The BIND 9.x server implementation must use separate TSIG key-pairs when securing server-to-server transactions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-272421	SRG-APP-000158-DNS-000015	BIND-9X-001700	SV-272421r1124019_rule	2025-07-24	3

Description
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG[0]), thus uniquely identifying the other server.

Description

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG[0]), thus uniquely identifying the other server.

ℹ️ Check
Verify that the BIND 9.x server is configured to use separate TSIG key-pairs when securing server-to-server transactions. Inspect the "named.conf" file for the presence of TSIG key statements: On the primary name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA256; include "tsig-example.key"; }; zone "disa.mil" { type Primary; file "db.disa.mil"; allow-transfer { key tsig_example.; }; }; On the secondary name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA256; include "tsig-example.key"; }; server <ip_address> { keys { tsig_example }; }; zone "disa.mil" { type Secondary; Primarys { <ip_address>; }; file "db.disa.mil"; }; Verify that each TSIG key-pair listed is only used by a single key statement: # cat <tsig_key_file> If any TSIG key-pair is being used by more than one key statement, this is a finding.

ℹ️ Check

Verify that the BIND 9.x server is configured to use separate TSIG key-pairs when securing server-to-server transactions. Inspect the "named.conf" file for the presence of TSIG key statements: On the primary name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA256; include "tsig-example.key"; }; zone "disa.mil" { type Primary; file "db.disa.mil"; allow-transfer { key tsig_example.; }; }; On the secondary name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA256; include "tsig-example.key"; }; server <ip_address> { keys { tsig_example }; }; zone "disa.mil" { type Secondary; Primarys { <ip_address>; }; file "db.disa.mil"; }; Verify that each TSIG key-pair listed is only used by a single key statement: # cat <tsig_key_file> If any TSIG key-pair is being used by more than one key statement, this is a finding.

✔️ Fix
Create a separate TSIG key-pair for each key statement listed in the named.conf file. Configure the name server to use separate TSIG key-pairs for each key statement listed in the named.conf file. Restart the BIND 9.x process.