UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Windows 2008 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.


Overview

Finding ID Version Rule ID IA Controls Severity
V-58649 WDNS-IA-000011 SV-83241r1_rule Medium
Description
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. So, in cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable.
STIG Date
Microsoft Windows 2008 Server Domain Name System Security Technical Implementation Guide 2017-01-04

Details

Check Text ( C-59521r2_chk )
Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup.

If there is, verify if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site.

If there is no local cache of revocation data, this is a finding.
Fix Text (F-64033r3_fix)
Configure local revocation data to be used in the event access to Certificate Authorities is hindered.