Information
For each zone of the authoritative name server, verify that the signed zone file has a valid signature for each algorithm in the zone DNSKEY RRSet.
Rationale:
The zone must have a valid signature before it can be trusted by validating DNSSEC name resolvers.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Perform either of the following:
Enable in-line signing in each zone configuration by setting inline-signing to yes. For example:
zone "cisecurity.org" {
    type master;
    file "/etc/named/masters/cisecurity.org";
    key-directory "/etc/named/keys";
    inline-signing yes;
    auto-dnssec maintain;
};
Reload the server configuration and zones.
rndc reload
Or, if using manual or scripted zone signing instead of inline signing, perform the following.
Include the signing keys at the end of the zone file to be signed. For example:
$include Kcisecurity.com.+013+09768.key
$include Kcisecurity.com.+013+45248.key
Then sign each zone file with the dnssec-signzone command such as:
dnssec-signzone -o cisecurity.com ../masters/cisecurity.com Kcisecurity.com.+013+09768.key Kcisecurity.com.+013+45248.key
Reload the configuration and zones.
rndc reload
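The audit step above asks that every algorithm in the zone's DNSKEY RRset actually signs the zone. The following is an added example, not part of the CIS benchmark, Nessus or BIND; it is a structural pre-check that reads a one-record-per-line dump of the signed zone (the constructed sample below stands in for real `dig AXFR` output) and reports every RRset that lacks an RRSIG for some DNSKEY algorithm. It does not verify signatures cryptographically; use `dnssec-verify` for that.

```python
"""Report RRsets missing an RRSIG for an algorithm present in the DNSKEY RRset.

RFC 4035 section 2.2 requires every algorithm in the zone's DNSKEY RRset to
sign every authoritative RRset. Assumes one record per line, presentation
format (owner TTL IN TYPE rdata). Delegation NS and glue below a cut are
not signed by design and are not handled here.
"""
from collections import defaultdict

# Constructed sample signed zone (placeholder key/signature data, not real).
# Algorithm 8 appears in DNSKEY but only signs the DNSKEY RRset itself.
SIGNED_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250101000000 20241201000000 9768 example.com. AAAA
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250101000000 20241201000000 9768 example.com. AAAA
example.com. 3600 IN DNSKEY 257 3 13 AAAA
example.com. 3600 IN DNSKEY 256 3 8 AAAA
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250101000000 20241201000000 45248 example.com. AAAA
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20250101000000 20241201000000 12345 example.com. AAAA
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 13 3 3600 20250101000000 20241201000000 9768 example.com. AAAA
"""


def parse_zone(text):
    """Return (DNSKEY algorithms, {(owner, type): RRSIG algorithms}, RRsets)."""
    dnskey_algs, rrsets, sigs = set(), set(), defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip blank lines, comments and non-IN records
        owner, rtype, rdata = fields[0].lower(), fields[3], fields[4:]
        if rtype == "RRSIG":
            sigs[(owner, rdata[0])].add(int(rdata[1]))  # covered type, algorithm
        else:
            rrsets.add((owner, rtype))  # RRSIG RRsets themselves are never signed
            if rtype == "DNSKEY":
                dnskey_algs.add(int(rdata[2]))  # flags, protocol, algorithm, key
    return dnskey_algs, sigs, rrsets


def missing_signatures(text):
    """Return sorted (owner, type, algorithm) triples that lack an RRSIG."""
    dnskey_algs, sigs, rrsets = parse_zone(text)
    return [(owner, rtype, alg)
            for owner, rtype in sorted(rrsets)
            for alg in sorted(dnskey_algs)
            if alg not in sigs[(owner, rtype)]]


if __name__ == "__main__":
    for owner, rtype, alg in missing_signatures(SIGNED_ZONE):
        print(f"{owner} {rtype}: no RRSIG for DNSKEY algorithm {alg}")
```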