STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide, Version 2, Release 4, Benchmark Date: 23 Oct 2015

A DNS server implementation must provide the means to indicate the security status of child zones.

DISA Rule

SV-69063r1_rule

Vulnerability Number

V-54817

Group Title

SRG-APP-000214-DNS-000025

Rule Version

SRG-APP-000214-DNS-000025

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure each child zone to upload its DS RRset to the parent zone.

Check Contents

Review the zones hosted by the DNS server. Every zone should have an RRset that includes the RRTypes RRSIG, DNSKEY and NSEC.

If a zone has a child zone, the RRset should also include a DS (Delegation Signer) RR, which contains a hash of the child zone's public key.

If the zones hosted by the DNS server do not have any child domains, this is not a finding.

If the zones hosted by the DNS server have child domains, and there is no DS RR in the zone's RRset, this is a finding.
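The check above can be run offline against a zone's records. The following is an added example, not part of the STIG or of STIGQter; it assumes a constructed zone named example.test. written in a simplified one-line master-file format, and reports every delegation (an NS RRset below the apex) that has no DS RRset, along with any of RRSIG, DNSKEY and NSEC/NSEC3 missing from the zone.

```python
# Added example: offline checker for this rule. It parses simple one-line
# master-file records (constructed below) and reports delegations lacking a DS RRset.
SIGNED_APEX_TYPES = {"DNSKEY", "RRSIG"}   # expected at the zone apex
DENIAL_TYPES = {"NSEC", "NSEC3"}          # authenticated denial, anywhere in the zone
APEX = "example.test."                    # placeholder zone name, not a real domain

SAMPLE_ZONE = """\
; constructed sample zone: child 'signed' has a DS record, 'unsigned' does not
@        3600 IN SOA    ns1 hostmaster 1 7200 3600 1209600 3600
@        3600 IN NS     ns1
@        3600 IN DNSKEY 257 3 13 PLACEHOLDER_KEY
@        3600 IN RRSIG  DNSKEY 13 2 3600 PLACEHOLDER_SIG
@        3600 IN NSEC   ns1 NS SOA RRSIG NSEC DNSKEY
ns1      3600 IN A      192.0.2.1
signed   3600 IN NS     ns1.signed
signed   3600 IN DS     12345 13 2 PLACEHOLDER_DIGEST
unsigned 3600 IN NS     ns1.unsigned
"""

def parse_zone(text, apex):
    """Return (owner, rrtype) pairs from 'owner [ttl] [class] type rdata' lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner = apex if fields[0] == "@" else fields[0]
        if not owner.endswith("."):
            owner = f"{owner}.{apex}"             # make relative owner names absolute
        idx = 1
        while fields[idx].isdigit() or fields[idx].upper() == "IN":
            idx += 1                              # skip optional TTL and class
        records.append((owner.lower(), fields[idx].upper()))
    return records

def check_zone(records, apex):
    """Apply the rule: every delegation (NS RRset below the apex) needs a DS RRset."""
    apex = apex.lower()
    types_at = {}
    for owner, rtype in records:
        types_at.setdefault(owner, set()).add(rtype)
    missing_apex = sorted(SIGNED_APEX_TYPES - types_at.get(apex, set()))
    if not DENIAL_TYPES & {t for ts in types_at.values() for t in ts}:
        missing_apex.append("NSEC/NSEC3")
    children = sorted(o for o, ts in types_at.items() if "NS" in ts and o != apex)
    missing_ds = [c for c in children if "DS" not in types_at[c]]
    return {"children": children, "missing_ds": missing_ds,
            "missing_apex": missing_apex, "finding": bool(missing_ds)}
```

For the constructed zone, `check_zone(parse_zone(SAMPLE_ZONE, APEX), APEX)` reports `unsigned.example.test.` as a delegation without a DS RRset, which under this rule is a finding.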

Documentable

False

Check Content Reference

M

Target Key

2355

Comments