STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.

DISA Rule

SV-215578r561297_rule

Vulnerability Number

V-215578

Group Title

SRG-APP-000516-DNS-000078

Rule Version

WDNS-CM-000008

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the DNS server using the account designated as Administrator or DNS Administrator.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Right-click the zone and select DNSSEC, Properties.

Select the KSK Tab. For the "DNSKEY RRSET signature validity period (hours):" setting, configure to a value between 48-168 hours.

Select the ZSK Tab. For the "DNSKEY signature validity period (hours):" setting, configure to a value between 48-168 hours.

Check Contents

Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log on to the DNS server using the account designated as Administrator or DNS Administrator.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Right-click the zone and select DNSSEC, Properties.

Select the KSK Tab.

Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours.

Select the ZSK Tab.

Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours.

If either the KSK or ZSK Tab "DNSKEY signature validity period (hours):" values are set to less than 48 hours or more than 168 hours, this is a finding.
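The same check can be scripted across every signed zone on the server instead of opening each zone's DNSSEC properties by hand. The script below is an added example, not part of the STIG; it assumes the DnsServer PowerShell module and that Get-DnsServerZone exposes IsSigned/IsDsIntegrated and Get-DnsServerSigningKey exposes KeyType and DnsKeySignatureValidityPeriod (the value shown on the KSK and ZSK tabs).

```powershell
# Added example (not from the STIG): audit DNSKEY signature validity periods
# against the 48-168 hour window required by WDNS-CM-000008.
# Assumes the DnsServer module and DNS Administrator rights on the server.
Import-Module DnsServer

$MinHours = 48
$MaxHours = 168

function Test-DnsKeyValidityPeriod {
    param(
        [string]$ZoneName,
        [string]$KeyType,      # KeySigningKey or ZoneSigningKey
        [timespan]$Period      # DnsKeySignatureValidityPeriod of the key
    )
    $hours = [int]$Period.TotalHours
    [pscustomobject]@{
        Zone    = $ZoneName
        KeyType = $KeyType
        Hours   = $hours
        Finding = ($hours -lt $MinHours -or $hours -gt $MaxHours)
    }
}

# Scope: signed, file-backed primary zones. The check is not applicable to
# Active Directory-integrated zones, so those are skipped.
$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and $_.IsSigned -and -not $_.IsDsIntegrated
}

$results = foreach ($zone in $zones) {
    # One row per signing key (KSK and ZSK) of each zone.
    foreach ($key in Get-DnsServerSigningKey -ZoneName $zone.ZoneName) {
        Test-DnsKeyValidityPeriod -ZoneName $zone.ZoneName `
            -KeyType $key.KeyType `
            -Period $key.DnsKeySignatureValidityPeriod
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Finding }) {
    Write-Warning "WDNS-CM-000008: DNSKEY signature validity period outside 48-168 hours on one or more keys"
}
```

A key that is flagged can be corrected with Set-DnsServerSigningKey and a -DnsKeySignatureValidityPeriod inside the window, which is the scripted equivalent of the Fix Recommendation above.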

Vulnerability Number

V-215578

Documentable

False

Rule Version

WDNS-CM-000008

Severity Override Guidance


Check Content Reference

M

Target Key

4016

Comments