STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to BIND 9.x Security Technical Implementation Guide

V-272386

CAT II (Medium)

The two files generated by the BIND 9.x server dnssec-keygen program must be owned by the administrator account or deleted once they have been copied to the key file in the name server.

Rule ID

SV-272386r1123985_rule

STIG

BIND 9.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64 encoded. A TSIG is a string used to generate the message authentication hash stored in a TSIG RR and used to authenticate an entire DNS message.

Check Content

With the assistance of the DNS administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like the following:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is owned by "named":

# ls -al
-rw-r-----. 1 named named 76 May 10 20:35 dnssec-example.key

If the key files are not owned by named, this is a finding.

Fix Text

Change the ownership of the keys to the administrator account.

# chown named:named <key_file>.