4.1 Use TSIG Keys 256 Bits in Length

Information

The TSIG secret keys used by the name server should be generated from a good source of entropy and should be at least 256 bits in length.

Rationale:

Weak cryptographic keys may allow cryptographic attacks to discover the key value, through repeated guesses. A strong HMAC key requires a good source of entropy and at least 256 bits in length.

Solution

For remediation, replace any keys which are too short with a securely generated key with a length of 256 or 512.?? The dnssec-keygen command below can be used to generate a key.

$ dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ns1-ns2.cisecurity.org.
$ cat Kns1-ns2.cisecurity.org.+163+21730.key
ns1-ns2.cisecurity.org. IN KEY 512 3 163 ezoZopbE4Q73HShuFYlf3FRvLWjtNXI5fd0TeQAYOug=

Default Value:

The rndc key is generated as 128 bits during bind-utils package install, while the nsupdate session key is dynamically generated with a length of 256 bits.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CSCv6|14.2

Plugin: Unix

Control ID: 60765eaecaef78df1b1b77f472c982994014019632a848f8bf5cd7fbaa01ebff