STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.

DISA Rule

SV-215607r561297_rule

Vulnerability Number

V-215607

Group Title

SRG-APP-000176-DNS-000094

Rule Version

WDNS-IA-000009

Severity

CAT II

CCI(s)

• CCI-000186 - The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.

Weight

10

Fix Recommendation

Ensure the private key corresponding to the ZSK is only stored on the name server accepting dynamic updates.

Check Contents

Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Note: This requirement is not applicable to servers with only a caching role.

For Active Directory-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through Active Directory replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the Active Directory database file, the signed copy of the zone remains in memory for Active Directory-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server.

If all DNS servers are AD integrated, this check is not applicable.

If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates and has a copy of the private key corresponding to the ZSK, this is a finding.

Vulnerability Number

V-215607

Documentable

False

Rule Version

WDNS-IA-000009

Severity Override Guidance

Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Note: This requirement is not applicable to servers with only a caching role.

For Active Directory-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through Active Directory replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the Active Directory database file, the signed copy of the zone remains in memory for Active Directory-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server.

If all DNS servers are AD integrated, this check is not applicable.

If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates and has a copy of the private key corresponding to the ZSK, this is a finding.

Check Content Reference

M

Target Key

4016

Comments