STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

Signature generation using the KSK must be done off-line, using the KSK private key stored off-line.

DISA Rule

SV-214166r612370_rule

Vulnerability Number

V-214166

Group Title

SRG-APP-000176-DNS-000096

Rule Version

IDNS-7X-000190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the Grid Master stores the keys, review each DNS zone's name server configuration to ensure the Grid Master does not appear as a name server (NS record); when configured in this manner, the Grid Master acts as a stealth name server and does not service client requests.

Refer to the Infoblox STIG Overview document for additional information on HSM usage.

Check Contents

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

By default, KSK private keys are stored on the Grid Master. When DNSSEC is enabled, the Grid Master by default enables the DNS service for internal processing only. No clients are permitted to use the Grid Master DNS service.

Navigate to Data Management >> DNS >> Zones.

Review each zone by selecting the zone and clicking edit, and selecting the "Name Servers" tab.

If the Grid Master is a listed name server and not marked "Stealth", this is a finding.

If an HSM is utilized, no further checks are necessary.

When complete, click "Cancel" to exit the "Properties" screen.
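As an added illustration (not part of the STIG text or of any Infoblox tooling), the following Python encodes the decision in the check above over constructed zone records: a zone is flagged when the Grid Master appears in its name server list without the stealth flag, a Classified network makes the rule Not Applicable, and an HSM removes the need for the zone review. The `NameServer`/`Zone` record layout and the grid-master name are assumptions, not the Infoblox WAPI.

```python
from dataclasses import dataclass, field


@dataclass
class NameServer:
    name: str               # member FQDN as listed on the zone's "Name Servers" tab
    stealth: bool = False   # True = stealth server (not published in NS, serves no clients)


@dataclass
class Zone:
    fqdn: str
    grid_primary: list = field(default_factory=list)      # assumed field name
    grid_secondaries: list = field(default_factory=list)  # assumed field name


def stealth_ksk_check(zones, grid_master, hsm_in_use=False, classified=False):
    """Return (status, [offending zone FQDNs]) following the STIG check order.

    status is "Not Applicable", "Not a Finding" or "Open".
    """
    if classified:                       # Classified network: requirement is N/A
        return "Not Applicable", []
    if hsm_in_use:                       # KSK private key lives in the HSM, not on the GM
        return "Not a Finding", []
    offending = []
    for zone in zones:
        for ns in zone.grid_primary + zone.grid_secondaries:
            if ns.name.lower() == grid_master.lower() and not ns.stealth:
                offending.append(zone.fqdn)   # GM listed as a non-stealth name server
                break
    return ("Open" if offending else "Not a Finding"), offending


# Constructed sample data (hypothetical names, not from any real grid)
GRID_MASTER = "gm.grid.example"
SAMPLE_ZONES = [
    Zone("corp.example", [NameServer("gm.grid.example", stealth=True)],
         [NameServer("ns1.grid.example")]),
    Zone("lab.example", [NameServer("gm.grid.example")], []),   # GM non-stealth -> finding
    Zone("dmz.example", [NameServer("ns1.grid.example")],
         [NameServer("ns2.grid.example")]),
]

if __name__ == "__main__":
    status, zones = stealth_ksk_check(SAMPLE_ZONES, GRID_MASTER)
    print(status, zones)   # Open ['lab.example']
```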

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3995

Comments