STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide, Version: 2, Release: 4, Benchmark Date: 23 Oct 2015

The private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must have appropriate directory/file-level access control list-based or cryptography-based protections.

DISA Rule

SV-69205r1_rule

Vulnerability Number

V-54959

Group Title

SRG-APP-000516-DNS-000111

Rule Version

SRG-APP-000516-DNS-000111

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Apply permissions to the private key corresponding to the ZSK alone with read/modify permissions for the account under which the name server software is run.

Check Contents

Review the DNS name server and documentation to determine whether it accepts dynamic updates. If dynamic updates are accepted, ensure the private key corresponding to the ZSK alone is protected with directory/file-level access control list-based or cryptography-based protections.

If the private key corresponding to the ZSK alone is not protected with directory/file-level access control list-based or cryptography-based protections, this is a finding.
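One way to automate the file-level part of this check on a POSIX host, as an added example that is not part of the SRG or of any name server product. It assumes POSIX mode bits only (extended ACLs and cryptographic protection are not inspected), and the key file name is a constructed sample modeled on BIND's `K<zone>.+<alg>+<id>.private` convention; `audit_zsk_key` and `service_uid` are hypothetical names.

```python
import os
import stat
import tempfile

def audit_zsk_key(key_path, service_uid):
    """Return findings for one ZSK private key file; an empty list means compliant."""
    try:
        st = os.lstat(key_path)  # lstat: judge the path itself, not a symlink target
    except FileNotFoundError:
        return [f"{key_path}: key file not found"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{key_path}: not a regular file (symlink or special file)"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # Only the account the name server runs as may own the key.
    if st.st_uid != service_uid:
        findings.append(f"{key_path}: owned by uid {st.st_uid}, expected {service_uid}")
    # Any group/other bit means an account besides the service can reach the key.
    if mode & 0o077:
        findings.append(f"{key_path}: mode {mode:04o} grants group/other access")
    # The fix text calls for read/modify for the service account itself.
    if (mode & 0o600) != 0o600:
        findings.append(f"{key_path}: mode {mode:04o} lacks owner read/modify")

    # Directory-level control: a writable parent lets another account swap the key file.
    parent = os.path.dirname(os.path.abspath(key_path))
    dmode = stat.S_IMODE(os.stat(parent).st_mode)
    if dmode & 0o022:
        findings.append(f"{parent}: directory mode {dmode:04o} is group/other writable")
    return findings

if __name__ == "__main__":
    # Constructed sample: a throwaway directory and an empty stand-in key file.
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "Kexample.test.+013+12345.private")
        open(key, "w").close()
        for m in (0o600, 0o644):
            os.chmod(key, m)
            print(f"{m:04o}:", audit_zsk_key(key, os.getuid()) or "no finding")
```

On a real server, pass the UID of the account the name server software runs as and the path of each ZSK `.private` file in the key directory.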

Documentable

False

Check Content Reference

M

Target Key

2355
