The BIND 9.x server signature generation using the key signing key (KSK) must be done offline, using the KSK-private key stored offline.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272373 | SRG-APP-000176-DNS-000096 | BIND-9X-001150 | SV-272373r1124070_rule | 2025-07-24 | 3 |
| Description |
|---|
| The private key in the KSK key pair must be protected from unauthorized access. The private key must be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, nonnetwork-accessible machine along with the zone file primary copy. Failure to protect the private KSK may have significant effects on the overall security of the DNS infrastructure. A compromised KSK could lead to an inability to detect unauthorized DNS zone data resulting in network traffic being redirected to a rogue site. |
| ℹ️ Check |
|---|
| Verify that no private KSKs are stored on the name sever. With the assistance of the DNS administrator, obtain a list of all DNSSEC private keys that are stored on the name server. Inspect the signed zone files(s) and if there are local zones, look for the KSK key ID: DNSKEY 257 3 8 ( <hash_algorithm) ; KSK ; alg = ECDSAP256SHA256; key id = 52807 Verify that none of the identified private keys are KSKs. An example private KSK would look like the following: Kexample.com.+008+52807.private If private KSKs are stored on the name server, this is a finding. |
| ✔️ Fix |
|---|
| Remove all private KSKs from the name server and ensure they are stored offline in a secure location. |