UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must validate DNS keys used for PKI-based authentication against an accepted trust anchor.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34115 SRG-NET-000164-DNS-000103 SV-44568r1_rule Medium
Description
A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, and Domain Name System Security Extensions (DNSSEC). When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor. With DNS it can be, for example, the root name server for the .mil domain. The trust anchor covers secure sub zones of the root server (example.mil) which in turn would cover sub zones delegated from it (sub.example.mil). Name servers that are not ""secure"" can operate within a secure domain but will receive no benefit until they have been made secure. In DNS, a validating resolver uses the DNSKEY to cryptographically validate the results for a given request back to a known public key (the trust anchor). DNS authentication and integrity checking methods rely on the chain of trust anchor to avoid unauthorized access to the DNS records and infrastructure. Without path validation, there can be no trust that the data integrity has been maintained during a transaction.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42075r1_chk )
Review the DNS server configuration to verify the DNS keys have a valid path to an accepted trust anchor. If DNS keys are not being validated back to a trust anchor, this is a finding.
Fix Text (F-38025r1_fix)
Configure the DNS server to utilize DNS keys and a chain of trust for all user based PKI implementations.