STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015:

A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

DISA Rule

SV-69069r1_rule

Vulnerability Number

V-54823

Group Title

SRG-APP-000215-DNS-000026

Rule Version

SRG-APP-000215-DNS-000026

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure a recursive, caching-only server with the ability to perform DNSSEC validation.

Configure an authoritative name server to sign all zones and to update the entire chain of trust with the signature.

Check Contents

If the system being reviewed is an authoritative server, it must be able to provide records that can be authenticated (DS, RRSIG, etc.).

Compare the child zone's hash stored in the child's DS RR to the hash for the child's zone in the parent's zone information. Verify it is the same hash.

If the hashes do not match, or the child zone is not digitally signed, this is a finding.

If the system is a recursive server, it must be able to pass DNSSEC data and perform DNSSEC validation.

If DNSSEC validation capability is not enabled on a recursive DNS server, this is a finding.

If the hash for child domains is not reflected in the parent zone and the chain of trust is not verifiable, this is a finding.
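The hash comparison the check describes is the RFC 4034 DS computation: the parent publishes a DS record whose digest is the hash of the child's owner name (in canonical wire form) followed by the child's DNSKEY RDATA, and the chain of trust links only if one of the parent's DS records matches one of the child's DNSKEY records. The following script is an added example, not part of the STIG or of STIGQter; it recomputes the DS from the child's DNSKEY and compares it with the parent's DS set, reporting each of the three finding conditions above (hash mismatch, unsigned child, no verifiable chain). The zone name `child.example.` and the 64-byte "public key" are constructed placeholders, not a real key; the parent's DS lines are derived from that constructed key in the script itself, since no real delegation is involved.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509): 1 = SHA-1, 2 = SHA-256.
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(rdata_text: str) -> tuple:
    """Parse presentation-format DNSKEY RDATA: '<flags> <protocol> <algorithm> <base64 key>'."""
    parts = rdata_text.split()
    flags, protocol, algorithm = (int(p) for p in parts[:3])
    # dig may wrap the key into several whitespace-separated chunks; join them before decoding.
    pubkey = base64.b64decode("".join(parts[3:]))
    return flags, protocol, algorithm, pubkey


def parse_ds(rdata_text: str) -> tuple:
    """Parse presentation-format DS RDATA: '<key tag> <algorithm> <digest type> <hex digest>'."""
    parts = rdata_text.split()
    return int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]).upper()


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS RDATA the parent should publish for this DNSKEY (RFC 4034 section 5.1.4):
    digest over canonical owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def check_delegation(owner, parent_ds_rdata, child_dnskey_rdata):
    """Apply the STIG check to one delegation. Returns (ok, reason)."""
    if not child_dnskey_rdata:
        return False, "child zone publishes no DNSKEY records (zone not signed): finding"
    parent = {parse_ds(ds) for ds in parent_ds_rdata}
    if not parent:
        return False, "parent zone holds no DS for the child; chain of trust not verifiable: finding"
    for line in child_dnskey_rdata:
        flags, protocol, algorithm, pubkey = parse_dnskey(line)
        for digest_type in DS_DIGEST_ALGS:
            if ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type) in parent:
                return True, "a parent DS matches a child DNSKEY: chain of trust verified"
    return False, "no DS in the parent matches any child DNSKEY (hash mismatch): finding"


# Constructed sample data (not a real zone or key): a 64-byte placeholder "public key"
# and a second, "rolled" key standing in for a KSK the parent's DS was never updated for.
ZONE = "child.example."
KSK_B64 = base64.b64encode(bytes(range(64))).decode()
ROLLED_KSK_B64 = base64.b64encode(bytes(range(1, 65))).decode()
CHILD_DNSKEYS = [f"257 3 8 {KSK_B64}"]  # 257 = KSK/SEP flags, protocol 3, algorithm 8


def parent_ds_for(pubkey_b64: str) -> str:
    """Presentation-format DS the parent would publish for the given key (constructed here)."""
    tag, alg, dt, digest = ds_from_dnskey(ZONE, 257, 3, 8, base64.b64decode(pubkey_b64))
    return f"{tag} {alg} {dt} {digest}"


if __name__ == "__main__":
    print(check_delegation(ZONE, [parent_ds_for(KSK_B64)], CHILD_DNSKEYS))         # matching: ok
    print(check_delegation(ZONE, [parent_ds_for(ROLLED_KSK_B64)], CHILD_DNSKEYS))  # stale DS: finding
    print(check_delegation(ZONE, [parent_ds_for(KSK_B64)], []))                    # unsigned child: finding
```

On a live review the two inputs come from different servers: the DS set from the parent's authoritative servers (`dig +norecurse DS child.example. @<parent-ns>`) and the DNSKEY set from the child's (`dig DNSKEY child.example. @<child-ns>`); only the RDATA portions of those answers are fed to `check_delegation`. BIND's `dnssec-dsfromkey` performs the same DS computation if you would rather not script it. A match with the child's DNSKEY is necessary but not sufficient for a usable chain: the parent's DS must itself be covered by a valid RRSIG, which a validating resolver (or `delv`) checks end to end.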

Vulnerability Number

V-54823

Documentable

False

Rule Version

SRG-APP-000215-DNS-000026

Severity Override Guidance

If the system being reviewed is an authoritative server, it must be able to provide records that can be authenticated (DS, RRSIG, etc.).

Compare the child zone's hash stored in the child's DS RR to the hash for the child's zone in the parent's zone information. Verify it is the same hash.

If the hashes do not match, or the child zone is not digitally signed, this is a finding.

If the system is a recursive server, it must be able to pass DNSSEC data and perform DNSSEC validation.

If DNSSEC validation capability is not enabled on a recursive DNS server, this is a finding.

If the hash for child domains is not reflected in the parent zone and the chain of trust is not verifiable, this is a finding.

Check Content Reference

M

Target Key

2355

Comments