highsystemunverified
Ensure BIND uses the system crypto policy
bind-crypto-policy · RHEL ≥ 8 · 1 impl
Description
If the BIND name server is installed, /etc/named.conf must include /etc/crypto-policies/back-ends/bind.config so DNSSEC and TLS use FIPS-approved algorithms.
Rationale
A BIND server that does not inherit the system crypto policy may use weak, non-FIPS algorithms for DNSSEC signing or transport.
Check → Remediate
Checkcommand
if ! rpm -q bind >/dev/null 2>&1 && [ ! -f /etc/named.conf ]; then
echo "NOT APPLICABLE: BIND (named) not installed"
exit 0
fi
if grep -hqE '^\s*include\s+"?/etc/crypto-policies/back-ends/bind\.config"?' \
/etc/named.conf 2>/dev/null; then
echo "OK: named.conf includes the system crypto policy back-end"
exit 0
fi
echo "FAIL: /etc/crypto-policies/back-ends/bind.config not included in named.conf"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add to the options section of /etc/named.conf: include "/etc/crypto-policies/back-ends/bind.config";
Framework references
STIG
V-281015 / RHEL-10-300080V-258242 / RHEL-09-672050V-279931 / RHEL-08-010275
NIST 800-53
SC-8
#bind#named#dns#crypto-policy#fips#stig