WDNS-SC-000021 - The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC.

Information

The central concern in the major threat associated with DNS query/response (i.e., a forged response or a response failure) is the integrity of the DNS data returned in the response. An integral part of integrity verification is ensuring that valid data originated from the right source. DNSSEC is required for securing the DNS query/response transaction because it provides data origin authentication and data integrity verification through signature verification and the chain of trust.

Solution

Sign, or re-sign, the hosted zone(s) on the DNS server being validated.

In the DNS Manager console tree on the DNS server being validated, navigate to Forward Lookup Zones.

Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click Sign the Zone, using either saved parameters or custom parameters.
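The same check and remediation from the DNS server's own shell, as an added example that is not part of the STIG or the Tenable audit. It assumes the DnsServer PowerShell module installed with the DNS Server role, elevated rights on the server being validated, and that unsigned zones should be signed with default parameters (the equivalent of the wizard's default-settings option); the -Remediate switch is this script's own.

```powershell
# Added example (not STIG or Tenable code): report which hosted primary forward
# lookup zones are DNSSEC-signed, and optionally sign the unsigned ones.
# Assumes the DnsServer module (DNS Server role) and an elevated session.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Remediate   # without this switch the script only reports
)

Import-Module DnsServer -ErrorAction Stop

# Scope: primary forward lookup zones hosted here. Secondary, stub, forwarder,
# reverse and auto-created zones are not what this rule asks to be signed.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object {
        $_.ZoneType -eq 'Primary' -and
        -not $_.IsReverseLookupZone -and
        -not $_.IsAutoCreated
    }

$findings = foreach ($zone in $zones) {
    [pscustomobject]@{
        ZoneName = $zone.ZoneName
        IsSigned = [bool]$zone.IsSigned
        Status   = if ($zone.IsSigned) { 'Compliant' } else { 'Open' }
    }
}
$findings | Format-Table -AutoSize

$open = @($findings | Where-Object { -not $_.IsSigned })
if ($open.Count -eq 0) {
    Write-Host 'All hosted primary forward lookup zones are DNSSEC-signed.'
    return
}

if ($Remediate) {
    foreach ($f in $open) {
        # Same operation as DNS Manager > zone > DNSSEC > Sign the Zone
        # with default settings; -Force suppresses the confirmation prompt.
        Invoke-DnsServerZoneSign -ComputerName $ComputerName -ZoneName $f.ZoneName `
            -SignWithDefault -Force -PassThru
        # Re-read the zone so the result reflects the post-signing state.
        $signed = (Get-DnsServerZone -ComputerName $ComputerName -Name $f.ZoneName).IsSigned
        Write-Host ("{0}: IsSigned={1}" -f $f.ZoneName, $signed)
    }
} else {
    Write-Warning ("{0} unsigned zone(s); rerun with -Remediate to sign them." -f $open.Count)
}
```

Run it without -Remediate first to see the report; signing changes the zone and requires the key material to be backed up and the DS records published to the parent before validating resolvers will trust it.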

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_Server_DNS_V2R5_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23, CAT|II, CCI|CCI-001184, Rule-ID|SV-215628r561297_rule, STIG-ID|WDNS-SC-000021, STIG-Legacy|SV-73119, STIG-Legacy|V-58689, Vuln-ID|V-215628

Plugin: Windows

Control ID: df77672ac228fac80b87572739e80428e28e18669c8362e5af5f8ee230fffe38