The BIND 9.x server implementation must use separate TSIG key-pairs when securing server-to-server transactions.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272421 | SRG-APP-000158-DNS-000015 | BIND-9X-001700 | SV-272421r1124019_rule | 2026-05-01 | 3 |
Description
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG[0]), thus uniquely identifying the other server.
ℹ️ Check
Verify that the BIND 9.x server is configured to use separate TSIG key-pairs when securing server-to-server transactions.
Inspect the "named.conf" file for the presence of TSIG key statements:
On the primary name server, this is an example of a configured key statement:
key tsig_example. {
algorithm hmac-SHA256;
include "tsig-example.key";
};
zone "disa.mil" {
type Primary;
file "db.disa.mil";
allow-transfer { key tsig_example.; };
};
On the secondary name server, this is an example of a configured key statement:
key tsig_example. {
algorithm hmac-SHA256;
include "tsig-example.key";
};
server <ip_address> {
keys { tsig_example };
};
zone "disa.mil" {
type Secondary;
Primarys { <ip_address>; };
file "db.disa.mil";
};
Verify that each TSIG key-pair listed is only used by a single key statement:
# cat <tsig_key_file>
If any TSIG key-pair is being used by more than one key statement, this is a finding.
✔️ Fix
Create a separate TSIG key-pair for each key statement listed in the named.conf file.
Configure the name server to use separate TSIG key-pairs for each key statement listed in the named.conf file.
Restart the BIND 9.x process.