{"description": "If it is necessary for a secondary nameserver to receive zone data\nvia zone transfer from the primary server, follow the instructions here.  Use\ndnssec-keygen to create a symmetric key file in the current directory:\n<pre>$ cd /tmp\n$ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com\nKdns.example.com .+aaa +iiiii</pre>\nThis output is the name of a file containing the new key. Read the file to find\nthe base64-encoded key string:\n<pre>$ sudo cat Kdns.example.com .+NNN +MMMMM .key\ndns.example.com IN KEY 512 3 157 base64-key-string</pre>\nAdd the directives to <tt>/etc/named.conf</tt> on the primary server:\n<pre>key zone-transfer-key {\n  algorithm hmac-md5;\n  secret \"base64-key-string \";\n};\nzone \"example.com \" IN {\n  type master;\n  allow-transfer { key zone-transfer-key; };\n  ...\n};</pre>\nAdd the directives below to <tt>/etc/named.conf</tt> on the secondary nameserver:\n<pre>key zone-transfer-key {\n  algorithm hmac-md5;\n  secret \"base64-key-string \";\n};\n\nserver IP-OF-MASTER {\n  keys { zone-transfer-key; };\n};\n\nzone \"example.com \" IN {\n  type slave;\n  masters { IP-OF-MASTER ; };\n  ...\n};</pre>", "rationale": "The BIND transaction signature (TSIG) functionality allows primary\nand secondary nameservers to use a shared secret to verify authorization to\nperform zone transfers. This method is more secure than using IP-based limiting\nto restrict nameserver access, since IP addresses can be easily spoofed.\nHowever, if you cannot configure TSIG between your servers because, for\ninstance, the secondary nameserver is not under your control and its\nadministrators are unwilling to configure TSIG, you can configure an\nallow-transfer directive with numerical IP addresses or ACLs as a last resort.", "severity": "medium", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "The purpose of the dnssec-keygen command is to\ncreate the shared secret string base64-key-string. Once this secret has been\nobtained and inserted into named.conf on the primary and secondary servers, the\nkey files Kdns.example.com .+NNN +MMMMM .key and Kdns.example.com .+NNN +MMMMM\n.private are no longer needed, and may safely be deleted."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Authenticate Zone Transfers", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/dns/dns_server_protection/dns_server_authenticate_zone_transfers/rule.yml", "template": null}