Title

The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) RR for a zone's delegated children must be no less than two days and no more than one week. (Cat II impact)

Discussion

The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a Zone Signing Key (ZSK) can use that key only during the Key Signing Key's (KSK's) signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing. To prevent the impact of a compromised KSK, a delegating parent should set the signature validity period for RRSIGs covering DS RRs in the range of a few days to one week. This re-signing does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover should still be performed at regular intervals.

Check Content

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on "DNSSEC" tab, and review the "Signature Validity" setting. 3. Validate that the Signature Validity is configured for a range of no less than two days and no more than one week. 4. When complete, click "Cancel" to exit the "Properties" screen. If the Signature Validity period is less than two days or greater than one week, this is a finding.

Fix Text

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on "DNSSEC" tab, and edit the "Signature Validity" setting to a period between two days and one week. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Any zones that used an incorrect value should perform a ZSK rollover to update the inception and expiration dates with the new value. 5. Navigate to Data Management >> DNS and select the "Zones" tab. 6. Using the zone selection check boxes and the DNSSEC drop-down menu, select "Rollover Zone-Signing Key". 7. When prompted, select "Roll Over". 8. Perform a service restart if necessary.

Additional Identifiers

Rule ID: SV-233910r621666_rule

Vulnerability ID: V-233910

Group Title: SRG-APP-000214-DNS-000079

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.