Rule ID
SV-272421r1124019_rule
Version
V3R2
CCIs
CCI-000778
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG[0]), thus uniquely identifying the other server.
Verify that the BIND 9.x server is configured to use separate TSIG key-pairs when securing server-to-server transactions.
Inspect the "named.conf" file for the presence of TSIG key statements:
On the primary name server, this is an example of a configured key statement:
key tsig_example. {
algorithm hmac-SHA256;
include "tsig-example.key";
};
zone "disa.mil" {
type Primary;
file "db.disa.mil";
allow-transfer { key tsig_example.; };
};
On the secondary name server, this is an example of a configured key statement:
key tsig_example. {
algorithm hmac-SHA256;
include "tsig-example.key";
};
server <ip_address> {
keys { tsig_example };
};
zone "disa.mil" {
type Secondary;
Primarys { <ip_address>; };
file "db.disa.mil";
};
Verify that each TSIG key-pair listed is only used by a single key statement:
# cat <tsig_key_file>
If any TSIG key-pair is being used by more than one key statement, this is a finding.Create a separate TSIG key-pair for each key statement listed in the named.conf file. Configure the name server to use separate TSIG key-pairs for each key statement listed in the named.conf file. Restart the BIND 9.x process.