STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015:

If the DNS server is using SIG(0), the DNS server implementation must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected transactions.

DISA Rule

SV-69133r1_rule

Vulnerability Number

V-54887

Group Title

SRG-APP-000427-DNS-000060

Rule Version

SRG-APP-000427-DNS-000060

Severity

CAT II

CCI(s)

• CCI-002470 - The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Weight

10

Fix Recommendation

Configure the DNS server to only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected transactions.

Check Contents

If the DNS server is using SIG(0), review the DNS server implementation configuration to determine if the DNS server only allows the use of DoD PKI-established certificate authorities for verification of the establishment of protected transactions. If the DNS server allows the use of other certificate authorities, this is a finding.

Vulnerability Number

V-54887

Documentable

False

Rule Version

SRG-APP-000427-DNS-000060

Severity Override Guidance

If the DNS server is using SIG(0), review the DNS server implementation configuration to determine if the DNS server only allows the use of DoD PKI-established certificate authorities for verification of the establishment of protected transactions. If the DNS server allows the use of other certificate authorities, this is a finding.

Check Content Reference

M

Target Key

2355

Comments