Configure BIND to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
BIND is supported by crypto policy, but the BIND configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf
includes the appropriate configuration:
In the options
section of /etc/named.conf
, make sure that the following line
is not commented out or superseded by later includes:
include "/etc/crypto-policies/back-ends/bind.config";
Overriding the system crypto policy makes the behavior of the BIND service violate expectations,
and makes system configuration more fragmented.
The following script can be run on the host to remediate the issue.
#!/bin/bash
function remediate_bind_crypto_policy() {
CONFIG_FILE="/etc/named.conf"
if test -f "$CONFIG_FILE"; then
sed -i 's|options {|&\n\tinclude "/etc/crypto-policies/back-ends/bind.config";|' "$CONFIG_FILE"
return 0
else
echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
return 1
fi
}
remediate_bind_crypto_policy