Information
The TSIG secret keys used by the name server should be generated from a good source of entropy and should be at least 256 bits in length.
Rationale:
Weak cryptographic keys may allow cryptographic attacks to discover the key value, through repeated guesses. A strong HMAC key requires a good source of entropy and at least 256 bits in length.
Solution
For remediation, replace any keys which are too short with a securely generated key with a length of 256 or 512.?? The dnssec-keygen command below can be used to generate a key.
$ dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ns1-ns2.cisecurity.org.
$ cat Kns1-ns2.cisecurity.org.+163+21730.key
ns1-ns2.cisecurity.org. IN KEY 512 3 163 ezoZopbE4Q73HShuFYlf3FRvLWjtNXI5fd0TeQAYOug=
Default Value:
The rndc key is generated as 128 bits during bind-utils package install, while the nsupdate session key is dynamically generated with a length of 256 bits.