
V-272414

CAT II (Medium)

The BIND 9.x implementation must not use a TSIG or DNSSEC key for more than one year.

Rule ID

SV-272414r1123797_rule

STIG

BIND 9.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements. Configuring the DNS server implementation to follow organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.

Check Content

With the assistance of the DNS administrator, identify all of the cryptographic key files used by the BIND 9.x implementation.

With the assistance of the DNS administrator, determine the location of the cryptographic key files used by the BIND 9.x implementation.

# ls -al <Crypto_Key_Location>
-rw-------. 1 named named 76 May 10 20:35 crypto-example.key

If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable.

For DNSSEC keys:

Verify that the "Created" date is less than one year from the date of inspection:

Note: The date format will be displayed in YYYYMMDDHHMMSS.

# cat <DNSSEC_Key_File> | grep -i "created"
Created: 20160704235959

If the "Created" date is more than one year old, this is a finding.
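The DNSSEC portion of this check can be scripted. The following is an added example, not part of the STIG text: it parses the "Created:" line of BIND private key files (sample contents are constructed, with key material omitted), treats the timestamp as UTC, and reports each file as a finding, compliant, or unverifiable when no usable date is present. The 365-day cutoff is the assumed reading of "one year".

```python
import re
from datetime import datetime, timedelta

# Constructed sample contents of BIND .private key files (not real keys).
SAMPLE_KEYS = {
    "Kexample.com.+013+12345.private": (
        "Private-key-format: v1.3\n"
        "Algorithm: 13 (ECDSAP256SHA256)\n"
        "PrivateKey: <omitted>\n"
        "Created: 20160704235959\n"
    ),
    "Kexample.com.+013+54321.private": (
        "Private-key-format: v1.3\n"
        "PrivateKey: <omitted>\n"
        "Created: 20170301120000\n"
    ),
    # A file with no Created line cannot be verified automatically.
    "Kexample.com.+013+99999.private": "Private-key-format: v1.3\n",
}

# "Created: YYYYMMDDHHMMSS", matched case-insensitively as the check does.
CREATED_RE = re.compile(r"^\s*Created:\s*(\d{14})\s*$", re.IGNORECASE | re.MULTILINE)
MAX_AGE = timedelta(days=365)  # assumed interpretation of "one year"

def parse_created(key_text):
    """Return the Created timestamp (naive, UTC) or None if missing/invalid."""
    m = CREATED_RE.search(key_text)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    except ValueError:      # 14 digits but not a real date, e.g. month 99
        return None

def key_finding(key_text, inspection_date):
    """Classify one key file as 'finding', 'compliant' or 'unverifiable'."""
    created = parse_created(key_text)
    if created is None:
        return "unverifiable"   # needs manual review with the DNS administrator
    return "finding" if inspection_date - created > MAX_AGE else "compliant"

def audit_keys(key_files, inspection_date):
    """Map each key file name to its result."""
    return {name: key_finding(text, inspection_date) for name, text in key_files.items()}

if __name__ == "__main__":
    inspection = datetime(2017, 9, 1)  # constructed inspection date (UTC)
    for name, result in audit_keys(SAMPLE_KEYS, inspection).items():
        print(f"{name}: {result}")
```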

For TSIG keys:

Verify with the information system security officer (ISSO)/information system security manager (ISSM) that the TSIG keys are less than one year old.

If a TSIG key is more than one year old, this is a finding.

Fix Text

Generate new DNSSEC and TSIG keys.

For DNSSEC keys:

Use the newly generated keys to resign all of the zone files on the name server.

For TSIG keys:

Update the named.conf file with the new keys.

Restart the BIND 9.x process.