| 3.4 Restrict Zone-Transfers 'allow-transfer' | CIS ISC BIND 9.0/9.5 v2.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Securely Authenticate Zone Transfers | CIS BIND DNS v3.0.1 Caching Only Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Securely Authenticate Zone Transfers | CIS BIND DNS v3.0.1 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2 Securely Authenticate Dynamic Updates - allow-update none or localhost | CIS BIND DNS v3.0.1 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2 Securely Authenticate Dynamic Updates - update-policy grant or local | CIS BIND DNS v3.0.1 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3 Securely Authenticate Update Forwarding | CIS BIND DNS v3.0.1 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| BIND-9X-001650 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and must perform integrity verification and data origin verification for all DNS information. | DISA BIND 9.x STIG v3r1 | Unix | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| BIND-9X-001770 - A BIND 9.x server must provide secure delegation to all child zones. | DISA BIND 9.x STIG v3r1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| BIND-9X-001780 - The BIND 9.x server validity period for the RRSIGs covering the DS RR for zones delegated children must be no less than two days and no more than one week. | DISA BIND 9.x STIG v3r1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| F5BI-DN-300013 - An authoritative name server must be configured to enable DNSSEC Resource Records. | DISA F5 BIG-IP TMOS DNS STIG v1r1 | F5 | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| F5BI-DN-300030 - The validity period for the RRSIGs covering the DS RR for a zones delegated children must be no less than two days and no more than one week. | DISA F5 BIG-IP TMOS DNS STIG v1r1 | F5 | SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000008 - The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000009 - The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000010 - The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000011 - The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000012 - Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000013 - Automatic Update of Trust Anchors must be enabled on key rollover. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
