Details
The TSIG secret keys used by the name server should be generated from a good source of entropy and should be at least 256 bits in length.
Rationale:
Weak cryptographic keys may allow cryptographic attacks to discover the key value, through repeated guesses. A strong HMAC key requires a good source of entropy and at least 256 bits in length.
Solution
For remediation, replace any keys which are too short with a securely generated key with a length of 256 or 512. The tsig-keygen command below can be used to generate a key.
# tsig-keygen -a sha256 ns1-ns4.example.net > ns1-ns4.example.net.key
# cat ns1-ns4.example.net.key
key ‘ns1-ns4.example.net’ {
algorithm hmac-sha256;
secret ‘ezoZopbE4Q73HShuFYlf3FRvLWjtNXI5fd0TeQAYOug=’;
};
Ensure the key file has the appropriate file permissions, and include the file in the named configuration file.
Default Value:
The rndc key is generated as 256 bits during bind-utils package install, and the nsupdate session key is dynamically generated with a length of 256 bits.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.