STIGQter STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide Version: 1 Release: 8 Benchmark Date: 25 Oct 2019: A DNS server implementation must provide the means to indicate the security status of child zones.

DISA Rule

SV-83023r3_rule

Vulnerability Number

V-68533

Group Title

SRG-APP-000214-DNS-000025

Rule Version

IDNS-7X-000220

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to Data Management >> DNS >> Zones tab.

Select the parent zone, and use the DNSSEC drop-down menu to select "Import Keyset".
Add the child zone DS RRs and select "Import".

Check Contents

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Infoblox systems within a Grid configuration automatically publish DS records to the parent zone when the child zone is signed.

If all name servers for parent and child zones are within an Infoblox Grid, this is not a finding.

Review the parent zones hosted on the Infoblox server for which the child zone is NOTE on the same Infoblox Grid. Each zone must include the Delegation Signer (DS) records for the child zone.

If DS records are not published in the parent zone for DNSSEC signed child zones, this is a finding.

Vulnerability Number

V-68533

Documentable

False

Rule Version

IDNS-7X-000220

Severity Override Guidance

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Infoblox systems within a Grid configuration automatically publish DS records to the parent zone when the child zone is signed.

If all name servers for parent and child zones are within an Infoblox Grid, this is not a finding.

Review the parent zones hosted on the Infoblox server for which the child zone is NOTE on the same Infoblox Grid. Each zone must include the Delegation Signer (DS) records for the child zone.

If DS records are not published in the parent zone for DNSSEC signed child zones, this is a finding.

Check Content Reference

M

Target Key

2995

Comments