The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.
An XCCDF Rule
Description
<VulnDiscussion>Cryptographic keys are the backbone of securing DNS information over the wire, maintaining DNS data integrity, and providing the ability to validate DNS information that is received. When a cryptographic key is used by a DNS server for a long period of time, the likelihood of compromise increases. A compromised key set would allow an attacker to intercept and possibly inject compromised data into the DNS server. In this compromised state, the DNS server would be vulnerable to DoS attacks, as well as to becoming a launching pad for further attacks on an organization's network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-207566r879887_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Generate new DNSSEC and TSIG keys.
For DNSSEC keys:
Use the newly generated keys to re-sign all of the zone files on the name server.
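The rule gives no check for key age and the remediation above gives only the bare steps, so the following is an added example (not part of the STIG and not BIND's own code) of both halves: an audit that reads the "Created:" stamp dnssec-keygen writes into each K*.private file and flags keys older than 365 days, and a rotation function built on the real BIND utilities (dnssec-keygen, dnssec-signzone, rndc, tsig-keygen). The zone name example.com, the key directory and zone-file paths, the fixed "today" of 2024-03-01 and the two sample key files are constructed for the demonstration. TSIG key files carry no creation stamp, so their age has to come from the organization's change records; the audit below covers DNSSEC keys only.

```shell
#!/bin/sh
# Added example (not part of the STIG or of BIND): audit BIND DNSSEC key files for
# age beyond one year, then the rotation steps the rule calls for.
# Age is read from the "Created:" stamp (YYYYMMDDHHMMSS, UTC) that dnssec-keygen
# writes into every K*.private (and, comment-prefixed, into K*.key).

MAX_AGE_DAYS=365

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian),
# pure POSIX arithmetic so the audit does not depend on GNU "date -d".
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# key_created_days KEYFILE -> days since epoch of the key's Created: stamp; 1 if absent
key_created_days() {
    stamp=$(sed -n 's/^;* *Created: *\([0-9]\{14\}\).*/\1/p' "$1" | head -n 1)
    [ -n "$stamp" ] || return 1
    yy=${stamp%??????????}; mm=${stamp#????}; mm=${mm%????????}
    dd=${stamp#??????};     dd=${dd%??????}
    days_from_civil "$yy" "${mm#0}" "${dd#0}"   # strip leading zero: "08" would be read as octal
}

# key_age_days KEYFILE TODAY(YYYYMMDD) -> age in days
key_age_days() {
    created=$(key_created_days "$1") || return 1
    t=$2; ty=${t%????}; tm=${t#????}; tm=${tm%??}; td=${t#??????}
    echo $(( $(days_from_civil "$ty" "${tm#0}" "${td#0}") - created ))
}

# key_expired KEYFILE TODAY -> exit 0 when the key is older than MAX_AGE_DAYS
key_expired() {
    age=$(key_age_days "$1" "$2") || return 2
    [ "$age" -gt "$MAX_AGE_DAYS" ]
}

# audit_keys KEYDIR TODAY -> prints each stale key; returns 1 if any were found
audit_keys() {
    found=0
    for f in "$1"/K*.private; do
        [ -f "$f" ] || continue
        if key_expired "$f" "$2"; then
            echo "ROTATE: $f is $(key_age_days "$f" "$2") days old"
            found=1
        fi
    done
    return $found
}

# rotate_zone ZONE KEYDIR ZONEFILE: the manual remediation with real BIND utilities.
# Assumed layout: keys in KEYDIR, unsigned zone in ZONEFILE, named.conf pointing at
# ZONEFILE.signed. "-S" (smart signing) selects keys in KEYDIR by their timing
# metadata, so the old keys remain in the signed zone until their Inactive/Delete
# dates (dnssec-settime) pass; publish the new KSK's DS at the parent before
# retiring the old KSK, otherwise validators will fail the zone.
rotate_zone() {
    zone=$1; dir=$2; zonefile=$3
    dnssec-keygen -K "$dir" -a ECDSAP256SHA256 -f KSK "$zone"
    dnssec-keygen -K "$dir" -a ECDSAP256SHA256 "$zone"
    dnssec-signzone -K "$dir" -S -o "$zone" "$zonefile"
    rndc reload "$zone"
    # Fresh TSIG key for transfer/update peers; install the printed key statement
    # in named.conf on both ends and record its creation date alongside it.
    tsig-keygen -a hmac-sha256 "xfer-$zone"
}

# Constructed sample key files (not real keys) so the audit runs offline.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
OLD_KEY="$WORK/Kexample.com.+013+11111.private"   # created 2022-06-01
NEW_KEY="$WORK/Kexample.com.+013+22222.private"   # created 2023-12-01
printf 'Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\nPrivateKey: SAMPLE-NOT-A-KEY\nCreated: 20220601120000\nPublish: 20220601120000\nActivate: 20220601120000\n' > "$OLD_KEY"
printf 'Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\nPrivateKey: SAMPLE-NOT-A-KEY\nCreated: 20231201120000\nPublish: 20231201120000\nActivate: 20231201120000\n' > "$NEW_KEY"

TODAY=20240301   # fixed "today" so the run is reproducible
audit_keys "$WORK" "$TODAY" || echo "stale keys found; on the server run: rotate_zone example.com /var/named/keys /var/named/example.com.db"
```

On a real server point audit_keys at the key directory and pass the current date (`date -u +%Y%m%d`); the sample run reports the 2022 key at 639 days and passes the 2023 key at 91 days. On BIND 9.16 and later the same limit can be enforced by named itself with a `dnssec-policy` whose key `lifetime` is at most P1Y, which removes the manual re-signing step entirely.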