
The DNS implementation must protect against an individual falsely denying having performed a particular action.


Overview

Finding ID: V-34050
Version: SRG-NET-000108-DNS-000060
Rule ID: SV-44503r1_rule
IA Controls: (none listed)
Severity: Medium
Description
When non-repudiation techniques are not employed, there is no high assurance that an individual performed a specific action; the individual can falsely deny having performed it and therefore cannot be held accountable. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. In the context of DNS, non-repudiation is provided by implementing DNS TSIG, which signs DNS messages, and DNSSEC, which validates the source of query responses.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-42017r1_chk )
Review the DNS system configuration to determine if non-repudiation techniques through the use of TSIG and DNSSEC authentication and integrity are employed.

If non-repudiation techniques are not implemented, this is a finding.

In this case, non-repudiation is enforced against the server in question, and not an individual. Individual non-repudiation would have to be maintained through, for example, audit logs and CAC authentication to make changes to zone files.
Fix Text (F-37965r1_fix)
Configure the DNS system to utilize TSIG and DNSSEC to verify the authenticity and integrity of the messages.

Again, this will only ensure that no one can deny that a particular Resource Record (RR) came from a particular server; individuals would still be able to deny their involvement.
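A BIND 9 named.conf fragment showing the TSIG and DNSSEC settings this fix text calls for, added here as an illustration and not taken from the STIG or SRG; the key name, zone, peer address and secret are placeholders.

```conf
// Added example (not from the STIG): BIND 9 named.conf fragment for the
// TSIG + DNSSEC posture the fix text describes. The key name, zone name,
// peer address and secret are placeholders, not real values.

key "xfer-key" {                  // TSIG key shared with the secondary (RFC 8945)
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // generate with: tsig-keygen xfer-key
};

server 192.0.2.2 {                // secondary; every message sent to it is TSIG-signed
    keys { "xfer-key"; };
};

options {
    directory "/var/named";
    dnssec-validation auto;       // validate responses using the built-in root trust anchor
};

zone "example.test" {
    type primary;                 // "master" on BIND releases before 9.16
    file "db.example.test";
    dnssec-policy default;        // sign the zone so resolvers can validate its answers
    allow-transfer { key "xfer-key"; };   // zone transfers only with a valid TSIG signature
    allow-update { key "xfer-key"; };     // dynamic updates likewise
};
```

Run named-checkconf after editing to confirm the syntax, and a query such as dig +dnssec example.test SOA @<server> should return RRSIG records with the AD flag set once validation is in place.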