4.1 Use TSIG Keys 256 Bits in Length

Information

The TSIG secret keys used by the name server should be generated from a good source of entropy and should be at least 256 bits in length.

Rationale:

Weak cryptographic keys may allow cryptographic attacks to discover the key value, through repeated guesses. A strong HMAC key requires a good source of entropy and at least 256 bits in length.

Solution

For remediation, replace any keys which are too short with a securely generated key with a length of 256 or 512. The tsig-keygen command below can be used to generate a key.

# tsig-keygen -a sha256 ns1-ns4.example.net > ns1-ns4.example.net.key
# cat ns1-ns4.example.net.key
key 'ns1-ns4.example.net' {
algorithm hmac-sha256;
secret 'ezoZopbE4Q73HShuFYlf3FRvLWjtNXI5fd0TeQAYOug=';
};

Ensure the key file has the appropriate file permissions, and include the file in the named configuration file.

Default Value:

The rndc key is generated as 256 bits during bind-utils package install, and the nsupdate session key is dynamically generated with a length of 256 bits.

See Also

https://workbench.cisecurity.org/files/2997

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: 85aa48af6ac0dddb8e12ba3793f6b81a4d17f94721df323409a6772bef05be05