BIND-9X-001106 - The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.

Information

Server-to-server (zone transfer) transactions are secured by TSIG, which enforces mutual server authentication using a key that is unique to each server pair, so that each server uniquely identifies its peer.
Enforcing separate TSIG key-pairs provides another layer of protection for the BIND implementation in the event that a TSIG key is compromised. This additional layer of security gives DNS administrators the ability to replace a compromised TSIG key with minimal disruption to DNS operations.
Failure to identify and authenticate devices can lead to malicious activity, such as a Man-In-The-Middle attack in which an attacker poses as an authorized name server and redirects legitimate customers to malicious websites. A failure on this part could also lead to a Denial of Service of any and all DNS services provided to an organization's network infrastructure.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Create a separate TSIG key-pair for each key statement listed in the named.conf file.
Configure the name server to utilize separate TSIG key-pairs for each key statement listed in the named.conf file.
Restart the BIND 9.x process.
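As an added example (not part of the STIG or the Nessus audit), the following Python script checks a named.conf fragment for the two ways this control is commonly violated: two key statements carrying the same secret, and one key name referenced by more than one server statement. The configuration fragment and key material are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed named.conf fragment (not from the page). ns1-ns2 and ns1-ns3 reuse
# one secret under two names, and ns1-ns4 is handed to two different peers.
SAMPLE_NAMED_CONF = """
key "ns1-ns2." { algorithm hmac-sha256; secret "c2VjcmV0LW9uZQ=="; };
key "ns1-ns3." { algorithm hmac-sha256; secret "c2VjcmV0LW9uZQ=="; };
key "ns1-ns4." { algorithm hmac-sha256; secret "c2VjcmV0LXR3bw=="; };
server 192.0.2.2 { keys { "ns1-ns2."; }; };
server 192.0.2.3 { keys { "ns1-ns3."; }; };
server 192.0.2.4 { keys { "ns1-ns4."; }; };
server 192.0.2.5 { keys { "ns1-ns4."; }; };
"""

# key "<name>" { algorithm ...; secret "..."; };  (body has no nested braces)
KEY_RE = re.compile(r'\bkey\s+"?([^"\s{]+)"?\s*\{([^}]*)\}', re.S)
# server <addr> { ... keys { "<name>"; ... }; };  (only the keys sub-block is needed)
SERVER_RE = re.compile(r'\bserver\s+([^\s{]+)\s*\{[^}]*?\bkeys\s*\{([^}]*)\}', re.S)


def parse_keys(conf):
    """Return {key_name: (algorithm, secret)} for every key statement."""
    keys = {}
    for name, body in KEY_RE.findall(conf):
        alg = re.search(r'algorithm\s+([\w-]+)', body)
        sec = re.search(r'secret\s+"([^"]+)"', body)
        keys[name] = (alg.group(1) if alg else None, sec.group(1) if sec else None)
    return keys


def parse_server_keys(conf):
    """Return {peer_address: [key_name, ...]} from server statements."""
    return {addr: re.findall(r'"([^"]+)"', body) for addr, body in SERVER_RE.findall(conf)}


def audit_tsig_keys(conf):
    """Flag key material or key names shared across more than one server pair."""
    by_secret, by_key = defaultdict(list), defaultdict(list)
    for name, (_alg, secret) in parse_keys(conf).items():
        by_secret[secret].append(name)
    for addr, names in parse_server_keys(conf).items():
        for name in names:
            by_key[name].append(addr)
    return {
        "shared_secret": [sorted(v) for v in by_secret.values() if len(v) > 1],
        "key_reused_for_peers": {k: sorted(v) for k, v in by_key.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for kind, hits in audit_tsig_keys(SAMPLE_NAMED_CONF).items():
        print(kind, hits or "none")
```

A compliant named.conf yields an empty list and an empty dict for the two findings; any hit names the key statements to regenerate before the process is restarted.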

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V2R3_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3, CAT|II, CCI|CCI-000778, Rule-ID|SV-207562r879599_rule, STIG-ID|BIND-9X-001106, STIG-Legacy|SV-87055, STIG-Legacy|V-72431, Vuln-ID|V-207562

Plugin: Unix

Control ID: 76d76b41661ab768370a0433905585f188d01bbf3a5a42b31c742f29c3fcfb88