STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.

DISA Rule

SV-214202r612370_rule

Vulnerability Number

V-214202

Group Title

SRG-APP-000516-DNS-000078

Rule Version

IDNS-7X-000710

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Navigate to Data Management >> DNS >> Grid DNS Properties. Toggle “Advanced Mode” and select the "DNSSEC" tab.

Modify the “Zone-Signing Key Rollover Interval” to a period of less than two months.

When complete, click "Save & Close" to save the changes and exit the "Properties" screen.

Perform a service restart if necessary.

Follow manual key rollover procedures and ensure changes are published to all applicable systems, including parent DNS systems.

Check Contents

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Review the Infoblox DNSSEC configuration and validate the ZSK rollover interval is configured for a range of no more than two months.
Navigate to Data Management >> DNS >> Grid DNS properties.

Toggle Advanced Mode and click on the "DNSSEC" tab.

Validate the “Zone-Signing Key Rollover Interval” is configured to a value of less than two months.

If the “Zone-Signing Key Rollover Interval” is configured to a value more than two months, this is a finding.

When complete, click "Cancel" to exit the "Properties" screen.

The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments