The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-272375	SRG-APP-000176-DNS-000019	BIND-9X-001180	SV-272375r1123858_rule	2025-07-24	3

Description
Weak permissions of a TSIG key file could allow an adversary to modify the file, thus defeating the security objective.

ℹ️ Check
Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users. With the assistance of the DNS administrator, determine the location of the TSIG keys used by the BIND 9.x implementation: # ls -al <TSIG_Key_Location> -rw-r-----. 1 root named 76 May 10 20:35 tsig-example.key If the key files are more permissive than 640, this is a finding.

ℹ️ Check

Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users. With the assistance of the DNS administrator, determine the location of the TSIG keys used by the BIND 9.x implementation: # ls -al <TSIG_Key_Location> -rw-r-----. 1 root named 76 May 10 20:35 tsig-example.key If the key files are more permissive than 640, this is a finding.

✔️ Fix
Change the permissions of the TSIG key files: # chmod 640 <TSIG_key_file>