
The DNS implementation must prevent access to organization defined security-relevant information except during secure non-operable system states.


Overview

Finding ID: V-34247
Version: SRG-NET-000279-DNS-000158
Rule ID: SV-44726r1_rule
IA Controls: (blank)
Severity: Medium
Description
Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or to maintain isolation of code and data. Organizations may define specific security-relevant information requiring protection; cryptographic key management information, key configuration parameters for security services, and access control lists are examples of security-relevant information relevant to DNS.

Secure, non-operable system states are states in which the information system is not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, or shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line.

The goal is to minimize the potential that a security configuration or data may be dynamically, and perhaps surreptitiously, overwritten or changed without going through a formal system change process that can document the changes. Access to this type of security information could potentially degrade the security of the authentication and confidentiality of the DNS data and processes.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42231r1_chk)
Review the DNS system configuration to determine if cryptographic key information and/or key configuration parameters for security services are accessible during operable system states. If these services are available during operable states, this is a finding.
Fix Text (F-38178r1_fix)
Configure the DNS system to secure cryptographic key information and key configuration parameters and services during operable system states.
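
One way a reviewer could gather evidence for the check text above, shown as an added example that is not part of the SRG: a filesystem audit that flags key and key-configuration files reachable by accounts other than the DNS service account while the system is operating. The file suffixes, the `audit_key_access` and `demo` names, the `service_uid` parameter and the sample file names are assumptions; filesystem exposure is only one facet of the requirement.

```python
import os
import stat
import tempfile

# Assumption: key material and key configuration are identified by suffix;
# adjust to the DNS product under review.
KEY_SUFFIXES = (".private", ".key", ".conf")

def audit_key_access(root, service_uid):
    """Return (path, reason) findings for key/config files under root that
    accounts other than the DNS service account can read or modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dmode = os.stat(dirpath).st_mode
        # A group/world-writable directory lets others replace files in it.
        if dmode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((dirpath, "directory writable by group/other"))
        for name in sorted(files):
            if not name.endswith(KEY_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink; target not covered"))
                continue
            if st.st_uid != service_uid:
                findings.append((path, "not owned by service account"))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(
                    (path, "group/other access: %o" % stat.S_IMODE(st.st_mode)))
    return findings

def demo():
    """Constructed sample tree: one locked-down key, one over-exposed key."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o700)
        good = os.path.join(root, "Kexample.test.+013+00001.private")
        bad = os.path.join(root, "Kexample.test.+013+00002.private")
        for p, mode in ((good, 0o600), (bad, 0o644)):
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(p, mode)
        return [(os.path.basename(p), r)
                for p, r in audit_key_access(root, os.getuid())]

if __name__ == "__main__":
    for item in demo():
        print(item)
```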