Zones are delegated with the CSS DNS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4508	DNS0910	SV-4508r1_rule	ECSC-1	Low

Description
Although it is technically possible to delegate zones within CSS DNS, there is almost never a rationale to do so because such delegation could be achieved as easily with BIND, which offers security features not present in CSS DNS. Moreover, the performance enhancing features of CSS typically would not apply to name server records because these records are obtained easily and quickly across the wide area without significant impact on a users experience

Description

Although it is technically possible to delegate zones within CSS DNS, there is almost never a rationale to do so because such delegation could be achieved as easily with BIND, which offers security features not present in CSS DNS. Moreover, the performance enhancing features of CSS typically would not apply to name server records because these records are obtained easily and quickly across the wide area without significant impact on a users experience

STIG	Date
CISCO CSS DNS	2013-07-08

Details

Check Text ( C-3416r1_chk )
In the presence of the reviewer, the CSS DNS administrator should enter the following command while in global configuration mode: show dns-record statistics There should be no DNS record types of NS. If there are NS records, then this is a finding.

Fix Text (F-4393r1_fix)
The CSS DNS administrator should remove any NS records with the following command while in global configuration mode; no dns-record ns domain_name.