5.2 Securely Authenticate Dynamic Updates - update-policy grant or local

Information

Dynamic updates are used to automate the updating of zones. Dynamic updates are typically used with DHCP; however, updates may include other records. The allow-update option allows deleting or adding any resource records of a zone except the SOA and NS records, and should not be used. Instead the update-policy option allows a more granular policy to be specified so that only specific resource record types and a specific sub-domain may be updated. The update-policy must be securely authenticated with a key identifier, rather than by an IP address. The key identifier may specify a TSIG key, a GSS-TSIG key, or a SIG(0) key.

Rationale:

Allowing other systems to make permanent updates to your zones is of course not allowed by default, and needs to be carefully secured. Consider the power of an attack that could update the zone to direct clients and servers to the malicious server of the attacker's choice. The attack would not be restricted to just HTTP, but every connection and protocol that uses a name and allows weak authentication may be subject to redirection and a variety of man-in-the-middle and protocol downgrade attacks. Therefore, it is important that all dynamic updates be securely authenticated using a cryptographic key, and not rely on an IP address.

Solution

Perform the following steps for remediation:

- Remove any allow-update options from the global options configuration.
- Replace or add allow-update options to the zone files to specify a securely generated TSIG or SIG(0) key identifier, along with the appropriate domain or sub-domain, and the appropriate resource record type.

Default Value:

Dynamic updates are not allowed by default.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-20b., CSCv6|9

Plugin: Unix

Control ID: 3e2810ccef062cb40a283e087191e3154bda15fa0ce62c0c8dddeca045348458