4.3 Use Unique Keys for Each Pair of Hosts - unique secret

Information

A unique TSIG key should be used for each pair of communicating hosts. For example, if there is one master authoritative name server and three slave authoritative name servers that are updated by the master, then there needs to be a unique TSIG key for at least the following:

Master <-> Slave1

Master <-> Slave2

Master <-> Slave3

Rationale:

Each communication channel should have a unique key, to reduce the risk of key disclosure. If one of the TSIG keys or one of the slave servers is compromised, then the remaining TSIG keys are not disclosed.

Solution

Generate a unique key for each host-to-host communication channel. The command below generates two files, a <name>.key file and a <name>.private file, containing a base64-encoded secret key of suitable length. The files themselves are not needed and should be securely deleted once the secret has been copied into a key file that is included in the named configuration.

$ dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ns1-ns2.cisecurity.org
Kns1-ns2.cisecurity.org.+163+13013

$ cat Kns1-ns2.cisecurity.org.+163+13013.key
ns1-ns2.cisecurity.org. IN KEY 512 3 163 9FQ2dYCQ17HJwDi/uHgANh2dlb8M7eb+F4AjML8tTdA=
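
One way to verify the result, as an added example that is not part of the benchmark or of BIND: this Python script scans named configuration text for key statements that share a secret and for keys assigned to more than one server statement. The sample configuration, key names, addresses and secrets are constructed, and the regex-based parsing assumes all key and server statements are in the text passed in (include files are not followed).

```python
import re
from collections import defaultdict

# Constructed named.conf text: names, addresses and secrets are placeholders.
SAMPLE_CONF = '''
key "ns1-ns2" { algorithm hmac-sha256; secret "Constructed//SecretA="; };
key "ns1-ns3" { algorithm hmac-sha256; secret "Constructed//SecretA="; };
key "ns1-ns4" { algorithm hmac-sha256; secret "ConstructedSecretB="; };
# key "retired" { algorithm hmac-sha256; secret "ConstructedSecretB="; };
server 192.0.2.2 { keys { ns1-ns2; }; };
server 192.0.2.3 { keys { ns1-ns3; }; };
server 192.0.2.4 { keys { ns1-ns4; }; };
server 192.0.2.5 { transfer-format many-answers; keys { "ns1-ns4"; }; };
'''

# Quoted strings are matched first so that "//" inside a base64 secret
# is never mistaken for the start of a comment.
TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}')
SECRET_RE = re.compile(r'\bsecret\s+"([^"]+)"')
SERVER_RE = re.compile(r'\bserver\s+([0-9A-Fa-f:.]+(?:/\d+)?)\s*\{[^{}]*?'
                       r'\bkeys\s*\{\s*"?([\w.-]+)"?\s*;')

def strip_comments(text):
    """Drop #, // and /* */ comments while keeping quoted strings intact."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return TOKEN_RE.sub(keep, text)

def audit(conf_text):
    """Return (groups of key names sharing a secret, keys bound to >1 server)."""
    text = strip_comments(conf_text)
    names_by_secret = defaultdict(set)
    for name, body in KEY_RE.findall(text):
        secret = SECRET_RE.search(body)
        if secret:
            names_by_secret[secret.group(1)].add(name.lower())
    servers_by_key = defaultdict(set)
    for addr, name in SERVER_RE.findall(text):
        servers_by_key[name.lower()].add(addr)
    shared_secrets = sorted(sorted(n) for n in names_by_secret.values() if len(n) > 1)
    shared_keys = {k: sorted(v) for k, v in servers_by_key.items() if len(v) > 1}
    return shared_secrets, shared_keys

if __name__ == "__main__":
    shared_secrets, shared_keys = audit(SAMPLE_CONF)
    for names in shared_secrets:          # report key names only, never the secret
        print("same secret used by keys:", ", ".join(names))
    for key, servers in shared_keys.items():
        print(f"key {key} is used for several servers:", ", ".join(servers))
```

Either finding means that the compromise of one slave or one key exposes more than one channel, which is the condition this control is meant to prevent.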

Default Value:

The rndc key is automatically generated during package installation.

See Also

https://workbench.cisecurity.org/files/2997

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14, CSCv7|14.4

Plugin: Unix

Control ID: 02d5eacb1e7b1885106207d5d3522d752b26468275d278cc1344751c3f656973