BIND-9X-001700 - The BIND 9.x server implementation must use separate TSIG key-pairs when securing server-to-server transactions.

Information

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This requirement applies to server-to-server (zone transfer) transactions only and is satisfied by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG(0)), thus uniquely identifying the other server.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Create a separate TSIG key-pair for each key statement listed in the named.conf file.

Configure the name server to use separate TSIG key-pairs for each key statement listed in the named.conf file.

Restart the BIND 9.x process.
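As an added review aid (not part of the STIG or of Nessus output), the following Python script parses a named.conf fragment and reports any TSIG key that is bound to more than one peer in `server` statements, as well as distinct key names that carry the same secret. The named.conf sample, peer addresses and key names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed named.conf fragment (sample input, not from the STIG): 192.0.2.4
# reuses ns3's key, and xfer-ns5 is a separate key name with ns2's secret.
SAMPLE_NAMED_CONF = """
key "xfer-ns2" { algorithm hmac-sha256; secret "c2VjcmV0LW5zMg=="; };
key "xfer-ns3" { algorithm hmac-sha256; secret "c2VjcmV0LW5zMw=="; };
key "xfer-ns5" { algorithm hmac-sha256; secret "c2VjcmV0LW5zMg=="; };
server 192.0.2.2 { keys { "xfer-ns2"; }; };
server 192.0.2.3 { keys { "xfer-ns3"; }; };
server 192.0.2.4 { keys { "xfer-ns3"; }; };  // shared with 192.0.2.3
server 192.0.2.5 { keys { "xfer-ns5"; }; };
"""

KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;')
# server { keys { ... }; }; needs one level of brace nesting.
SERVER_RE = re.compile(r'\bserver\s+([\w.:/]+)\s*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;')
KEYS_RE = re.compile(r'\bkeys\s*\{([^}]*)\}')
SECRET_RE = re.compile(r'\bsecret\s+"([^"]+)"')

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: no markers inside strings)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def parse_named_conf(text):
    """Return ({key name: secret}, {peer address: [key names it uses]})."""
    text = strip_comments(text)
    keys = {}
    for name, body in KEY_RE.findall(text):
        m = SECRET_RE.search(body)
        keys[name] = m.group(1) if m else None
    servers = {}
    for peer, body in SERVER_RE.findall(text):
        m = KEYS_RE.search(body)
        servers[peer] = re.findall(r'"?([\w.-]+)"?\s*;', m.group(1)) if m else []
    return keys, servers

def find_shared_keys(keys, servers):
    """Keys bound to more than one peer, and key names sharing one secret."""
    peers_by_key = defaultdict(list)
    for peer, names in servers.items():
        for name in names:
            peers_by_key[name].append(peer)
    shared = {k: p for k, p in peers_by_key.items() if len(p) > 1}
    names_by_secret = defaultdict(list)
    for name, secret in keys.items():
        names_by_secret[secret].append(name)
    same_secret = [n for n in names_by_secret.values() if len(n) > 1]
    return shared, same_secret
```

Run `find_shared_keys(*parse_named_conf(open("/etc/named.conf").read()))` against the real file; each entry in either result is a key-pair that is not unique to one server pair.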

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V3R1_STIG.zip