4.3 Use Unique Keys for Each Pair of Hosts - unique keys

Information

A unique TSIG key should be used for each pair of communicating hosts. For example if there is one master authoritative name server and three slave authoritative name servers that were updated by the master, then there would need to be a unique TSIG key for at least the following:

- Master <-> Slave1
- Master <-> Slave2
- Master <-> Slave3

Rationale:

Each communication channel should have a unique key, to reduce the risk of key disclosure. If one of the TSIG keys or one of the slave servers is compromised, then the remaining TSIG keys are not disclosed.

Solution

Generate unique keys for host to host communication. The command below can be used to generate 2 files, and <anem>.key file and a <name>.private file with secret keys of suitable length with base64 encoding.?? The files themselves are not needed, and should be securely deleted once the values are copied into a key file for including in the named configuration.

$ dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ns1-ns2.cisecurity.org
Kns1-ns2.cisecurity.org.+163+13013

$ cat Kns1-ns2.cisecurity.org.+163+13013.key
ns1-ns2.cisecurity.org. IN KEY 512 3 163 9FQ2dYCQ17HJwDi/uHgANh2dlb8M7eb+F4AjML8tTdA=

Default Value:

The rndc key is automatically generated during package installation.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|14

Plugin: Unix

Control ID: 67627f6bd6d44633b3e31c4ef2e3941a563ab3528a0191be05acaad6daa7b9f8