9.x server is configured to use separate TSIG key-pairs when securing server-to-server transactions.
Inspect the "named.conf" file for the presence of TSIG key statements:
On the primary name server, this is an example of a configured key statement:
key tsig_example. {
algorithm hmac-SHA256;
include "tsig-example.key";
};
zone "disa.mil" {
type Primary;
file "db.disa.mil";
allow-transfer { key tsig_example.; };
};
On the secondary name server, this is an example of a configured key statement:
key tsig_example. {
algorithm hmac-SHA256;
include "tsig-example.key";
};
server <ip_address> {
keys { tsig_example };
};
zone "disa.mil" {
type Secondary;
Primarys { <ip_address>; };
file "db.disa.mil";
};
Verify that each TSIG key-pair listed is only used by a single key statement:
# cat <tsig_key_file>
If any TSIG key-pair is being used by more than one key statement, this is a finding.
Fix Text (F-76378r1123575_fix)
Create a separate TSIG key-pair for each key statement listed in the named.conf file.
Configure the name server to use separate TSIG key-pairs for each key statement listed in the named.conf file.
Restart the BIND 9.x process.