5.3 Securely Authenticate Update Forwarding

Information

A secondary authoritative name server is allowed to accept zone updates on behalf of the primary name server, and forward them to the master name server, where the zone file can be updated. In this case, the authentication of the dynamic updates is configured with the allow-update-forwarding option. The update requests must be securely authenticated with a key identifier, rather than by an IP address. The key identifier may specify a TSIG key, a GSS-TSIG, or a SIG(0) key.

Rationale:

Of course, allowing unauthenticated updates to a zone should not be allowed. It is necessary for the secondary authoritative name server to carefully authenticate the update request before sending it on to the primary name server, to prevent malicious DNS updates be propagated via the secondary server.

Solution

Modify any allow-update-forwarding options to specify a securely generated TSIG or SIG(0) key identifier used by the DHCP server.

Default Value:

Dynamic updates are disabled by default.

See Also

https://workbench.cisecurity.org/files/2997

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv6|9, CSCv7|16.4

Plugin: Unix

Control ID: 0f5c8c1d6e04ba8136d463917b957517cef1e4a5cbf91590333a4d85d3084778