The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-207562 | BIND-9X-001106 | SV-207562r879599_rule | CCI-000778 | medium |

Description

Server-to-server (zone transfer) transactions are secured by TSIG, which enforces mutual server authentication using a key that is unique to each server pair, thus uniquely identifying the other server. Enforcing separate TSIG key-pairs provides another layer of protection for the BIND implementation in the event that a TSIG key is compromised: a compromised key affects only the one server pair that uses it, so DNS administrators can replace it with minimal disruption to DNS operations. Failure to identify and authenticate devices can lead to malicious activity, such as a Man-In-The-Middle attack in which an attacker poses as an authorized name server and redirects legitimate customers to malicious websites. A failure on this part could also lead to a Denial of Service of any and all DNS services provided to an organization's network infrastructure.

| STIG | Date |
| --- | --- |
| BIND 9.x Security Technical Implementation Guide | 2024-02-15 |
Related Frameworks
4 paths across 3 frameworks
NIST 800-53 (1 mapping)
IA-3
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (2 mappings)
3.5.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000778
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-207562r879599_chk)
Verify that the BIND 9.x server is configured to utilize separate TSIG key-pairs when securing server-to-server transactions.
Inspect the "named.conf" file for the presence of TSIG key statements:
On the master name server, this is an example of a configured key statement:
key tsig_example. {
    algorithm hmac-SHA1;
    include "tsig-example.key";
};
zone "disa.mil" {
    type master;
    file "db.disa.mil";
    allow-transfer { key tsig_example.; };
};
On the slave name server, this is an example of a configured key statement:
key tsig_example. {
    algorithm hmac-SHA1;
    include "tsig-example.key";
};
server <ip_address> {
    keys { tsig_example };
};
zone "disa.mil" {
    type slave;
    masters { <ip_address>; };
    file "db.disa.mil";
};
Verify that each TSIG key-pair listed is only used by a single key statement:
# cat <tsig_key_file>
If any TSIG key-pair is being used by more than one key statement, this is a finding.
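The manual check above compares key files by eye. The following added script (not part of the STIG, and not BIND's own tooling) automates it: it extracts every key statement from a named.conf, follows the include directive inside each statement to the actual secret, and reports any secret referenced by more than one key statement. It compares the secret material rather than the file name, so two differently named key files holding a copied secret are still flagged. The configuration, include contents, key names and base64 secrets below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed named.conf fragment: tsig_ns2. and tsig_ns3. point at different
# files, but (see SAMPLE_INCLUDES) those files carry the same secret.
SAMPLE_NAMED_CONF = """
key "tsig_ns2." {
    algorithm hmac-sha256;
    include "tsig-ns2.key";
};
key tsig_ns3. {
    algorithm hmac-sha256;
    include "tsig-ns3.key";
};
key tsig_ns4. {
    algorithm hmac-sha256;
    secret "YW5vdGhlci1jb25zdHJ1Y3RlZC1zZWNyZXQ=";
};
server 192.0.2.10 { keys { tsig_ns2. }; };
"""

# Constructed contents of the included key files (in place of files on disk).
SAMPLE_INCLUDES = {
    "tsig-ns2.key": 'secret "dGhpcy1pcy1hLWNvbnN0cnVjdGVkLXNlY3JldA==";\n',
    "tsig-ns3.key": 'secret "dGhpcy1pcy1hLWNvbnN0cnVjdGVkLXNlY3JldA==";\n',
}

# A key statement: optional quotes around the name, then a {...}; body.
# Anchoring at line start keeps "keys { ... }" and "allow-transfer { key x; }"
# from matching.
KEY_STMT = re.compile(r'^\s*key\s+("?)([^\s"{]+)\1\s*\{(.*?)\};', re.M | re.S)
INCLUDE = re.compile(r'include\s+"([^"]+)"')
SECRET = re.compile(r'secret\s+"([^"]+)"')


def find_shared_tsig_secrets(conf_text, read_include=None):
    """Map each distinct secret to the key statements using it and return only
    those used by more than one statement (each entry is a STIG finding)."""
    if read_include is None:
        read_include = lambda path: open(path, encoding="utf-8").read()
    users = defaultdict(list)
    for m in KEY_STMT.finditer(conf_text):
        name, body = m.group(2), m.group(3)
        inc = INCLUDE.search(body)
        if inc:
            body = read_include(inc.group(1))  # secret lives in the included file
        sec = SECRET.search(body)
        users[sec.group(1) if sec else f"<no secret: {name}>"].append(name)
    return {s: names for s, names in users.items() if len(names) > 1}


if __name__ == "__main__":
    shared = find_shared_tsig_secrets(SAMPLE_NAMED_CONF, SAMPLE_INCLUDES.__getitem__)
    for secret, names in shared.items():
        print(f"FINDING: secret {secret[:8]}... shared by key statements {names}")
```

Against a live server, call find_shared_tsig_secrets with the text of named.conf and no reader argument so include paths are read from disk (relative to named's working directory); an empty result means every key statement has its own secret.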
Fix Text (F-7817r283741_fix)
Create a separate TSIG key-pair for each key statement listed in the named.conf file.
Configure the name server to utilize separate TSIG key-pairs for each key statement listed in the named.conf file.
Restart the BIND 9.x process.