Information
Do not expose the TSIG key files through insecure network transmission of the files when deployed, or via insecure permissions or shares on any intermediate systems used for the key deployment.
The secret key protects the authenticity and integrity of TSIG communications, and disclosure of a key would allow an attacker to perform authenticated operations such as rndc administrative operations, zone transfers or dynamic updates.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Perform the following:
Correct the deployment procedure to ensure secure transmission and intermediate storage protection of keys during deployment.
Regenerate new keys via the corrected procedure and replace all previous TSIG keys.
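
One way to check the intermediate-storage part of the procedure, as an added example that is not part of the benchmark text: the function lists files under a staging directory that contain a BIND key clause (`secret "...";`) and grant any permission to group or other. The staging path, function names and sample key are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find TSIG key material left with loose permissions on an
# intermediate (staging) system. The directory argument is hypothetical;
# pass the path your own deployment procedure uses.

find_exposed_tsig_keys() {
    dir=$1
    # POSIX find: select regular files with ANY group/other permission bit,
    # then keep only those containing a BIND `secret "...";` statement.
    # grep exits non-zero when a batch has no match, so ignore find's status.
    find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
                         -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec grep -lE '^[[:space:]]*secret[[:space:]]+"' {} + || true
}

# Constructed sample: two copies of a made-up key clause in a throwaway
# staging directory, one world-readable and one owner-only.
demo_constructed_staging() {
    stage=$(mktemp -d)
    printf 'key "example-key" {\n    algorithm hmac-sha256;\n    secret "Q09OU1RSVUNURUQ=";\n};\n' \
        > "$stage/loose.key"
    cp "$stage/loose.key" "$stage/tight.key"
    chmod 644 "$stage/loose.key"   # readable by group and other: reported
    chmod 600 "$stage/tight.key"   # owner only: not reported
    find_exposed_tsig_keys "$stage"
    rm -rf "$stage"
}
```

Any key the function reports should be treated as disclosed and replaced through the corrected procedure, not just re-permissioned.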