4.2 Include Cryptographic Key Files

Information

Do not place keys directly in the BIND named.conf, but use separate configuration files for the keys and include them into the named.conf file, in order to protect the keys from unintentional disclosure.

Rationale:

Although the keys may be placed directly in the named.conf file, putting it in a separate file will limit the number of times it needs to be viewed, and make it independent of viewing and changes to the main configuration file.

Solution

Move each key definition statement from the named.conf file into its own key file. It is recommended to name both the key and the key file after the two hosts that will be sharing the secret key, in order to avoid confusion. Then include the key files with include statements in the named.conf. An example is shown below with the key definition statement moved to a separate key file, however it is also accepted for only the secret statement to be moved to another file.

# grep -C 1 include /etc/named.conf

// Include the key file used for the host1 and host2 TSIG comms
include "/etc/private/host1-host2.cisecurity.org.key";

# cat /var/named/chroot/etc/private/host1-host2.cisecurity.org.key
key host1-host2.cisecurity.org {
algorithm hmac-sha256;
secret "1R3DP9D81/yWXjqf3hlg2beRpti1883JnZ3s7RVb1HU=";
};

Default Value:

During a default install an rndc key is generated in a separate file /etc/rndc.key and included in the named.conf.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|14

Plugin: Unix

Control ID: b7fb4a9f7f9862c05293390f253af0860fca20afa55d76d7d5c719e321afe437