STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to BIND 9.x Security Technical Implementation Guide

V-272375

CAT II (Medium)

The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

Rule ID

SV-272375r1123858_rule

STIG

BIND 9.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000186

Discussion

Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

Check Content

Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users.

With the assistance of the DNS administrator, determine the location of the TSIG keys used by the BIND 9.x implementation:

# ls -al <TSIG_Key_Location>
-rw-r-----. 1 root named 76 May 10 20:35 tsig-example.key

If the key files are more permissive than 640, this is a finding.

Fix Text

Change the permissions of the TSIG key files:

# chmod 640 <TSIG_key_file>