UCF STIG Viewer Logo

The Infoblox DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.


Overview

Finding ID Version Rule ID IA Controls Severity
V-233906 IDNS-8X-700001 SV-233906r621666_rule High
Description
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
STIG Date
Infoblox 8.x DNS Security Technical Implementation Guide 2021-01-11

Details

Check Text ( C-37091r611238_chk )
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.

Note: For Infoblox Grids that run in FIPS mode, this requirement is Not Applicable. Refer to the Administrator Guide for more information on FIPS Mode.

1. Navigate to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Validate that all Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs) use FIPS-approved algorithms.
4. When complete, click "Cancel" to exit the "Properties" screen.

If non-FIPS-approved algorithms are in use, this is a finding.
Fix Text (F-37056r611239_fix)
Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration.

1. Navigate to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Configure FIPS-compliant algorithms.
4. Follow manual key rollover procedures and update all non-compliant KSKs and ZSKs to use FIPS-approved algorithms.