STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015

Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.

DISA Rule

SV-69057r1_rule

Vulnerability Number

V-54811

Group Title

SRG-APP-000176-DNS-000096

Rule Version

SRG-APP-000176-DNS-000096

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create operational documentation that covers the safe management of keys and key storage within the DNS implementation. Include in the documentation steps to ensure that signature generation using the KSK is done off-line, using the KSK-private stored off-line or in the secure, protected module.

Check Contents

Review the DNS operational procedures and confirm that procedures exist to enforce that signature generation using the KSK is performed off-line, using the KSK-private stored off-line or in the secure, protected module.

If the procedures do not exist, or the procedures do not specify that signature generation is to be performed off-line from the name server, this is a finding.

Documentable

False

Severity Override Guidance

Review the DNS operational procedures and confirm that procedures exist to enforce that signature generation using the KSK is performed off-line, using the KSK-private stored off-line or in the secure, protected module.

If the procedures do not exist, or the procedures do not specify that signature generation is to be performed off-line from the name server, this is a finding.

Check Content Reference

M

Target Key

2355

Comments