BIND-9X-001060 - A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input - dnssec-validation


A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.

Attacks may be generated by entering invalid data into DNS transactions, in the hopes that the data will not be handled correctly and will allow a vulnerable condition to be exploited. To safeguard against this, all untrusted data entered in DNS transactions (e.g., DNS queries) should be checked for validity before being processed further.


Enable DNSSEC validation on the name server.

Set the 'dnssec-validation' sub statement in the global options block to 'yes'.
Set the 'dnssec-enable' to 'yes'.

Configure the 'managed-keys' statement to use the root domains trust anchor.

Restart the BIND 9.x process.

See Also

Item Details


References: 800-53|SI-10(3), CAT|II, CCI|CCI-002754, Rule-ID|SV-207558r612253_rule, STIG-ID|BIND-9X-001060, STIG-Legacy|SV-87045, STIG-Legacy|V-72421, Vuln-ID|V-207558

Plugin: Unix

Control ID: 443fc5d89d3c306a5e8cef64126f030fd7e24117348bf6e7a1b49a1c5562dce3