STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015

The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.

DISA Rule

SV-69165r1_rule

Vulnerability Number

V-54919

Group Title

SRG-APP-000516-DNS-000078

Rule Version

SRG-APP-000516-DNS-000078

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the validity period for the RRSIGs covering each zone's DNSKEY RRSet to be greater than two days and less than one week.

Check Contents

Review the DNS configuration files. Ensure the validity period for RRSIGs has been explicitly configured and is configured for a range of no less than two days and no more than one week.

If the validity period for the RRSIGs covering a zone's DNSKEY RRSet is less than two days or greater than one week, this is a finding.
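
The check above reviews configuration files; the same bounds can also be confirmed against the signatures a zone actually publishes. The following is an added example, not part of the SRG or of any DNS product: it assumes RRSIG records in zone-file presentation format with 14-digit UTC timestamps, and the zone names, key tags and signatures in the sample are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

MIN_VALIDITY = timedelta(days=2)   # lower bound from the check text
MAX_VALIDITY = timedelta(days=7)   # upper bound from the check text

# Constructed sample records (presentation format); all values are placeholders.
SAMPLE = """\
; constructed sample, not real zone data
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240106000000 20240101000000 11111 example.test. c2lnMQ==
short.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240102000000 20240101000000 22222 short.test. c2lnMg==
long.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240131000000 20240101000000 33333 long.test. c2lnMw==
example.test. 3600 IN RRSIG A 8 2 3600 20240301000000 20240101000000 11111 example.test. c2lnNA==
"""

def _ts(value):
    """Parse the YYYYMMDDHHmmSS (UTC) timestamp form used in RRSIG text."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def dnskey_rrsig_findings(text):
    """Return (owner, key_tag, validity, status) for each RRSIG covering DNSKEY."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "RRSIG" not in fields:
            continue  # skip blanks, comments and non-RRSIG records
        rdata = fields[fields.index("RRSIG") + 1:]
        if len(rdata) < 8 or rdata[0].upper() != "DNSKEY":
            continue  # the rule only concerns signatures over the DNSKEY RRSet
        # RDATA order: covered alg labels orig-ttl expiration inception key-tag signer
        expiration, inception = _ts(rdata[4]), _ts(rdata[5])
        validity = expiration - inception
        if validity < MIN_VALIDITY:
            status = "FINDING: validity period shorter than two days"
        elif validity > MAX_VALIDITY:
            status = "FINDING: validity period longer than one week"
        else:
            status = "OK"
        results.append((fields[0], int(rdata[6]), validity, status))
    return results

if __name__ == "__main__":
    for owner, tag, validity, status in dnskey_rrsig_findings(SAMPLE):
        print(f"{owner} keytag={tag} validity={validity} -> {status}")
```

Note that the expiration timestamp precedes the inception timestamp in the RRSIG text form, and that a period of exactly two days or exactly one week is not a finding under the check text.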

Documentable

False

Severity Override Guidance

Review the DNS configuration files. Ensure the validity period for RRSIGs has been explicitly configured and is configured for a range of no less than two days and no more than one week.

If the validity period for the RRSIGs covering a zone's DNSKEY RRSet is less than two days or greater than one week, this is a finding.

Check Content Reference

M

Target Key

2355

Comments