STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

NSEC3 must be used for all internal DNS zones.

DISA Rule

SV-214203r612370_rule

Vulnerability Number

V-214203

Group Title

SRG-APP-000516-DNS-000084

Rule Version

IDNS-7X-000720

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to Data Management >> DNS >> Grid DNS Properties.

Toggle Advanced Mode and edit the "DNSSEC" tab.
Ensure "Resource Record Type for Nonexistent Proof" is set to NSEC3.
Re-sign all DNSSEC zones which previously used NSEC.

Check Contents

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Review the zone configuration and confirm that, if DNSSEC is enabled, NSEC3 is utilized.

Review zone data, or use Global Search with the search string "." and the filter "Type Equals NSEC Record", to verify that no undesired NSEC records exist.

If NSEC records exist in an active zone, this is a finding.
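The same check can be run against a text export of a zone. The following Python is an added example, not part of the STIG or of Infoblox tooling; it assumes the zone data is in standard master-file text format, and the sample zone, names and function names are constructed for illustration. It reports only records whose type is NSEC, so NSEC3, NSEC3PARAM and RRSIG records that merely cover NSEC are not counted.

```python
import re

CLASSES = {"IN", "CH", "HS"}
TTL = re.compile(r"(\d+[smhdw])*\d*", re.I)  # 3600, 1h, 1h30m

# Constructed sample (not real data): two legacy NSEC records beside NSEC3.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@ IN SOA ns1 hostmaster (
        2021012201 7200 3600
        1209600 3600 )
@ IN NSEC host1.example.test. NS SOA RRSIG NSEC DNSKEY
  IN RRSIG NSEC 8 2 3600 20210301000000 20210201000000 12345 example.test. c2ln
host1 300 IN A 192.0.2.10
host1 IN NSEC example.test. A RRSIG NSEC ; legacy chain
@ IN NSEC3PARAM 1 0 10 AABBCCDD
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom 3600 IN NSEC3 1 0 10 AABBCCDD 2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG
"""

def logical_lines(text):
    """Yield (first_line_no, record_text), joining ( ... ) continuations."""
    buf, depth, start = "", 0, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]      # assumes no ';' inside quoted rdata
        if depth == 0:
            buf, start = "", n
        buf += line + " "
        depth = max(depth + line.count("(") - line.count(")"), 0)
        if depth == 0:
            yield start, buf.replace("(", " ").replace(")", " ")

def rr_types(text):
    """Yield (line_no, owner, type) for each resource record."""
    owner = None
    for n, rec in logical_lines(text):
        fields = rec.split()
        if not fields or fields[0].startswith("$"):
            continue                     # blank line or $ORIGIN/$TTL directive
        if not rec[0].isspace():
            owner = fields.pop(0)        # otherwise the owner is inherited
        while fields and (fields[0].upper() in CLASSES or TTL.fullmatch(fields[0])):
            fields.pop(0)                # optional TTL and class, either order
        if fields:
            yield n, owner, fields[0].upper()

def nsec_findings(text):
    """(line_no, owner) of every NSEC record; any entry is a finding."""
    return [(n, o) for n, o, t in rr_types(text) if t == "NSEC"]
```

An empty list from `nsec_findings` corresponds to a zone with no NSEC records; each returned pair points at a record to remove by re-signing the zone with NSEC3.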

Documentable

False

Severity Override Guidance

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Review the zone configuration and confirm that, if DNSSEC is enabled, NSEC3 is utilized.

Review zone data, or use Global Search with the search string "." and the filter "Type Equals NSEC Record", to verify that no undesired NSEC records exist.

If NSEC records exist in an active zone, this is a finding.

Check Content Reference

M

Target Key

3995

Comments