
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-272373

CAT II (Medium)

The BIND 9.x server signature generation using the key signing key (KSK) must be done offline, using the KSK-private key stored offline.

Rule ID

SV-272373r1192864_rule

STIG

BIND 9.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000186

Discussion

The private key in the KSK key pair must be protected from unauthorized access. The private key must be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the primary copy of the zone file. Failure to protect the private KSK may have significant effects on the overall security of the DNS infrastructure. A compromised KSK could lead to an inability to detect unauthorized DNS zone data, resulting in network traffic being redirected to a rogue site.

Check Content

Verify that no private KSKs are stored on the name server.

With the assistance of the DNS administrator, obtain a list of all DNSSEC private keys that are stored on the name server.

Inspect the signed zone file(s) and, if there are local zones, look for the KSK key ID:

DNSKEY 257 3 8 ( <hash_algorithm> ) ; KSK ; alg = ECDSAP256SHA256; key id = 52807

Verify that none of the identified private keys are KSKs.

An example private KSK would look like the following:

Kexample.com.+008+52807.private

If private KSKs are stored on the name server, this is a finding.
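The check above can be scripted: extract every DNSKEY record from the signed zone, keep those with the Secure Entry Point bit set (flags 257, which is how a KSK is distinguished from a ZSK's 256), compute each key's tag as RFC 4034 Appendix B defines it, and report any K<zone>.+<alg>+<tag>.private file in the key directory whose (zone, algorithm, tag) matches a KSK. The following is an added example, not part of the STIG text or of BIND itself; the zone content and directory listing are constructed, with the public-key material shortened to two bytes so the key tags can be verified by hand, and the file-name layout is BIND's own (note that the numeric algorithm field 8 in the DNSKEY record and the "+008+" in the file name denote RSASHA256 in the IANA registry, while ECDSAP256SHA256 is number 13; the script matches on the numeric field, which is what the file name carries).

```python
"""Added example: flag private KSK files left on a BIND name server.

Constructed inputs stand in for the signed zone file and the key directory
listing. The file-name format K<zone>.+<alg>+<tag>.private is BIND's own;
the rest is an assumption made for illustration.
"""
import base64
import re
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag of a DNSKEY RDATA per RFC 4034 Appendix B.
    (Algorithm 1, RSAMD5, used a different rule and is obsolete.)"""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


_DNSKEY = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/= ]+)$"
)


def parse_dnskeys(zone_text: str):
    """Return (owner, flags, algorithm, key_tag) for every DNSKEY record.
    ';' comments are dropped and '( ... )' continuations are joined first, so
    dnssec-signzone's multi-line output parses the same as single-line records."""
    no_comments = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), no_comments)
    records = []
    for line in joined.splitlines():
        m = _DNSKEY.match(line.strip())
        if not m:
            continue
        pubkey = base64.b64decode(m["key"].replace(" ", ""))
        flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
        records.append((m["owner"].rstrip(".").lower(), flags, alg,
                        key_tag(flags, proto, alg, pubkey)))
    return records


# BIND private key file name: K<zone>.+<3-digit alg>+<5-digit key tag>.private
_PRIVATE = re.compile(r"^K(?P<zone>.+?)\.?\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.private$")


def private_ksks(zone_text: str, key_files):
    """Names of .private files whose (zone, algorithm, key tag) matches a
    DNSKEY carrying the SEP bit in the signed zone, i.e. a KSK private key."""
    ksks = {(owner, alg, tag) for owner, flags, alg, tag in parse_dnskeys(zone_text)
            if flags & 0x0001}  # bit 15 = Secure Entry Point; 257 = zone key + SEP
    findings = []
    for name in key_files:
        m = _PRIVATE.match(name)
        if m and (m["zone"].lower(), int(m["alg"]), int(m["tag"])) in ksks:
            findings.append(name)
    return sorted(findings)


# Constructed sample zone: key material shortened to the two bytes 0x01 0x02
# ("AQI=") so the RFC 4034 key tags work out to 1291 (KSK) and 1290 (ZSK).
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 8 ( AQI=
        ) ; KSK ; alg = RSASHA256 ; key id = 1291
example.com. 3600 IN DNSKEY 256 3 8 AQI= ; ZSK ; alg = RSASHA256 ; key id = 1290
"""

# Constructed listing of the name server's key directory.
SAMPLE_KEY_DIR = [
    "Kexample.com.+008+01291.key",
    "Kexample.com.+008+01291.private",  # KSK private key: must not be here
    "Kexample.com.+008+01290.key",
    "Kexample.com.+008+01290.private",  # ZSK private key: expected on the signer
    "named.conf",
]

if __name__ == "__main__":
    found = private_ksks(SAMPLE_ZONE, SAMPLE_KEY_DIR)
    if found:
        print("FINDING: private KSKs stored on the name server:", *found)
    else:
        print("No private KSKs found on the name server.")
```

On a real host, replace SAMPLE_ZONE with the contents of the signed zone file and SAMPLE_KEY_DIR with the names in the key directory named.conf points at; a non-empty result is the finding described above. Matching on the computed key tag rather than on the "; key id =" comment means the check still works on zones whose comments were stripped or regenerated.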

Fix Text

Remove all private KSKs from the name server and ensure they are stored offline in a secure location.