The digital signature algorithm used for DNSSEC-enabled zones must be set to use RSA/SHA256 or RSA/SHA512.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-265986	SRG-APP-000516-DNS-000090	F5BI-DN-300017	SV-265986r1024860_rule	2024-09-09	1

Description
The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: - Digital Signature Algorithm (DSA); - RSA; - Elliptic Curve DSA (ECDSA). Of these three algorithms, RSA and DSA are more widely available, and hence are considered candidates of choice for DNSSEC. In terms of performance, both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. Hence, RSA is the recommended algorithm as far as this guideline is concerned. RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (e.g., RSA/SHA-256, ECDSA) are also specified. It can be expected that name servers and clients will be able to use the RSA algorithm at the minimum. It is suggested that at least one ZSK for a zone use the RSA algorithm. SHA-256, SHA-384, and SHA-512 are approved hash algorithms to be used as part of the algorithm suite for generating digital signatures. It is expected that there will be support for Elliptic Curve Cryptography in the DNSSEC.

Description

The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: - Digital Signature Algorithm (DSA); - RSA; - Elliptic Curve DSA (ECDSA). Of these three algorithms, RSA and DSA are more widely available, and hence are considered candidates of choice for DNSSEC. In terms of performance, both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. Hence, RSA is the recommended algorithm as far as this guideline is concerned. RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (e.g., RSA/SHA-256, ECDSA) are also specified. It can be expected that name servers and clients will be able to use the RSA algorithm at the minimum. It is suggested that at least one ZSK for a zone use the RSA algorithm. SHA-256, SHA-384, and SHA-512 are approved hash algorithms to be used as part of the algorithm suite for generating digital signatures. It is expected that there will be support for Elliptic Curve Cryptography in the DNSSEC.

ℹ️ Check
Verify automatically managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process have been configured. On the Main tab, click "DNS Delivery Keys DNSSEC Key List". The DNSSEC Key List screen opens. If the Digital signature algorithm used for DNSSEC-enabled zones is not set to use RSA/SHA256 or RSASHA512, this is a finding.

✔️ Fix
Create automatically managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process. 1. On the Main tab, click "DNS Delivery Keys DNSSEC Key List". The DNSSEC Key List screen opens. 2. Click "Create". The New DNSSEC Key screen opens. 3. In the "Name" field, type a name for the key. Zone names are limited to 63 characters. 4. From the "Type" list, select "Zone Signing Key". 5. From the "State" list, select "Enabled". 6. From the "Hardware Security Module" list, select "None". 7. From the "Algorithm" list, select the digest algorithm the system uses to generate the key signature. Select RSA/SHA256 or RSA/SHA512. 8. From the "Key Management" list, select "Automatic". The Key Settings area displays fields for key configuration. 9. In the "Bit Width" field, type "1024". 10. In the "TTL" field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize. 11. For the "Rollover Period" setting, in the "Days" field, type "21". 12. For the "Expiration Period" setting, in the "Days" field, type "30". Zero seconds indicates not set, and thus the key does not expire. 13. For the "Signature Validity Period" setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired. 14. For the "Signature Publication Period" setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached. 15. Click "Finished". To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select "Disabled" from the State list.

✔️ Fix

Create automatically managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process. 1. On the Main tab, click "DNS Delivery Keys DNSSEC Key List". The DNSSEC Key List screen opens. 2. Click "Create". The New DNSSEC Key screen opens. 3. In the "Name" field, type a name for the key. Zone names are limited to 63 characters. 4. From the "Type" list, select "Zone Signing Key". 5. From the "State" list, select "Enabled". 6. From the "Hardware Security Module" list, select "None". 7. From the "Algorithm" list, select the digest algorithm the system uses to generate the key signature. Select RSA/SHA256 or RSA/SHA512. 8. From the "Key Management" list, select "Automatic". The Key Settings area displays fields for key configuration. 9. In the "Bit Width" field, type "1024". 10. In the "TTL" field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize. 11. For the "Rollover Period" setting, in the "Days" field, type "21". 12. For the "Expiration Period" setting, in the "Days" field, type "30". Zero seconds indicates not set, and thus the key does not expire. 13. For the "Signature Validity Period" setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired. 14. For the "Signature Publication Period" setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached. 15. Click "Finished". To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select "Disabled" from the State list.