UCF STIG Viewer Logo

DNSSEC is not enabled for signing files between names servers with DNSSEC capabilities.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14767 DNS4710 SV-15524r3_rule ECSC-1 Medium
Description
A powerful feature of DNSSEC is the ability to sign record sets to ensure their integrity and authenticity throughout the DNS infrastructure and not just between the authoritative name server and its zone partner or local client. The advantages of this feature become apparent when DoD users wish to securely validate records from other organizations, including commercial vendors, business partners, and other Government agencies.
STIG Date
BIND DNS STIG 2015-10-01

Details

Check Text ( C-46503r2_chk )
This rule is only applicable to DNS servers using DNSSEC.
If DNSSEC is not enabled, then this is N/A.

BIND
• Instruction: Ask the DNS administrator for the directory location containing the named.conf file.

Check for the following options:

options
{
dnssec-enable yes;
};

If this option is missing and the BIND version is 9.5 or greater, this is the default and is not a finding.

If the dnssec-enable option is set to no or the BIND version is less than 9.5 and the dnssec-enable option is not in the named.conf file, then this is a finding.
Fix Text (F-44114r2_fix)
Ensure that the version of BIND is 9.3.1 or higher with DNSSEC support. If the version is less than 9.5, then add the following entry to named.conf.

options
{
dnssec-enable yes;
};