BIND-9X-001150 - The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.


The private key in the KSK key pair must be protected from unauthorized access. The private key should be stored off-line (with respect to the Internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy.

Failure to protect the private KSK may have significant effects on the overall security of the DNS infrastructure. A compromised KSK could lead to an inability to detect unauthorized DNS zone data, resulting in network traffic being redirected to a rogue site.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Remove all private KSKs from the name server and ensure that they are stored offline in a secure location.
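A defender-side check for the remediation above, as an added example that is not part of the STIG or the Nessus audit: it lists every KSK private key still present in a BIND 9 key directory. It assumes BIND's standard Kname.+alg+id.key / .private file naming, a DNSKEY flags value of 257 for a KSK (256 for a ZSK), and a key directory path passed in by the caller; the sample directory it builds is constructed for demonstration and holds no real key material.

```shell
#!/bin/sh
# Added example (not part of the STIG or Nessus audit). Finds KSK private
# keys that remain on the name server, which this rule says must be offline.

# Print the path of every .private file whose companion .key file is a KSK.
find_ksk_private() {
    dir="$1"
    for keyfile in "$dir"/K*.key; do
        [ -f "$keyfile" ] || continue
        # DNSKEY RDATA after the type field: <flags> <protocol> <algorithm> <pubkey>
        # flags 257 = zone key + SEP bit, i.e. a KSK; flags 256 = ZSK.
        flags=$(awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }' "$keyfile")
        priv="${keyfile%.key}.private"
        if [ "$flags" = "257" ] && [ -f "$priv" ]; then
            echo "$priv"
        fi
    done
}

# Returns 0 when no KSK private key is present (compliant), 1 otherwise.
check_ksk_offline() {
    found=$(find_ksk_private "$1")
    if [ -n "$found" ]; then
        echo "FINDING: KSK private key(s) present on name server:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample key directory (demo data, not real keys): one KSK and
# one ZSK for example.com, both with their .private file still on disk.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'example.com. IN DNSKEY 257 3 13 AwEAAdemoKSKpublic==\n' > "$d/Kexample.com.+013+11111.key"
    printf 'Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\n' > "$d/Kexample.com.+013+11111.private"
    printf 'example.com. 3600 IN DNSKEY 256 3 13 AwEAAdemoZSKpublic==\n' > "$d/Kexample.com.+013+22222.key"
    printf 'Private-key-format: v1.3\n' > "$d/Kexample.com.+013+22222.private"
    echo "$d"
}

# Usage against a live server (assumed path): check_ksk_offline /var/named/keys
```

Only the KSK's .private file is reported; the ZSK private key is expected to stay on the server for routine zone signing.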

Item Details


References: 800-53|IA-5(2)(b), CAT|I, CCI|CCI-000186, Rule-ID|SV-207576r612253_rule, STIG-ID|BIND-9X-001150, STIG-Legacy|SV-87093, STIG-Legacy|V-72469, Vuln-ID|V-207576

Plugin: Unix

Control ID: 1a26c50ccbee09bf71c80e1a8ebd3f62152a91775948356122ba3f5bc9b470d9