The Infoblox DNS server must enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-233912	IDNS-8X-700007	SV-233912r621666_rule		Medium

Description
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to ensure the authenticity and integrity of response data. DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the delegation signer (DS) resource records in the DNS, the security status of a child domain can be validated. The DS resource record is used to identify the DNSSEC signing key of a delegated zone. The chain of trust is established starting with a trusted name server (such as the root name server) and moving down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted name servers is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested resource records (RRs) but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of an RRSet. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be assured.

Description

If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to ensure the authenticity and integrity of response data. DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the delegation signer (DS) resource records in the DNS, the security status of a child domain can be validated. The DS resource record is used to identify the DNSSEC signing key of a delegated zone. The chain of trust is established starting with a trusted name server (such as the root name server) and moving down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted name servers is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested resource records (RRs) but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of an RRSet. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be assured.

STIG	Date
Infoblox 8.x DNS Security Technical Implementation Guide	2021-01-11

Details

Check Text ( C-37097r611256_chk )
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. The Authoritative Check applies to external-facing authoritative zones: 1. Navigate to Data Management >> DNS >> Zones. Note: To add "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will be displayed in the "Zones" tab. 2. Verify that external authoritative zones are DNSSEC signed. Recursive Check: 1. Navigate to Data Management >> DNS. Edit "Grid DNS Properties", toggle Advanced Mode, and select the DNSSEC tab. 2. Validate that both "Enable DNSSEC" and "Enable DNSSEC Validation" options are enabled. 3. When complete, click "Cancel" to exit the "Properties" screen. If DNSSEC is not used for authoritative DNS and enabled for recursive clients, this is a finding.

Check Text ( C-37097r611256_chk )

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.

The Authoritative Check applies to external-facing authoritative zones:

1. Navigate to Data Management >> DNS >> Zones.
Note: To add "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will be displayed in the "Zones" tab.
2. Verify that external authoritative zones are DNSSEC signed.

Recursive Check:
1. Navigate to Data Management >> DNS. Edit "Grid DNS Properties", toggle Advanced Mode, and select the DNSSEC tab.
2. Validate that both "Enable DNSSEC" and "Enable DNSSEC Validation" options are enabled.
3. When complete, click "Cancel" to exit the "Properties" screen.

If DNSSEC is not used for authoritative DNS and enabled for recursive clients, this is a finding.

Fix Text (F-37062r611257_fix)
Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. Authoritative Fix: 1. Navigate to Data Management >> DNS >> Zones. 2. Select the appropriate zone using the check box. From the "DNSSEC" drop-down menu, select "Sign Zones". 3. Follow prompts to acknowledge zone signing. 4. Perform a service restart if necessary. Recursive Fix: 1. Navigate to Data Management >> DNS >> Zones. 2. Edit "Grid DNS Properties", toggle Advanced Mode, and select the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC Validation" options. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

Fix Text (F-37062r611257_fix)

Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration.

Authoritative Fix:
1. Navigate to Data Management >> DNS >> Zones.
2. Select the appropriate zone using the check box. From the "DNSSEC" drop-down menu, select "Sign Zones".
3. Follow prompts to acknowledge zone signing.
4. Perform a service restart if necessary.

Recursive Fix:
1. Navigate to Data Management >> DNS >> Zones.
2. Edit "Grid DNS Properties", toggle Advanced Mode, and select the "DNSSEC" tab.
3. Enable both "Enable DNSSEC" and "Enable DNSSEC Validation" options.
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.