STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015:

NSEC3 must be used for all internal DNS zones.

DISA Rule

SV-69167r1_rule

Vulnerability Number

V-54921

Group Title

SRG-APP-000516-DNS-000084

Rule Version

SRG-APP-000516-DNS-000084

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure all internal zones to use the NSEC3 RR option for authenticated denial of existence.

Check Contents

Review the zone file's configuration for internal zones and confirm the NSEC3 RR option is used to provide authenticated denial of existence.

If the NSEC3 RR option is not used for internal zones, this is a finding.

Vulnerability Number

V-54921

Documentable

False

Rule Version

SRG-APP-000516-DNS-000084

Severity Override Guidance

Check Content Reference

Target Key

2355

NSEC3 must be used for all internal DNS zones.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments