8.2 Ensure Signing Keys are Generated with a Secure Algorithm

Information

When Zone Signing Keys (ZSK) or Key Signing Keys (KSK) are generated there are several secure DNSSEC digital signature algorithms that are recommended. The algorithms are listed below with the standard DNSSEC algorithm number followed by the common name, and then the BIND 9 mnemonic name used by dnssec-keygen.

- 8 RSA/SHA-256 RSASHA256

- 10 RSA/SHA-512 RSASHA512

- 13 ECDSA/SHA-256ECDSAP256SHA256

- 14 ECDSA/SHA-384ECDSAP384SHA384

- 15 Ed25519ED25519

Rationale:

A secure public key algorithm along with a secure hash algorithm, are part of the foundation for a secure digital secure. Weaknesses in older public key algorithms continue to develop, and it is important to use a recommended algorithm that is expected to be secure for the near future.

Solution

To remediate a weak key, perform the following:

Generate a new key to replace the weak key using dnssec-keygen and one of the recommended algorithms. Examples commands are shown below.

# dnssec-keygen -a RSASHA256 -b 2048 example.com
# dnssec-keygen -a ECDSAP384SHA384 cisecurity.org

Implement a rollover period to phase out the weak key and replace it with the newly generated key.

Once the key is fully deleted from active use, remove the file.

Default Value:

The default algorithm is RSASHA1.

See Also

https://workbench.cisecurity.org/files/2997

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12, CSCv7|18.5

Plugin: Unix

Control ID: 0b83732c5a9b1369a83069f5eb0dac9241a78e3da6456cfbfb4121a261aa6c7a