STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015: STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015:SV-69187r1_rule
V-54941
SRG-APP-000516-DNS-000097
SRG-APP-000516-DNS-000097
CAT II
10
Configure the DNS implementation to be compliant to the IETF specifications for DNS.
Protect DNS transactions, such as update of DNS name resolution data and data replication that involve DNS nodes within an enterprise's control. The transactions should be protected using hash-based message authentication codes based on shared secrets, as outlined in Internet Engineering Task Force's (IETF) Transaction Signature (TSIG) specification.
Protect the ubiquitous DNS query/response transaction that could involve any DNS node in the global Internet using digital signatures based on asymmetric cryptography, as outlined in IETF's Domain Name System Security Extension (DNSSEC) specification.
Review DNS implementation documentation to determine whether the DNS system has capabilities compliant to IETF RFC-1034 (Domain Names-Concepts and Facilities), RFC-1035 (Domain Names-Implementation and Specification), and subsequent RFCs. Systems using DNSSEC (DNS Security Extensions) should be compliant to RFC-4033 (DNS Security Introduction and Requirements), RFC-4024 (Resource Records for the DNS Security Extensions), RFC-4035 (Protocol Modifications for the DNS security Extensions), RFC-5155 (DNS Security (DNSSEC) Hashed Authenticated Denial of Existence) and related RFCs.
A DNS implementation may also be found non-compliant by empirical analysis, i.e., by experimentally querying and examine the answer. For example, a DNS implementation may not answer a query for the 'NS' resource record type with a CNAME reply.
If the implementation does not comply to the IETF DNS RFCs, this is a finding.
V-54941
False
SRG-APP-000516-DNS-000097
Review DNS implementation documentation to determine whether the DNS system has capabilities compliant to IETF RFC-1034 (Domain Names-Concepts and Facilities), RFC-1035 (Domain Names-Implementation and Specification), and subsequent RFCs. Systems using DNSSEC (DNS Security Extensions) should be compliant to RFC-4033 (DNS Security Introduction and Requirements), RFC-4024 (Resource Records for the DNS Security Extensions), RFC-4035 (Protocol Modifications for the DNS security Extensions), RFC-5155 (DNS Security (DNSSEC) Hashed Authenticated Denial of Existence) and related RFCs.
A DNS implementation may also be found non-compliant by empirical analysis, i.e., by experimentally querying and examine the answer. For example, a DNS implementation may not answer a query for the 'NS' resource record type with a CNAME reply.
If the implementation does not comply to the IETF DNS RFCs, this is a finding.
M
2355