
DNSSEC is not enabled for signing files between name servers with DNSSEC capabilities.


Overview

Finding ID: V-14767
Version: DNS4710
Rule ID: SV-15524r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
A powerful feature of DNSSEC is the ability to sign record sets to ensure their integrity and authenticity throughout the DNS infrastructure and not just between the authoritative name server and its zone partner or local client. The advantages of this feature become apparent when DoD users wish to securely validate records from other organizations, including commercial vendors, business partners, and other Government agencies.
STIG: BIND DNS
Date: 2013-01-10

Details

Check Text ( C-43787r1_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

BIND
• Instruction: Ask the DNS administrator for the directory containing the named.conf file, then check that the options block contains the following setting:

options {
    dnssec-enable yes;
};

If the option is set to no, or is not present in named.conf, this is a finding. A commented-out line (// or #) does not count, and a dnssec-enable statement that appears only in a view block does not satisfy the check, which looks at the global options block.
Fix Text (F-14243r1_fix)
Ensure BIND 9.3.1 or later is installed with DNSSEC support, add the following entry to named.conf, and reload the configuration:

options {
    dnssec-enable yes;
};

Note that dnssec-enable yes only makes named return the DNSSEC records (RRSIG, DNSKEY, NSEC/NSEC3) it holds; it does not sign a zone by itself. Zones must still be signed and their keys published for the integrity and authenticity described above to exist. In BIND 9.15 and later the option is deprecated and has no effect because DNSSEC responses are always enabled, and it has been removed from later releases, so check the release notes of the installed version before adding it.
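The check and fix above both reduce to one question: does the global options block of named.conf carry dnssec-enable yes? The script below is an added example for auditing that offline; it is not part of the STIG or of BIND. It strips // and # comments, extracts only the options block (tracking brace depth so nested blocks such as allow-query { ... }; do not cut it short), and reports "compliant" or "finding". The sample configurations written by write_sample_configs are constructed for this example; on a real host point check_dnssec_enable at the file the DNS administrator names.

```shell
#!/bin/sh
# Added example: offline audit of named.conf for "dnssec-enable yes" in the
# options block. Not STIG or BIND code; sample configs below are constructed.

# Print the options { ... } block of a named.conf with // and # comments
# removed. Brace depth is tracked so that nested blocks inside options do not
# end the extraction early. Block comments (/* ... */) are not handled.
options_block() {
    sed -e 's,//.*$,,' -e 's,#.*$,,' "$1" |
    awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1 }
        inopt {
            print
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) inopt = 0
        }
    '
}

# Verdict for one named.conf:
#   "compliant" (exit 0) when options contains "dnssec-enable yes;"
#   "finding"   (exit 1) when it is "no", absent, commented out, or present
#                only outside the options block (e.g. inside a view)
check_dnssec_enable() {
    if options_block "$1" | tr ';' '\n' |
       grep -Eq '(^|[[:space:]{])dnssec-enable[[:space:]]+yes[[:space:]]*$'; then
        echo compliant
        return 0
    fi
    echo finding
    return 1
}

# Constructed sample configurations covering the compliant case and the
# four ways the check can fail. Written into the directory given as $1.
write_sample_configs() {
    dir="$1"
    cat > "$dir/compliant.conf" <<'EOF'
options {
    directory "/var/named";
    allow-query { any; };   // nested block must not end the options block
    dnssec-enable yes;
};
zone "example.test" { type master; file "example.test.zone"; };
EOF
    cat > "$dir/finding-no.conf" <<'EOF'
options { directory "/var/named"; dnssec-enable no; };
EOF
    cat > "$dir/finding-absent.conf" <<'EOF'
options {
    directory "/var/named";
};
EOF
    cat > "$dir/finding-commented.conf" <<'EOF'
options {
    directory "/var/named";
    # dnssec-enable yes;
};
EOF
    cat > "$dir/finding-outside.conf" <<'EOF'
options {
    directory "/var/named";
};
view "internal" { dnssec-enable yes; };
EOF
}

# Usage: sh check_dnssec_enable.sh /etc/named.conf
# Prints the verdict; exit status 0 = compliant, 1 = finding.
if [ $# -gt 0 ]; then
    check_dnssec_enable "$1"
fi
```

The exit status makes the function usable from a larger compliance script, and the verdict word keeps the output readable when run by hand. Because the parser is a text match rather than a full named.conf grammar, treat a "compliant" result as a prompt to confirm with named-checkconf -p on the host, which prints the configuration as named actually parses it.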