
The DNS implementation must validate DNS keys used for PKI-based authentication against an accepted trust anchor.


Overview

Finding ID: V-34115
Version: SRG-NET-000164-DNS-000103
Rule ID: SV-44568r1_rule
IA Controls: (none listed)
Severity: Medium
Description
A trust anchor is an authoritative entity represented by a public key and associated data. It is used in public key infrastructures and in the Domain Name System Security Extensions (DNSSEC). In a chain of trust, the top entity to be trusted is usually the trust anchor. In DNS this can be, for example, the key signing key of the root zone or of the .mil zone. The trust anchor covers the signed zones delegated from that zone (example.mil), which in turn cover the zones delegated from them (sub.example.mil); each link is a DS record in the parent that identifies a DNSKEY in the child. Name servers that are not secure can operate within a secure domain but receive no benefit until they have been made secure. In DNS, a validating resolver uses the DNSKEY records to cryptographically validate the results for a given request back to a known public key (the trust anchor). DNS authentication and integrity checking rely on this chain of trust to detect forged or altered DNS records. Without path validation back to a trust anchor, there is no assurance that data integrity has been maintained during a transaction.
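The DS-to-DNSKEY link the description refers to, as an added Python example that is not part of the STIG or of any DNS product: a trust anchor held in DS form (key tag, algorithm, digest type, digest) is matched against a zone's apex DNSKEY RRset the way a validating resolver does at every delegation. The zone name, the keys and the anchor are constructed for illustration and are not real key material; nothing here contacts a server or verifies RRSIG signatures, which is the step that follows once an anchored key is found.

```python
"""Added example (not STIG text): tying a zone's DNSKEY to a DS-form trust anchor.
All key material below is constructed for illustration and is not a real key."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# DS digest types (RFC 4034 section 5.1.3, RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # 8 = RSASHA256, 13 = ECDSAP256SHA256, ...
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag, RFC 4034 Appendix B: a 16-bit checksum used as a hint, not a security check."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self, digest_type: int) -> bytes:
        """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
        return DIGEST_ALGS[digest_type](name_to_wire(self.owner) + self.rdata()).digest()


@dataclass(frozen=True)
class TrustAnchor:
    """A DS-form trust anchor, as configured in a resolver or published by a parent zone."""
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_matches_anchor(key: DNSKEY, anchor: TrustAnchor) -> bool:
    """The check a validating resolver performs before trusting a zone's DNSKEY RRset:
    owner, algorithm and key tag must agree, and the digest of the key must equal the
    anchor's digest. Any change to the public key bytes changes the digest."""
    if name_to_wire(key.owner) != name_to_wire(anchor.owner):
        return False
    if key.algorithm != anchor.algorithm or key.key_tag() != anchor.key_tag:
        return False
    if anchor.digest_type not in DIGEST_ALGS:
        return False  # unsupported digest type: the anchor is unusable, never "valid"
    return hmac.compare_digest(key.ds_digest(anchor.digest_type), anchor.digest)


def find_anchored_key(keys: Iterable[DNSKEY], anchor: TrustAnchor) -> Optional[DNSKEY]:
    """Pick the key in a zone's apex DNSKEY RRset that the anchor authorizes, or None.
    Without such a key the RRSIG over the DNSKEY RRset, and everything below it, is untrusted."""
    return next((k for k in keys if key_matches_anchor(k, anchor)), None)


# Constructed sample data (not real keys): a KSK and a ZSK published at example.mil.
EXAMPLE_KSK = DNSKEY("example.mil.", 257, 3, 8, b"\x00\x01\x02\x03")
EXAMPLE_ZSK = DNSKEY("example.mil.", 256, 3, 8, b"\x10\x11\x12\x13")
# The accepted trust anchor for example.mil in DS form. In practice it comes from the
# parent zone's DS RRset or an out-of-band source, never from the zone being validated.
EXAMPLE_ANCHOR = TrustAnchor("example.mil.", EXAMPLE_KSK.key_tag(), 8, 2, EXAMPLE_KSK.ds_digest(2))
# A substituted key constructed so that its key tag collides with the real KSK's (1549):
# a tag-only comparison would accept it; only the digest comparison rejects it.
TAMPERED_KSK = DNSKEY("example.mil.", 257, 3, 8, b"\x00\x02\x02\x02")

if __name__ == "__main__":
    print("KSK key tag:", EXAMPLE_KSK.key_tag())
    print("anchored key found:", find_anchored_key([EXAMPLE_ZSK, EXAMPLE_KSK], EXAMPLE_ANCHOR) is EXAMPLE_KSK)
    print("tampered key accepted:", find_anchored_key([TAMPERED_KSK], EXAMPLE_ANCHOR) is not None)
```

The tampered key is included deliberately: the key tag is a 16-bit checksum that is easy to collide, so a resolver that stopped at the tag match would accept a substituted key. Production resolvers obtain anchors from a maintained file (such as the root KSK in DS form) or track them with RFC 5011 key rollover rather than hard-coding them as this example does.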
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-42075r1_chk )
Review the DNS server configuration to verify that DNSSEC validation is enabled and that the DNS keys have a valid path to an accepted trust anchor (for example, the current root zone or .mil key signing key, held as a DNSKEY or DS record). A query for a signed name made with dig +dnssec against a validating resolver should return the AD flag. If DNSSEC validation is disabled, or DNS keys are not validated back to a trust anchor, this is a finding.
Fix Text (F-38025r1_fix)
Configure the DNS server to use DNSSEC keys (DNSKEY records) validated through a chain of trust (DS records) back to an accepted trust anchor for all PKI-based authentication of DNS data; for example, dnssec-validation auto; with built-in or configured trust anchors on BIND, or auto-trust-anchor-file on Unbound.