← Rules Catalog
highsystemunverified

Ensure BIND uses the system crypto policy

bind-crypto-policy · RHEL ≥ 8 · 1 impl

Description

If the BIND name server is installed, /etc/named.conf must include /etc/crypto-policies/back-ends/bind.config so DNSSEC and TLS use FIPS-approved algorithms.

Rationale

A BIND server that does not inherit the system crypto policy may use weak, non-FIPS algorithms for DNSSEC signing or transport.

Check → Remediate

Checkcommand
if ! rpm -q bind >/dev/null 2>&1 && [ ! -f /etc/named.conf ]; then
  echo "NOT APPLICABLE: BIND (named) not installed"
  exit 0
fi
if grep -hqE '^\s*include\s+"?/etc/crypto-policies/back-ends/bind\.config"?' \
     /etc/named.conf 2>/dev/null; then
  echo "OK: named.conf includes the system crypto policy back-end"
  exit 0
fi
echo "FAIL: /etc/crypto-policies/back-ends/bind.config not included in named.conf"
exit 1
expected_exit:
0
Remediatemanual
note:
Add to the options section of /etc/named.conf: include "/etc/crypto-policies/back-ends/bind.config";

Framework references

STIG

V-281015 / RHEL-10-300080V-258242 / RHEL-09-672050V-279931 / RHEL-08-010275

NIST 800-53

SC-8
#bind#named#dns#crypto-policy#fips#stig