BIND 9.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.
<VulnDiscussion>Server-to-server (zone transfer) transactions are provided by TSIG, which enforces mutual server authentication using a key t...Rule High Severity -
SRG-APP-000158-DNS-000015
<GroupDescription></GroupDescription>Group -
The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.
<VulnDiscussion>Server-to-server (zone transfer) transactions are provided by TSIG, which enforces mutual server authentication using a key t...Rule Medium Severity -
SRG-APP-000176-DNS-000018
<GroupDescription></GroupDescription>Group -
The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.
<VulnDiscussion>Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.<...Rule Medium Severity -
SRG-APP-000176-DNS-000018
<GroupDescription></GroupDescription>Group -
The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.
<VulnDiscussion>Incorrect ownership of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.<...Rule Medium Severity -
SRG-APP-000176-DNS-000019
<GroupDescription></GroupDescription>Group -
The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.
<VulnDiscussion>Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.</V...Rule Medium Severity -
SRG-APP-000516-DNS-000500
<GroupDescription></GroupDescription>Group -
The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.
<VulnDiscussion>Cryptographic keys are the backbone of securing DNS information over the wire, maintaining DNS data integrity, and the provid...Rule Medium Severity -
SRG-APP-000514-DNS-000075
<GroupDescription></GroupDescription>Group -
A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.
<VulnDiscussion>The use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The applic...Rule High Severity -
The DNSSEC keys used with the BIND 9.x implementation must be owned by a privileged account.
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device within an organizatio...Rule Medium Severity -
SRG-APP-000231-DNS-000033
<GroupDescription></GroupDescription>Group -
The DNSSEC keys used with the BIND 9.x implementation must be group owned by a privileged account.
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device within an organizatio...Rule Medium Severity -
SRG-APP-000231-DNS-000033
<GroupDescription></GroupDescription>Group -
Permissions assigned to the DNSSEC keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device within an organizatio...Rule Medium Severity -
SRG-APP-000176-DNS-000094
<GroupDescription></GroupDescription>Group -
The BIND 9.x server private key corresponding to the ZSK pair must be the only DNSSEC key kept on a name server that supports dynamic updates.
<VulnDiscussion>The private key in the ZSK key pair must be protected from unauthorized access. If possible, the private key should be stored...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.