
The DNS implementation, as the distributed, hierarchical namespace, must provide the means to indicate the security status of child domains and enable verification of a chain of trust among parent and child domains.


Overview

Finding ID: V-34258
Version: SRG-NET-000301-DNS-000162
Rule ID: SV-44737r1_rule
IA Controls: (not listed)
Severity: Low
Description
In DNS, trust in the public key of the source is established by starting from a trusted name server and establishing the chain of trust down to the current source of the response through successive verifications of the signature that each parent places over the public key of its child. A trust anchor is an authoritative entity represented by a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and Domain Name System Security Extensions (DNSSEC). When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor. A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate. In DNS, a trust anchor is a DNSKEY that is placed into a validating resolver so the validator can cryptographically validate the results for a given request back to a known public key (the trust anchor). One means of indicating the security status of child subspaces is the use of delegation signer (DS) resource records in the DNS. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Without path validation and a chain of trust, there can be no assurance that data integrity and authenticity have been maintained during a transaction.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42242r1_chk)
Review the DNS implementation and configuration to determine if a chain of trust exists between the parent and child domains. If there is no chain of trust, this is a finding.
Fix Text (F-38189r1_fix)
Ensure the DNS implementation provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
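The parent-to-child link that the Description and Check Text refer to is the DS record: the parent publishes a hash of the child's DNSKEY, and a validator accepts the child's key only when it matches that DS. The following is an added example written for this page (not code from the STIG or from any DNS implementation); the zone name `child.example.` and the key bytes are constructed placeholders.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout (RFC 4034 section 2.1): flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (non-RSA/MD5 form); identifies which DNSKEY a DS refers to."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """What the parent publishes for a secure child: hash(owner wire name | DNSKEY RDATA), RFC 4034 5.1.4."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def ds_matches(owner: str, rdata: bytes, ds: dict) -> bool:
    """Validator-side link in the chain of trust: does this child DNSKEY hash to the parent's DS?"""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = make_ds(owner, rdata, ds["digest_type"])["digest"]
    return hmac.compare_digest(expected, ds["digest"])

# Constructed sample: a child zone KSK (flags 257, protocol 3, algorithm 13 = ECDSAP256SHA256)
# with a made-up 64-byte public key; this is not a real key.
CHILD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
PARENT_DS = make_ds("child.example.", CHILD_KSK)  # the DS the parent zone would sign and publish

if __name__ == "__main__":
    print("DS key tag", PARENT_DS["key_tag"], "digest", PARENT_DS["digest"].hex())
    print("child DNSKEY matches parent DS:", ds_matches("child.example.", CHILD_KSK, PARENT_DS))
    tampered = CHILD_KSK[:-1] + b"\x00"  # a substituted key no longer matches the parent's DS
    print("tampered DNSKEY matches parent DS:", ds_matches("child.example.", tampered, PARENT_DS))
```

In a real validator this DS is itself covered by the parent's RRSIG, which is checked against the parent's DNSKEY, and so on up to the configured trust anchor; a delegation with no DS (proven by NSEC/NSEC3) is treated as insecure rather than bogus.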