Finding ID | Version | Rule ID | IA Controls | Severity
---|---|---|---|---
V-34050 | SRG-NET-000108-DNS-000060 | SV-44503r1_rule | | Medium
Description |
---|
When non-repudiation techniques are not employed, high assurance that an individual performed a specific action cannot be guaranteed, and the individual can falsely deny having performed such an action and therefore escape accountability. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. In the context of DNS, non-repudiation is provided by implementation of DNS TSIG, which provides signing of DNS messages, and DNSSEC, which provides validation of the source of query responses. |
STIG | Date |
---|---|
Domain Name System (DNS) Security Requirements Guide | 2012-10-24 |
Check Text ( C-42017r1_chk ) |
---|
Review the DNS system configuration to determine if non-repudiation techniques through the use of TSIG and DNSSEC authentication and integrity are employed. If non-repudiation techniques are not implemented, this is a finding. In this case, non-repudiation is enforced against the server in question, and not an individual. Individual non-repudiation would have to be maintained through, for example, audit logs and CAC authentication to make changes to zone files. |
Fix Text (F-37965r1_fix) |
---|
Configure the DNS system to utilize TSIG and DNSSEC to verify the authenticity and integrity of the messages. Again, this will only ensure no one can deny that a particular Resource Record (RR) came from a particular server; individuals would still be able to refute their involvement. |