Details
A unique TSIG key should be used for each pair of communicating hosts. For example, if there is one master authoritative name server and three slave authoritative name servers that are updated by the master, then there needs to be a unique TSIG key for at least the following:
– Master <-> Slave1
– Master <-> Slave2
– Master <-> Slave3
Rationale:
Each communication channel should have a unique key, to reduce the risk of key disclosure. If one of the TSIG keys or one of the slave servers is compromised, then the remaining TSIG keys are not disclosed.
Solution
Generate unique keys for host to host communication. The command below can be used to generate 2 files, and
$ dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ns1-ns2.cisecurity.org
Kns1-ns2.cisecurity.org.+163+13013
$ cat Kns1-ns2.cisecurity.org.+163+13013.key
ns1-ns2.cisecurity.org. IN KEY 512 3 163 9FQ2dYCQ17HJwDi/uHgANh2dlb8M7eb+F4AjML8tTdA=
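An added example, not part of the benchmark text or of BIND itself: a Python check that reads a named.conf fragment and reports any TSIG key bound to more than one peer, and any secret reused under several key names. It assumes peers are bound to keys through server statements with a keys clause; the sample configuration, host names, addresses and secrets are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed named.conf fragment (not from the page); names, addresses and
# secrets are placeholders. ns1-ns3 is bound to two peers, and ns1-ns4
# carries the same secret as ns1-ns2.
SAMPLE_CONF = '''
// master with three slaves
key "ns1-ns2.example.org" { algorithm hmac-sha256; secret "PLACEHOLDER-A"; };
key "ns1-ns3.example.org" { algorithm hmac-sha256; secret "PLACEHOLDER-B"; };
key "ns1-ns4.example.org" { algorithm hmac-sha256; secret "PLACEHOLDER-A"; };
server 192.0.2.2 { keys { "ns1-ns2.example.org"; }; };
server 192.0.2.3 { keys { "ns1-ns3.example.org"; }; };
server 192.0.2.4 { keys { "ns1-ns3.example.org"; }; };
'''

KEY_RE = re.compile(r'\bkey\s+"?([^\s"{]+)"?\s*\{(.*?)\}\s*;', re.S)
SECRET_RE = re.compile(r'\bsecret\s+"([^"]+)"')
# Accepts both `keys { name; };` and `keys name;` inside a server statement.
SERVER_RE = re.compile(
    r'\bserver\s+(\S+)\s*\{[^{}]*?\bkeys\s*\{?\s*"?([^\s";{}]+)"?\s*;')


def audit_tsig_uniqueness(conf_text):
    """Report TSIG keys bound to several peers and secrets reused across key names."""
    # Drop whole-line comments only: base64 secrets may legitimately contain "//".
    text = re.sub(r'^\s*(//|#).*$', '', conf_text, flags=re.M)

    names_by_secret = defaultdict(set)
    for name, body in KEY_RE.findall(text):
        secret = SECRET_RE.search(body)
        if secret:
            names_by_secret[secret.group(1)].add(name)

    peers_by_key = defaultdict(set)
    for peer, key_name in SERVER_RE.findall(text):
        peers_by_key[key_name].add(peer)

    return {
        # key name -> peers sharing it (violates one key per host pair)
        "shared_keys": {k: sorted(p) for k, p in peers_by_key.items() if len(p) > 1},
        # groups of key names with identical secret material (secret itself not echoed)
        "duplicate_secrets": sorted(sorted(n) for n in names_by_secret.values() if len(n) > 1),
    }


if __name__ == "__main__":
    print(audit_tsig_uniqueness(SAMPLE_CONF))
```

Keys referenced only from allow-transfer or similar ACL clauses are outside what this check covers.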
Default Value:
The rndc key is automatically generated during package installation.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.