Disable the dnssec-accept-expired Option

Details

The dnssec-accept-expired option allows BIND to accept expired signatures during validation. The option should be disabled so that expired signatures will not be accepted.

Rationale:

Allowing expired signatures would leave the server vulnerable to replay attacks.

Solution

Change the dnssec-accept-expired option to have a value of “no”, or remove the option from the configuration files.

Default Value:

The dnssec-accept-expired option is disabled by default.

8 Operations – Logging, Monitoring and Maintenance

This section provides recommendations for the BIND server configurations related to operations, updates, logging and monitoring.

Supportive Information

The following resource is also helpful.

https://workbench.cisecurity.org/files/1735https://workbench.cisecurity.org/files/1735

This control applies to the following type of system Unix.

References

CSCv6|9

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles