
NSEC3 must be used for all DNS zone NS RR records.


Overview

Finding ID: SRG-APP-000516-DNS-000084
Version: SRG-APP-000516-DNS-000084
Rule ID: SRG-APP-000516-DNS-000084_rule
IA Controls: (none listed)
Severity: Medium
Description
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary's name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. If DNSSEC is enabled for a server, it becomes possible to verify that a particular server which may attempt to update the DNS server actually exists. This is done through the use of NSEC3 records to provide an "authenticated denial of existence" for specific systems whose addresses indicate that they lie within a particular zone.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2014-07-11

Details

Check Text (C-SRG-APP-000516-DNS-000084_chk)
This is dependent on the DoD-wide deployment of DNSSEC. Until full deployment is realized, this vulnerability may be considered NA, provided DNSSEC is NOT enabled on the DNS server.

Review the zone file's configuration and confirm that, if DNSSEC is enabled, "authenticated denial of existence" is used to verify active name servers for the domain. If this is not the case, this is a finding.
Fix Text (F-SRG-APP-000516-DNS-000084_fix)
Configure all name servers’ existence to be verified through the use of NSEC3 records.
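One way to carry out the zone-file review in the check text offline, as an added example that is not part of the STIG or of any DNS vendor's tooling: the script hashes every NS RR owner name in a signed zone with the zone's NSEC3PARAM parameters (RFC 5155) and reports owners that have no NSEC3 RR at that hashed name, which is exactly what this rule treats as a finding. The zone fragment is constructed; its two NSEC3 owner labels are the RFC 5155 Appendix A hashes for "example." and "a.example." with salt aabbccdd and 12 iterations.

```python
import base64
import hashlib
# Constructed sample (not from the page): a signed-zone fragment in presentation
# form, TTL/class omitted. NSEC3 owner labels are the RFC 5155 Appendix A hashes
# of "example." and "a.example."; c.example. is a delegation with no NSEC3 RR.
SAMPLE_ZONE = """
example.    NS   ns1.example.
example.    NS   ns2.example.
example.    NSEC3PARAM 1 0 12 aabbccdd
a.example.  NS   ns1.a.example.
c.example.  NS   ns1.c.example.
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG
35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG
"""
# base32 -> base32hex (RFC 4648 section 7), the alphabet NSEC3 owner labels use
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercase) DNS wire-format encoding of a dotted owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed with the salt
    `iterations` more times, rendered as a lowercase base32hex label."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(B32HEX).lower()

def uncovered_ns_owners(zone_text):
    """Return NS owner names that have no NSEC3 RR whose owner label is their
    hash under the zone's NSEC3PARAM (algorithm, iterations, salt)."""
    rrs = [ln.split() for ln in zone_text.splitlines() if ln.strip()]
    params = next(r for r in rrs if r[1] == "NSEC3PARAM")
    if params[2] != "1":  # only hash algorithm 1 (SHA-1) is defined
        raise ValueError("unsupported NSEC3 hash algorithm %s" % params[2])
    iterations = int(params[4])
    salt = b"" if params[5] == "-" else bytes.fromhex(params[5])
    # NSEC3 flags may differ from NSEC3PARAM (opt-out bit), so compare the rest
    nsec3_owners = {r[0].split(".")[0].lower() for r in rrs if r[1] == "NSEC3"
                    and (r[2], r[4], r[5]) == (params[2], params[4], params[5])}
    ns_owners = sorted({r[0].lower() for r in rrs if r[1] == "NS"})
    return [n for n in ns_owners if nsec3_hash(n, salt, iterations) not in nsec3_owners]

if __name__ == "__main__":
    for name in uncovered_ns_owners(SAMPLE_ZONE):
        print("FINDING: NS owner %s has no matching NSEC3 RR" % name)
```

An opted-out unsigned delegation shows up here the same way as a missing record, so a reported owner is either a delegation the zone was signed without covering or evidence that NSEC3 is not in use for that zone.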