The DNS server implementation must utilize NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-APP-000416-DNS-000052	SRG-APP-000416-DNS-000052	SRG-APP-000416-DNS-000052_rule		Medium

Description
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. TSIG/SIG(0) and DNSSEC should be implemented using NSA-approved cryptography for DNS servers on classified networks.

Description

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. TSIG/SIG(0) and DNSSEC should be implemented using NSA-approved cryptography for DNS servers on classified networks.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2014-07-11

Details

Check Text ( C-SRG-APP-000416-DNS-000052_chk )
Review the DNS server implementation configuration to determine if the DNS server utilizes NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. If the DNS server does not utilize NSA-approved cryptography to protect classified information, this is a finding.

Fix Text (F-SRG-APP-000416-DNS-000052_fix)
Configure the DNS server to utilize NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.