
The DNS server implementation must validate the integrity of transmitted security attributes.


Overview

Finding ID: SRG-APP-000204-DNS-000023
Version: SRG-APP-000204-DNS-000023
Rule ID: SRG-APP-000204-DNS-000023_rule
IA Controls:
Severity: Medium
Description
Security attributes are values associated with data content/structure and source/destination objects. These attributes are bound to the user and data objects and may include information about the data's purpose, creator, origin, access restrictions, access permissions, or classification. Specific security attributes used depend on the application or technology context. However, these attributes are used in information systems to implement security policy for access control and flow control for users, data, and traffic. Security attributes may be explicitly or implicitly associated with the information contained within the information system. If security attributes are not associated with the information being transmitted between components, then access control policies and information flows which depend on these security attributes will not function and unauthorized access may result. When data is exchanged, the security attributes associated with this data must be validated to ensure the data has not been changed. The digital signatures used by TSIG/SIG(0) are transmitted security attributes. These signatures must be validated by the receiving server. DNSSEC signatures are validated by the DNS client, not the DNS server.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2014-07-11

Details

Check Text (C-SRG-APP-000204-DNS-000023_chk)
Review the DNS server implementation to determine if integrity is maintained for transmitted security attributes through the use of TSIG and DNSSEC. If integrity is not maintained, this is a finding.
Full compliance with this requirement depends on the DoD-wide deployment of DNSSEC. Until full deployment is realized and DNSSEC is enabled, this requirement can be considered fulfilled by the use of TSIG alone.

If the DNS server does not validate the integrity of transmitted security attributes, this is a finding.
Fix Text (F-SRG-APP-000204-DNS-000023_fix)
Configure the DNS server to validate the integrity of transmitted security attributes.
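The receiver-side validation the Description requires for TSIG signatures can be sketched as follows; this is an added example, not part of the SRG or of any DNS server's code. It follows the request MAC layout and check order of RFC 8945 with HMAC-SHA256. Assumptions: the function names, key name, key and message are constructed for illustration, the TSIG record is taken as already parsed out of the message, and truncated MACs and response signing are left out.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Encode a domain name as lowercase, uncompressed DNS wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge):
    # Fields covered by the MAC besides the message (RFC 8945, section 4.3.3):
    # key NAME, CLASS=ANY (255), TTL=0, algorithm name, 48-bit time signed,
    # fudge, error (0), other length (0).
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)
            + wire_name("hmac-sha256")
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, 0, 0))

def tsig_mac(message, key, key_name, time_signed, fudge):
    """HMAC-SHA256 over the DNS message (TSIG RR removed) plus TSIG variables."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(message, mac, keyring, key_name, time_signed, fudge, now):
    """Receiver-side checks in RFC 8945 order: key, then MAC, then time."""
    key = keyring.get(key_name.rstrip(".").lower())
    if key is None:
        return "BADKEY"
    expected = tsig_mac(message, key, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

# Constructed sample: a SOA query for example.test and a made-up shared key.
SAMPLE_MSG = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
              + wire_name("example.test") + struct.pack("!HH", 6, 1))
SAMPLE_KEYRING = {"transfer-key.example.test": b"constructed-shared-secret-32byte"}

if __name__ == "__main__":
    name, t = "transfer-key.example.test.", 1_700_000_000
    mac = tsig_mac(SAMPLE_MSG, SAMPLE_KEYRING[name.rstrip(".")], name, t, 300)
    print(verify(SAMPLE_MSG, mac, SAMPLE_KEYRING, name, t, 300, now=t + 10))
    tampered = SAMPLE_MSG.replace(b"example", b"exbmple")
    print(verify(tampered, mac, SAMPLE_KEYRING, name, t, 300, now=t + 10))
```

Because the time signed and fudge values are inside the MAC, a sender cannot widen the acceptance window without invalidating the signature.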