Check: DNS4715 (BIND DNS STIG, version v4 r1.2)
Title
DNSSEC is not enabled for verifying signed files between name servers with DNSSEC capabilities. (Cat II impact)
Discussion
A powerful feature of DNSSEC is the ability to sign record sets to ensure their integrity and authenticity throughout the DNS infrastructure and not just between the authoritative name server and its zone partner or local client. The advantages of this feature become apparent when DoD users wish to securely validate records from other organizations, including commercial vendors, business partners, and other Government agencies.
Check Content
This rule is only applicable to DNS servers using DNSSEC. If DNSSEC is not enabled, then this is N/A.

BIND instruction: Ask the DNS administrator for the directory location containing the named.conf file. Check for the following option:

options {
    dnssec-validation yes;
};

If this option is missing and the BIND version is 9.5 or greater, validation is enabled by default and this is not a finding.

If no secure zones are defined using DNSSEC validation, then no zone signing keys need exist and the server will support only unsecured zones, whether or not the dnssec-validation option is specified.

If secure zones are defined using DNSSEC, this is a finding when either the dnssec-validation option is set to no, or the BIND version is less than 9.5 and the dnssec-validation option is absent from the named.conf file.

Verify that key pairs for signing exist for each zone that will support DNSSEC validation.
Fix Text
Ensure that the version of BIND is 9.3.1 or higher with DNSSEC support. If the version is less than 9.5, then add the following entry to named.conf:

options {
    dnssec-validation yes;
};

Define the zones which will use DNSSEC and create the corresponding key pairs.
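The check and fix above reduce to a small decision: the value of dnssec-validation in named.conf, combined with the BIND release (9.5 is where the option defaults to yes). The script below is an added example, not part of the STIG text or of BIND, that automates that decision for an auditor. It assumes a POSIX shell with sed and awk, that the BIND version is supplied as MAJOR.MINOR[.PATCH] (for instance from `named -v`), and that the three named.conf fragments it writes to a temporary directory are constructed samples. It strips single-line `//` and `#` comments so a commented-out option is not mistaken for a setting, but does not handle `/* ... */` block comments. Whether DNSSEC is in use at all (the N/A case) and whether signing key pairs exist for each zone are left to the administrator.

```shell
#!/bin/sh
# Added example (not from the STIG or BIND): evaluate named.conf against DNS4715.

# Print the value of the dnssec-validation option, or "unset" if it is absent.
# Single-line // and # comments are removed first; /* */ blocks are not handled.
dnssec_validation_value() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" |
    awk '
        match($0, /dnssec-validation[[:space:]]+[A-Za-z]+[[:space:]]*;/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^dnssec-validation[[:space:]]+/, "", s)
            sub(/[[:space:]]*;$/, "", s)
            print s
            found = 1
            exit
        }
        END { if (!found) print "unset" }'
}

# Succeed if a MAJOR.MINOR[.PATCH] version is 9.5 or later, the release from
# which the check text treats dnssec-validation as enabled by default.
bind_at_least_9_5() {
    major=${1%%.*}
    case "$1" in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 5 ]; }
}

# dns4715_status CONF_FILE BIND_VERSION prints one of:
#   not-a-finding  option is yes, or unset on a 9.5+ release where yes is the default
#   finding        option is no, or unset on a release before 9.5
#   review         an unrecognised value; inspect by hand
dns4715_status() {
    val=$(dnssec_validation_value "$1")
    case "$val" in
        yes)   echo not-a-finding ;;
        no)    echo finding ;;
        unset) if bind_at_least_9_5 "$2"; then echo not-a-finding; else echo finding; fi ;;
        *)     echo review ;;
    esac
}

# Constructed sample configurations (not real deployments).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/on.conf" <<'EOF'
options {
    directory "/var/named";
    dnssec-validation yes;
};
EOF
cat > "$tmp/off.conf" <<'EOF'
options {
    // dnssec-validation yes;   commented out, so it must not count as set
    dnssec-validation no;
};
EOF
cat > "$tmp/unset.conf" <<'EOF'
options { directory "/var/named"; };
EOF

# Show how the same file is judged differently on a pre-9.5 and a 9.5+ release.
for f in on off unset; do
    printf '%-5s on 9.4.2: %s\n' "$f" "$(dns4715_status "$tmp/$f.conf" 9.4.2)"
    printf '%-5s on 9.9.4: %s\n' "$f" "$(dns4715_status "$tmp/$f.conf" 9.9.4)"
done
```

On a real host, point `dns4715_status` at the named.conf path the administrator supplies and pass the version reported by `named -v`; the `unset` branch is what separates a pre-9.5 server silently running without validation (a finding) from a later release relying on the default.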
Additional Identifiers
Rule ID: SV-50954r1_rule
Vulnerability ID: V-39138
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |