[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

242976

 
 

909

 
 

192814

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-90771-7

Platform: rhel7Date: (C)2017-06-29   (M)2022-10-10



Authenticate Zone Transfers If it is necessary for a secondary nameserver to receive zone dat Avia zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory: $ cd /tmp $ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com Kdns.example.com .+aaa +iiiii This output is the name of a file containing the new key. Read the file to find the base64-encoded key string: $ sudo cat Kdns.example.com .+NNN +MMMMM .key dns.example.com IN KEY 512 3 157 base64-key-string Add the directives to '/etc/named.conf' on the primary server: key zone-transfer-key { algorithm hmac-md5; secret "base64-key-string "; }; zone "example.com " IN { type master; allow-transfer { key zone-transfer-key; }; ... }; Add the directives below to '/etc/named.conf' on the secondary nameserver: key zone-transfer-key { algorithm hmac-md5; secret "base64-key-string "; }; server IP-OF-MASTER { keys { zone-transfer-key; }; }; zone "example.com " IN { type slave; masters { IP-OF-MASTER ; }; ... };


Parameter:


Technical Mechanism:

The BIND transaction signature (TSIG) functionality allows primary and secondary nameservers to use a shared secret to verify authorization to perform zone transfers. This method is more secure than using IP-based limiting to restrict nameserver access, since IP addresses can be easily spoofed. However, if you cannot configure TSIG between your servers because, for instance, the secondary nameserver is not under your control and its administrators are unwilling to configure TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs as a last resort. Fix: No Remediation Info

CCSS Severity:CCSS Metrics:
CCSS Score : Attack Vector:
Exploit Score: Attack Complexity:
Impact Score: Privileges Required:
Severity: User Interaction:
Vector: Scope:
 Confidentiality:
 Integrity:
 Availability:
  

References:
Resource IdReference


XCCDF    1

© SecPod Technologies