← Back to BIND 9.x Security Technical Implementation Guide

V-272436

CAT II (Medium)

A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.

Rule ID

SV-272436r1137676_rule

STIG

BIND 9.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-002450

Discussion

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Check Content

Verify that the DNSSEC and TSIG keys used by the BIND 9.x implementation are FIPS compliant.

If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable.

DNSSEC keys:

Inspect the "named.conf" file and identify all of the DNSSEC signed zone files:

zone "example.com" {
file "signed_zone_file";
};

For each signed zone file identified, inspect the file for the "DNSKEY" records: 

86400 DNSKEY 257 3 8 (
<KEY HASH>
) ; KSK; 
86400 DNSKEY 256 3 8 (
<KEY HASH>
) ; ZSK; 

The fifth field in the above example identifies what algorithm was used to create the DNSKEY. 

If the fifth field, if the KSK DNSKEY is less than "8" (SHA256), this is a finding.

If the algorithm used to create the ZSK is less than "8" (SHA256), this is a finding.

TSIG keys: 

Inspect the "named.conf" file and identify all of the TSIG key statements: 

key tsig_example. {
algorithm hmac-SHA256;
include "tsig-example.key";
};

If each key statement does not use "hmac-SHA256" or a stronger algorithm, this is a finding.

Fix Text

Create new DNSSEC and TSIG keys using a FIPS-approved cryptographic algorithm that meets or exceeds the strength of SHA-256.