Check: DNS0910
CISCO CSS DNS: DNS0910 (in version v4 r1.18)
Title
Zones are delegated with the CSS DNS. (Cat III impact)
Discussion
Although it is technically possible to delegate zones within CSS DNS, there is almost never a rationale to do so, because such delegation could be achieved as easily with BIND, which offers security features not present in CSS DNS. Moreover, the performance-enhancing features of CSS typically would not apply to name server records, because these records are obtained easily and quickly across the wide area without significant impact on a user's experience.
Check Content
In the presence of the reviewer, the CSS DNS administrator should enter the following command while in global configuration mode:
show dns-record statistics
There should be no DNS record types of NS. If there are NS records, then this is a finding.
Fix Text
The CSS DNS administrator should remove any NS records with the following command while in global configuration mode:
no dns-record ns domain_name
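An offline companion to the check and fix above, added here as an example and not part of the STIG or of any Cisco tooling: it scans a saved copy of the CSS configuration for NS record definitions and produces the matching removal commands from the Fix Text. It assumes NS records appear in the configuration as lines beginning `dns-record ns domain_name`, the form the Fix Text negates; the sample configuration, its domain names and the trailing arguments are constructed.

```python
import re

# Constructed sample of a saved CSS configuration (not real device output).
SAMPLE_CONFIG = """\
!*************************** GLOBAL ***************************
  dns-server
  dns-record a www.example.com 192.0.2.10
  dns-record ns sub.example.com 192.0.2.53
  DNS-RECORD NS lab.example.net 198.51.100.53 30 single
  no dns-record ns old.example.org
  dns-record a ns.example.com 192.0.2.11
"""

# Assumption: an NS record is defined by a line starting "dns-record ns <domain_name>".
# Anchoring at line start keeps "no dns-record ns ..." (a removal) from matching.
NS_RECORD = re.compile(r"^\s*dns-record\s+ns\s+(\S+)", re.IGNORECASE)


def find_ns_records(config_text):
    """Return (line_number, domain_name) for every NS record definition."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("!"):  # comment / banner line
            continue
        match = NS_RECORD.match(line)
        if match:
            findings.append((lineno, match.group(1).lower()))
    return findings


def remediation_commands(findings):
    """Build the Fix Text command for each distinct delegated domain."""
    commands = []
    for _, domain in findings:
        command = f"no dns-record ns {domain}"
        if command not in commands:
            commands.append(command)
    return commands


def evaluate(config_text):
    """Summarise DNS0910 for one configuration: any NS record is a finding."""
    findings = find_ns_records(config_text)
    return {"check": "DNS0910", "finding": bool(findings),
            "records": findings, "fix": remediation_commands(findings)}


if __name__ == "__main__":
    print(evaluate(SAMPLE_CONFIG))
```

This supplements, rather than replaces, running `show dns-record statistics` on the device in the reviewer's presence.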
Additional Identifiers
Rule ID: SV-4508r1_rule
Vulnerability ID: V-4508
Group Title: Zones are delegated with the CSS DNS.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |