STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021

The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) RR for a zone's delegated children must be no less than two days and no more than one week.

DISA Rule

SV-233910r621666_rule

Vulnerability Number

V-233910

Group Title

SRG-APP-000214-DNS-000079

Rule Version

IDNS-8X-700005

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

1. Navigate to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode, click the "DNSSEC" tab, and edit the "Signature Validity" setting to a period between two days and one week.
3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
4. For any zone that was signed while an incorrect value was in effect, perform a ZSK rollover so that the RRSIGs are regenerated with inception and expiration dates that reflect the new value.
5. Navigate to Data Management >> DNS and select the "Zones" tab.
6. Using the zone selection check boxes and the DNSSEC drop-down menu, select "Rollover Zone-Signing Key".
7. When prompted, select "Roll Over".
8. Perform a service restart if necessary.

Check Contents

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.

1. Navigate to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode, click on "DNSSEC" tab, and review the "Signature Validity" setting.
3. Validate that the Signature Validity is configured for a range of no less than two days and no more than one week.
4. When complete, click "Cancel" to exit the "Properties" screen.

If the Signature Validity period is less than two days or greater than one week, this is a finding.
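The check above reads the grid-level "Signature Validity" setting, which is what governs new RRSIGs going forward. Zones signed before the setting was corrected still carry their old windows until the ZSK is rolled, so a practitioner will also want to confirm what the server actually serves. The following is an added example, not part of the STIG or of Infoblox's own tooling: it parses RRSIG records in standard presentation format (as printed by `dig +dnssec DS <child>` against the parent zone) and flags any DS signature whose validity window falls outside two days to one week. The sample records are constructed for illustration; the owner names, key tag and signature data are placeholders.

```python
"""Audit DNSSEC RRSIG validity windows for DS records (RFC 4034 section 3.2).

Added example for the Infoblox STIG rule IDNS-8X-700005. The RRSIG lines
below are constructed sample data in the presentation format that
`dig +dnssec DS child.example.mil` prints; they were not captured from a
real grid. Signature fields are truncated placeholders.
"""
from datetime import datetime, timezone, timedelta

# The STIG bounds: no less than two days, no more than one week (inclusive).
MIN_VALIDITY = timedelta(days=2)
MAX_VALIDITY = timedelta(days=7)

# Constructed sample: 7 days (compliant), 30 days (too long), 1 day (too short).
# Field order: owner ttl class RRSIG type alg labels orig_ttl expiration inception keytag signer sig
SAMPLE_RRSIGS = """\
childa.example.mil. 3600 IN RRSIG DS 8 3 3600 20210116120000 20210109120000 12345 example.mil. c2lnQQ==
childb.example.mil. 3600 IN RRSIG DS 8 3 3600 20210208120000 20210109120000 12345 example.mil. c2lnQg==
childc.example.mil. 3600 IN RRSIG DS 8 3 3600 20210110120000 20210109120000 12345 example.mil. c2lnQw==
"""


def parse_rrsig_time(field):
    """RRSIG inception/expiration in presentation format: YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return the timing-relevant fields of one RRSIG line, or None if not an RRSIG.

    Assumes the single-line form dig uses by default (not +multiline).
    """
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        return None
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "expiration": parse_rrsig_time(fields[8]),
        "inception": parse_rrsig_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
    }


def audit(text, type_covered="DS"):
    """Return (owner, validity, compliant) for each RRSIG covering `type_covered`."""
    results = []
    for line in text.splitlines():
        rec = parse_rrsig(line)
        if rec is None or rec["type_covered"] != type_covered:
            continue
        validity = rec["expiration"] - rec["inception"]
        compliant = MIN_VALIDITY <= validity <= MAX_VALIDITY
        results.append((rec["owner"], validity, compliant))
    return results


def has_finding(text, type_covered="DS"):
    """True if any covered RRSIG is outside the STIG's two-day to one-week window."""
    return any(not ok for _, _, ok in audit(text, type_covered))


if __name__ == "__main__":
    for owner, validity, ok in audit(SAMPLE_RRSIGS):
        status = "ok" if ok else "FINDING"
        print(f"{owner:24} validity={validity.days}d {status}")
```

Run it against live data by replacing `SAMPLE_RRSIGS` with the RRSIG lines from `dig +dnssec DS <child> @<infoblox-member>` for each delegated child. A window that is too short is also a risk, not just a policy miss: if re-signing or propagation lags, validators will treat the DS as bogus and the whole delegation goes dark.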

Vulnerability Number

V-233910

Documentable

False

Rule Version

IDNS-8X-700005

Severity Override Guidance


Check Content Reference

M

Target Key

5251

Comments