BIND-9X-001150 - The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.

Information

The private key in the KSK key pair must be protected from unauthorized access. The private key should be stored off-line (with respect to the Internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy.

Failure to protect the private KSK may have significant effects on the overall security of the DNS infrastructure. A compromised KSK could lead to an inability to detect unauthorized DNS zone data resulting in network traffic being redirected to a rogue site.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remove all private KSKs from the name server and ensure that they are stored offline in a secure location.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V2R3_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(b), CAT|I, CCI|CCI-000186, Rule-ID|SV-207576r879613_rule, STIG-ID|BIND-9X-001150, STIG-Legacy|SV-87093, STIG-Legacy|V-72469, Vuln-ID|V-207576

Plugin: Unix

Control ID: 958493a89a8b2f066f81ad83f2684625f6f95730db1ebe3389d35efe11254366