Detections
Analytics
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information - ZSK
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
DNSSEC is required for securing the DNS query/response transaction by providing data origin authentication and data integrity verification through signature verification and the chain of trustFailure to accomplish data origin authentication and data integrity verification could have significant effects on DNS Infrastructure. The resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service
Failure to validate name server replies would cause many networking functions and communications to be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down.
Failure to validate the chain of trust used with DNSSEC would have a significant impact on the security posture of the DNS server. Non-validated trust chains may contain rouge DNS servers and allow those unauthorized servers to introduce invalid data into an organizations DNS infrastructure. A compromise of this type would be difficult to detect and may have devastating effects on the validity and integrity of DNS zone information.
Satisfies: SRG-APP-000213-DNS-000024, SRG-APP-000215-DNS-000026, SRG-APP-000219-DNS-000028, SRG-APP-000219-DNS-000029, SRG-APP-000219-DNS-000030, SRG-APP-000347-DNS-000041, SRG-APP-000348-DNS-000042, SRG-APP-000349-DNS-000043, SRG-APP-000420-DNS-000053, SRG-APP-000421-DNS-000054, SRG-APP-000422-DNS-000055, SRG-APP-000423-DNS-000056, SRG-APP-000424-DNS-000057, SRG-APP-000425-DNS-000058, SRG-APP-000426-DNS-000059, SRG-APP-000441-DNS-000066, SRG-APP-000442-DNS-000067, SRG-APP-000516-DNS-000089
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Set the 'dnssec-enable' option to yes.Sign each zone file that the name server is responsible for.
Configure each zone the name server is responsible for to use a DNSSEC signed zone.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V1R9_STIG.zip
Item Details
Audit Name: DISA BIND 9.x STIG v1r9
Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AU-10(1), 800-53|AU-10(2), 800-53|SC-8(2), 800-53|SC-20, 800-53|SC-20(2), 800-53|SC-21, 800-53|SC-23, CAT|I, CCI|CCI-001178, CCI|CCI-001184, CCI|CCI-001663, CCI|CCI-001901, CCI|CCI-001902, CCI|CCI-001904, CCI|CCI-002420, CCI|CCI-002422, CCI|CCI-002462, CCI|CCI-002463, CCI|CCI-002464, CCI|CCI-002465, CCI|CCI-002466, CCI|CCI-002467, CCI|CCI-002468, Rule-ID|SV-87095r4_rule, STIG-ID|BIND-9X-001200, Vuln-ID|V-72471
Plugin: Unix
Control ID: a7c4a0400b7eeb7c6d9505a36024e372b07a2a6ba365b36248d46faa9c0c7f78