STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:SV-215619r561297_rule
V-215619
SRG-APP-000215-DNS-000026
WDNS-SC-000011
CAT II
10
A DS records must be added manually or imported.
The DS resource record set (DSSET) is automatically added as a file to the Key Master when a zone is signed.
This file can be used with the Import-DnsServerResourceRecordDS cmdlet to import DS records to the parent zone.
Example:
PS C:\> Import-DnsServerResourceRecordDS -ZoneName adatum.com -DSSetFile "c:\windows\system32\dns\dsset-corp.adatum.com"
Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.
Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.
Issue the following command:
PS C:\> Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS
Replace adatum.com with the parent zone on the DNS server being evaluated.
HostName RecordType Timestamp TimeToLive RecordData
-------- ---------- --------- ---------- ----------
corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3]
corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3]
corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3]
corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3]
If the results do not show the DS records for child domain(s), this is a finding.
In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file that is located in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key Master for the child zone.
If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. Alternatively, the DS records can be added manually.
V-215619
False
WDNS-SC-000011
Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.
Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.
Issue the following command:
PS C:\> Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS
Replace adatum.com with the parent zone on the DNS server being evaluated.
HostName RecordType Timestamp TimeToLive RecordData
-------- ---------- --------- ---------- ----------
corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3]
corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3]
corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3]
corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3]
If the results do not show the DS records for child domain(s), this is a finding.
In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file that is located in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key Master for the child zone.
If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. Alternatively, the DS records can be added manually.
M
4016