| BIND-9X-001010 - A BIND 9.x primary name server must limit the number of concurrent zone transfers between authorized secondary name servers. | ACCESS CONTROL |
| BIND-9X-001020 - The BIND 9.x secondary name server must limit the number of zones requested from a single primary name server. | ACCESS CONTROL |
| BIND-9X-001030 - The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time. | ACCESS CONTROL |
| BIND-9X-001040 - The BIND 9.x server implementation must limit the number of concurrent session client connections. | ACCESS CONTROL |
| BIND-9X-001050 - The print-severity variable for the configuration of BIND 9.x server logs must be configured to produce audit records containing information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY |
| BIND-9X-001060 - The print-time variable for the configuration of BIND 9.x server logs must be configured to establish when (date and time) the events occurred. | AUDIT AND ACCOUNTABILITY |
| BIND-9X-001070 - The print-category variable for the configuration of BIND 9.x server logs must be configured to record information indicating which process generated the events. | AUDIT AND ACCOUNTABILITY |
| BIND-9X-001110 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components based on selectable event criteria and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes. | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| BIND-9X-001140 - The BIND 9.x server private key corresponding to the zone-signing key (ZSK) pair must be the only DNSSEC key kept on a name server that supports dynamic updates. | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001150 - The BIND 9.x server signature generation using the key signing key (KSK) must be done offline, using the KSK-private key stored offline. | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001180 - The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software. | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001190 - A unique TSIG key used by a BIND 9.x server must be generated for each pair of communicating hosts. | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001200 - The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account. | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001210 - The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account. | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001220 - On a BIND 9.x server, for zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. | CONFIGURATION MANAGEMENT |
| BIND-9X-001230 - On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. | CONFIGURATION MANAGEMENT |
| BIND-9X-001240 - On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. | CONFIGURATION MANAGEMENT |
| BIND-9X-001250 - A BIND 9.x implementation operating in a split DNS configuration must be approved by the organization's authorizing official (AO). | CONFIGURATION MANAGEMENT |
| BIND-9X-001260 - On the BIND 9.x server the IP address for hidden primary authoritative name servers must not appear in the name servers set in the zone database. | CONFIGURATION MANAGEMENT |
| BIND-9X-001270 - A BIND 9.x server NSEC3 must be used for all internal DNS zones. | CONFIGURATION MANAGEMENT |
| BIND-9X-001280 - On the BIND 9.x server, the private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the BIND 9.x DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates. | CONFIGURATION MANAGEMENT |
| BIND-9X-001290 - The two files generated by the BIND 9.x server dnssec-keygen program must be owned by the administrator account or deleted once they have been copied to the key file in the name server. | CONFIGURATION MANAGEMENT |
| BIND-9X-001300 - The two files generated by the BIND 9.x server dnssec-keygen program must be group owned by the server administrator account or deleted once they have been copied to the key file in the name server. | CONFIGURATION MANAGEMENT |
| BIND-9X-001310 - Permissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users. | CONFIGURATION MANAGEMENT |
| BIND-9X-001320 - A BIND 9.x server validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. | CONFIGURATION MANAGEMENT |
| BIND-9X-001340 - On the BIND 9.x server, the private key corresponding to the zone signing key (ZSK), stored on name servers accepting dynamic updates, must be owned by named. | CONFIGURATION MANAGEMENT |
| BIND-9X-001350 - On the BIND 9.x server, the private key corresponding to the zone signing key (ZSK), stored on name servers accepting dynamic updates, must be group owned by named. | CONFIGURATION MANAGEMENT |
| BIND-9X-001360 - The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. government. | CONFIGURATION MANAGEMENT |
| BIND-9X-001370 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers. | CONFIGURATION MANAGEMENT |
| BIND-9X-001380 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| BIND-9X-001390 - The primary servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated. | CONFIGURATION MANAGEMENT |
| BIND-9X-001400 - On a BIND 9.x server, all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone. | CONFIGURATION MANAGEMENT |
| BIND-9X-001410 - On a BIND 9.x server, all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed. | CONFIGURATION MANAGEMENT |
| BIND-9X-001430 - The BIND 9.x server implementation must implement internal/external role separation. | CONFIGURATION MANAGEMENT |
| BIND-9X-001470 - Every NS record in a zone file on a BIND 9.x server must point to an active name server and that name server must be authoritative for the domain specified in that record. | CONFIGURATION MANAGEMENT |
| BIND-9X-001480 - On a BIND 9.x server, all authoritative name servers for a zone must be located on different network segments. | CONFIGURATION MANAGEMENT |
| BIND-9X-001490 - On the BIND 9.x server, the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port. | CONFIGURATION MANAGEMENT |
| BIND-9X-001500 - A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC. | CONFIGURATION MANAGEMENT |
| BIND-9X-001510 - The host running a BIND 9.x implementation must use a dedicated management interface to separate management traffic from DNS-specific traffic. | CONFIGURATION MANAGEMENT |
| BIND-9X-001520 - The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic. | CONFIGURATION MANAGEMENT |
| BIND-9X-001530 - The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation. | CONFIGURATION MANAGEMENT |
| BIND-9X-001540 - The core BIND 9.x server files must be group owned by a group designated for DNS administration only. | CONFIGURATION MANAGEMENT |
| BIND-9X-001550 - The core BIND 9.x server files must be owned by the root or BIND 9.x process account. | CONFIGURATION MANAGEMENT |
| BIND-9X-001570 - On a BIND 9.x server, all authoritative name servers for a zone must have the same version of zone information. | CONFIGURATION MANAGEMENT |
| BIND-9X-001580 - On the BIND 9.x server, CNAME records must not point to a zone with lesser security for more than six months. | CONFIGURATION MANAGEMENT |
| BIND-9X-001590 - On the BIND 9.x server, a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone. | CONFIGURATION MANAGEMENT |
| BIND-9X-001600 - The BIND 9.x name server software must run with restricted privileges. | CONFIGURATION MANAGEMENT |
| BIND-9X-001610 - The BIND 9.x implementation must not use a TSIG or DNSSEC key for more than one year. | CONFIGURATION MANAGEMENT |
| BIND-9X-001620 - The permissions assigned to the core BIND 9.x server files must be set to use the least privilege possible. | CONFIGURATION MANAGEMENT |
| BIND-9X-001630 - The host running a BIND 9.x implementation must implement a set of firewall rules that restrict traffic on the DNS interface. | CONFIGURATION MANAGEMENT |