A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272436 | SRG-APP-000514-DNS-000075 | BIND-9X-002050 | SV-272436r1123956_rule | 2025-07-24 | 3 |
| Description |
|---|
| Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| ℹ️ Check |
|---|
| Verify that the DNSSEC and TSIG keys used by the BIND 9.x implementation are FIPS compliant. If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable. DNSSEC keys: Inspect the "named.conf" file and identify all of the DNSSEC signed zone files: zone "example.com" { file "signed_zone_file"; }; For each signed zone file identified, inspect the file for the "DNSKEY" records: 86400 DNSKEY 257 3 8 ( <KEY HASH> ) ; KSK; 86400 DNSKEY 256 3 8 ( <KEY HASH> ) ; ZSK; The fifth field in the above example identifies what algorithm was used to create the DNSKEY. If the fifth field, if the KSK DNSKEY is less than "8" (SHA256), this is a finding. If the algorithm used to create the ZSK is less than "8" (SHA256), this is a finding. TSIG keys: Inspect the "named.conf" file and identify all of the TSIG key statements: key tsig_example. { algorithm hmac-SHA256; include "tsig-example.key"; }; If each key statement does not use "hmac-SHA256" or a stronger algorithm, this is a finding. |
| ✔️ Fix |
|---|
| Create new DNSSEC and TSIG keys using a FIPS-approved cryptographic algorithm that meets or exceeds the strength of SHA-256. |