The validity period for the RRSIGs covering the DS RR for zones delegated children must be no less than two days and no more than one week.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-68535 | IDNS-7X-000230 | SV-83025r2_rule | Medium |
| Description |
|---|
| The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing. To prevent the impact of a compromised KSK, a delegating parent should set the signature validity period for RRSIGs covering DS RRs in the range of a few days to 1 week. This re-signing does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover should still be performed at regular intervals. |
| STIG | Date |
|---|---|
| Infoblox 7.x DNS Security Technical Implementation Guide | 2017-04-05 |
Details
| Check Text ( C-69069r2_chk ) |
|---|
| Navigate to Data Management >> DNS >> Grid DNS properties. Toggle Advanced Mode and click on "DNSSEC" tab. Validate the Key-Signing Key (KSK) “Signature Validity” is configured to a value between “2” and “7” days; otherwise this is a finding. |
| Fix Text (F-74653r2_fix) |
|---|
| Navigate to Data Management >> DNS >> Grid DNS Properties. Toggle Advanced Mode and select the "DNSSEC" tab. Modify the KSK "Signature Validity" to a period between "2" and "7" days. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. Perform a service restart if necessary. |