The DNS implementation, as the distributed, hierarchical namespace, must provide the means to indicate the security status of child domains and enable verification of a chain of trust among parent and child domains.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34257	SRG-NET-000300-DNS-000161	SV-44736r1_rule		Low

Description
DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the delegation signer (DS) resource records in the DNS, the security status of a child domain can be validated. The DS resource record is used to identify the DNSSEC signing key of a delegated zone. Starting from a trusted name server (such as the root name server) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted name servers is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested RRs but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of a Resource Record (RR) Set. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain, and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be assured.

Description

DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the delegation signer (DS) resource records in the DNS, the security status of a child domain can be validated. The DS resource record is used to identify the DNSSEC signing key of a delegated zone. Starting from a trusted name server (such as the root name server) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted name servers is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested RRs but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of a Resource Record (RR) Set. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain, and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be assured.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42241r1_chk )
Review the DNS implementation and configuration to determine if DNSSEC is enabled. If it is enabled the DNS implementation must be able to indicate the security status of child domains and enable verification of a chain of trust among parent and child domains. Compliance to this requirement depends on the type of server being checked. If the system being reviewed is an authoritative server, it must be able to provide authenticable records (DS, RRSIG, etc.). If the system is a recursive server, it must be able to pass DNSSEC data and perform DNSSEC validation. If DNSSEC is enabled and the security status of child domains is not indicated or the chain of trust is not verifiable, this is a finding.

Check Text ( C-42241r1_chk )

Review the DNS implementation and configuration to determine if DNSSEC is enabled. If it is enabled the DNS implementation must be able to indicate the security status of child domains and enable verification of a chain of trust among parent and child domains. Compliance to this requirement depends on the type of server being checked.

If the system being reviewed is an authoritative server, it must be able to provide authenticable records (DS, RRSIG, etc.).

If the system is a recursive server, it must be able to pass DNSSEC data and perform DNSSEC validation.

If DNSSEC is enabled and the security status of child domains is not indicated or the chain of trust is not verifiable, this is a finding.

Fix Text (F-38188r1_fix)
Configure the DNS implementation to provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.