
The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.

An XCCDF Rule

Description

Cryptographic keys are the backbone of securing DNS information over the wire, maintaining DNS data integrity, and providing the ability to validate DNS information that is received. When a cryptographic key is used by a DNS server for a long period of time, the likelihood of compromise increases. A compromised key set would allow an attacker to intercept and possibly inject compromised data into the DNS server. In this compromised state, the DNS server would be vulnerable to DoS attacks, as well as to becoming a launching pad for further attacks on an organization's network.

Documentable: false

ID
SV-207566r879887_rule
Severity
Medium

Remediation - Manual Procedure

Generate new DNSSEC and TSIG keys.

For DNSSEC keys:

Use the newly generated keys to resign all of the zone files on the name server.
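The rule gives a one-year ceiling but no check for it. The script below is an added example, not part of the STIG or of BIND, that audits DNSSEC key files for age. It assumes the metadata line format that `dnssec-keygen` writes into its output files (a `; Created: YYYYMMDDHHMMSS` comment in `.key` files, a bare `Created:` field in `.private` files); the file names and contents are constructed samples. TSIG keys configured in `named.conf` carry no creation timestamp, so for those the file modification time or the key's deployment record has to be consulted instead.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example (not STIG or BIND code): report DNSSEC key files whose
# "Created:" metadata is older than the one-year limit in this rule.
# Assumed format: dnssec-keygen writes "; Created: YYYYMMDDHHMMSS" into .key
# files and "Created: YYYYMMDDHHMMSS" into .private files.

MAX_KEY_AGE = timedelta(days=365)
_CREATED_RE = re.compile(r"^;?\s*Created:\s*(\d{14})", re.MULTILINE)


def key_created(text):
    """Return the key's creation time (UTC) parsed from its metadata, or None."""
    m = _CREATED_RE.search(text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def stale_keys(key_files, now, max_age=MAX_KEY_AGE):
    """key_files maps file name -> file contents.

    Returns (stale, unknown): stale is a sorted list of (name, age_in_days) for
    keys older than max_age; unknown lists files with no Created: metadata,
    which need manual review rather than being silently passed.
    """
    stale, unknown = [], []
    for name, text in key_files.items():
        created = key_created(text)
        if created is None:
            unknown.append(name)
            continue
        age = now - created
        if age > max_age:
            stale.append((name, age.days))
    return sorted(stale), sorted(unknown)


# Constructed sample files mimicking dnssec-keygen output (placeholder key data).
SAMPLE_KEYS = {
    "Kexample.test.+013+11111.key": (
        "; This is a key-signing key, keyid 11111, for example.test.\n"
        "; Created: 20220101120000 (Sat Jan  1 12:00:00 2022)\n"
        "; Publish: 20220101120000 (Sat Jan  1 12:00:00 2022)\n"
        "; Activate: 20220101120000 (Sat Jan  1 12:00:00 2022)\n"
        "example.test. IN DNSKEY 257 3 13 PLACEHOLDERPUBLICKEYDATA==\n"
    ),
    "Kexample.test.+013+22222.key": (
        "; This is a zone-signing key, keyid 22222, for example.test.\n"
        "; Created: 20240301090000 (Fri Mar  1 09:00:00 2024)\n"
        "example.test. IN DNSKEY 256 3 13 PLACEHOLDERPUBLICKEYDATA==\n"
    ),
    "Kexample.test.+013+33333.private": (
        "Private-key-format: v1.3\n"
        "Algorithm: 13 (ECDSAP256SHA256)\n"
        "PrivateKey: PLACEHOLDERPRIVATEKEYDATA==\n"
        "Created: 20230601000000\n"
    ),
    # A hand-made key file with no metadata: cannot be aged automatically.
    "legacy.key": "example.test. IN DNSKEY 256 3 13 NOMETADATA==\n",
}

# Fixed "now" so the sample run is reproducible; a real audit uses datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    stale, unknown = stale_keys(SAMPLE_KEYS, SAMPLE_NOW)
    for name, days in stale:
        print(f"ROTATE: {name} is {days} days old (limit {MAX_KEY_AGE.days})")
    for name in unknown:
        print(f"REVIEW: {name} has no Created: metadata; check its file age manually")
```

The third sample key was created exactly one calendar year before the audit date; because 2024 is a leap year that is 366 days, so it is flagged, which is the behaviour a strict "not more than one year" reading wants. Files without metadata are reported separately rather than treated as compliant.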