BIND 9.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers.
<VulnDiscussion>It is important to maintain the integrity of a zone file. The serial number of the SOA record is used to indicate to secondar...Rule Low Severity -
SRG-APP-000516-DNS-000110
<GroupDescription></GroupDescription>Group -
On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
<VulnDiscussion>Hosts that run the name server software should not provide any other services and therefore should be configured to respond t...Rule Low Severity -
SRG-APP-000447-DNS-000068
<GroupDescription></GroupDescription>Group -
A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input.
<VulnDiscussion>A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards ag...Rule Medium Severity -
SRG-APP-000001-DNS-000001
<GroupDescription></GroupDescription>Group -
A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.
<VulnDiscussion>Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. Name serve...Rule Medium Severity -
SRG-APP-000246-DNS-000035
<GroupDescription></GroupDescription>Group -
A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.
<VulnDiscussion>Any host that can query a resolving name server has the potential to poison the servers name cache or take advantage of other...Rule Medium Severity -
SRG-APP-000158-DNS-000015
<GroupDescription></GroupDescription>Group -
The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.
<VulnDiscussion>Server-to-server (zone transfer) transactions are provided by TSIG, which enforces mutual server authentication using a key t...Rule High Severity -
SRG-APP-000158-DNS-000015
<GroupDescription></GroupDescription>Group -
The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.
<VulnDiscussion>Server-to-server (zone transfer) transactions are provided by TSIG, which enforces mutual server authentication using a key t...Rule Medium Severity -
SRG-APP-000176-DNS-000018
<GroupDescription></GroupDescription>Group -
The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.
<VulnDiscussion>Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.<...Rule Medium Severity -
SRG-APP-000176-DNS-000018
<GroupDescription></GroupDescription>Group -
The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.
<VulnDiscussion>Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.<...Rule Medium Severity -
SRG-APP-000176-DNS-000019
<GroupDescription></GroupDescription>Group -
The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.
<VulnDiscussion>Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.</V...Rule Medium Severity -
SRG-APP-000516-DNS-000500
<GroupDescription></GroupDescription>Group -
The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.
<VulnDiscussion>Cryptographic keys are the backbone of securing DNS information over the wire, maintaining DNS data integrity, and the provid...Rule Medium Severity -
SRG-APP-000514-DNS-000075
<GroupDescription></GroupDescription>Group -
A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.
<VulnDiscussion>The use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The applic...Rule High Severity -
The DNSSEC keys used with the BIND 9.x implementation must be owned by a privileged account.
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device within an organizatio...Rule Medium Severity -
SRG-APP-000231-DNS-000033
<GroupDescription></GroupDescription>Group -
The DNSSEC keys used with the BIND 9.x implementation must be group owned by a privileged account.
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device within an organizatio...Rule Medium Severity -
SRG-APP-000231-DNS-000033
<GroupDescription></GroupDescription>Group -
Permissions assigned to the DNSSEC keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device within an organizatio...Rule Medium Severity -
SRG-APP-000176-DNS-000094
<GroupDescription></GroupDescription>Group -
The BIND 9.x server private key corresponding to the ZSK pair must be the only DNSSEC key kept on a name server that supports dynamic updates.
<VulnDiscussion>The private key in the ZSK key pair must be protected from unauthorized access. If possible, the private key should be stored...Rule High Severity -
SRG-APP-000516-DNS-000112
<GroupDescription></GroupDescription>Group -
On the BIND 9.x server the private keys corresponding to both the ZSK and the KSK must not be kept on the BIND 9.x DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
<VulnDiscussion>The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys shoul...Rule Medium Severity -
SRG-APP-000516-DNS-000086
<GroupDescription></GroupDescription>Group -
The two files generated by the BIND 9.x server dnssec-keygen program must be owned by the root account, or deleted, after they have been copied to the key file in the name server.
<VulnDiscussion>To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...Rule Medium Severity -
SRG-APP-000516-DNS-000086
<GroupDescription></GroupDescription>Group -
The two files generated by the BIND 9.x server dnssec-keygen program must be group owned by the server administrator account, or deleted, after they have been copied to the key file in the name server.
<VulnDiscussion>To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...Rule Medium Severity -
SRG-APP-000516-DNS-000086
<GroupDescription></GroupDescription>Group -
Permissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
<VulnDiscussion>To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...Rule Medium Severity -
SRG-APP-000176-DNS-000096
<GroupDescription></GroupDescription>Group -
The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.
<VulnDiscussion>The private key in the KSK key pair must be protected from unauthorized access. The private key should be stored off-line (wi...Rule High Severity -
SRG-APP-000213-DNS-000024
<GroupDescription></GroupDescription>Group -
A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information.
<VulnDiscussion>DNSSEC is required for securing the DNS query/response transaction by providing data origin authentication and data integrity...Rule High Severity -
SRG-APP-000214-DNS-000025
<GroupDescription></GroupDescription>Group -
A BIND 9.x server implementation must provide the means to indicate the security status of child zones.
<VulnDiscussion>If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely aff...Rule Medium Severity -
SRG-APP-000214-DNS-000079
<GroupDescription></GroupDescription>Group -
The BIND 9.x server validity period for the RRSIGs covering the DS RR for zones delegated children must be no less than two days and no more than one week.
<VulnDiscussion>The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs...Rule Medium Severity -
SRG-APP-000516-DNS-000099
<GroupDescription></GroupDescription>Group -
The core BIND 9.x server files must be owned by the root or BIND 9.x process account.
<VulnDiscussion>Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have d...Rule Medium Severity -
SRG-APP-000516-DNS-000099
<GroupDescription></GroupDescription>Group -
The core BIND 9.x server files must be group owned by a group designated for DNS administration only.
<VulnDiscussion>Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have d...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.