UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-259370 WDNS-22-000042 SV-259370r961041_rule Medium
Description
The private keys in the key signing key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file primary copy. This strategy is not feasible in situations in which the DNSSEC-aware name server must support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) must have both the zone file master copy and the private key corresponding to the zone signing key (ZSK-private) online to immediately update the signatures for the updated resource record (RR) sets. The private key corresponding to the key signing key (KSK-private) can still be kept offline.
STIG Date
Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide 2024-06-14

Details

Check Text ( C-63109r945279_chk )
Note: This check is not applicable for Windows DNS Servers that host only Active Directory (AD)-integrated zones or for Windows DNS Servers on a classified network.

Note: This requirement is not applicable to servers with only a caching role.

For AD-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through AD replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the AD database file, the signed copy of the zone remains in memory for AD-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server.

If all DNS servers are AD integrated, this check is not applicable.

If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates, and has a copy of the private key corresponding to the ZSK, this is a finding.
Fix Text (F-63017r939814_fix)
Ensure the private key corresponding to the ZSK is only stored on the name server accepting dynamic updates.