7.2 Enable DNSSEC Validation - trust

Information

DNS Security Extensions (DNSSEC) provides authentication of name server data through public key cryptography. With DNSSEC, the name server signs its responses with its private key, which allows other name servers that hold its public key to verify the integrity and authenticity of the response. DNSSEC also provides for the signing of public keys, so that delegated sub-domains may have their keys signed by a higher-level authority. This creates a chain of trust: any name server that trusts the public key of the higher-level signing authority can trust the signed key. It is recommended that DNSSEC be enabled and be configured to validate domains that are signed. DNSSEC and validation are enabled via the options dnssec-enable and dnssec-validation, respectively.

Rationale:

DNSSEC reliably authenticates DNS responses to prevent DNS spoofing and cache poisoning attacks.

Solution

Perform the following for remediation:

Check the BIND configuration files, and in the global options block set the option dnssec-enable to yes and the option dnssec-validation to either yes or auto, as shown below. The auto setting is generally preferred because the trust anchor then does not need to be configured manually.

dnssec-enable yes;
dnssec-validation auto;

Restart the named server.
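As an added audit helper (not part of this benchmark or of BIND), the following POSIX shell functions read a named.conf, isolate the global options block and report whether the two settings above are present with the required values. It assumes that a missing option counts as a finding, since the control asks for the explicit setting; the two configuration files it checks are constructed for demonstration.

```shell
#!/bin/sh
# Added audit helper, not from the CIS benchmark: checks a BIND named.conf
# for dnssec-enable yes and dnssec-validation yes|auto in options { ... }.
# Assumption: an option that is absent is reported as a finding.

# option_value FILE NAME -> last value of NAME inside options { ... }, without ';'
option_value() {
    # drop // and # comments, keep only the options block, take the last setting
    sed -e 's://.*$::' -e 's:#.*$::' "$1" |
        awk '/^[[:space:]]*options[[:space:]]*[{]/,/^[}][[:space:]]*;/' |
        awk -v k="$2" '$1==k {v=$2} END {sub(";","",v); print v}'
}

# check_dnssec_options FILE -> returns 0 if compliant, 1 otherwise; prints findings
check_dnssec_options() {
    en=$(option_value "$1" dnssec-enable)
    val=$(option_value "$1" dnssec-validation)
    rc=0
    case "$en" in
        yes) ;;
        *) echo "$1: dnssec-enable is '${en:-unset}', expected yes"; rc=1 ;;
    esac
    case "$val" in
        yes|auto) ;;
        *) echo "$1: dnssec-validation is '${val:-unset}', expected yes or auto"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$1: DNSSEC validation settings compliant"
    return "$rc"
}

# Constructed sample configurations (not real server files).
WORK=$(mktemp -d)
cat > "$WORK/good.conf" <<'EOF'
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation auto;   // trust anchor managed automatically
};
EOF
cat > "$WORK/bad.conf" <<'EOF'
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation no;     # validation switched off
};
zone "example.test" { type master; file "example.test.zone"; };
EOF

check_dnssec_options "$WORK/good.conf"
check_dnssec_options "$WORK/bad.conf" || true
```

Run it against the live named.conf by calling check_dnssec_options with that path; the non-zero return code makes it usable from a compliance cron job.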

Default Value:

DNSSEC and DNSSEC validation are enabled by default.

See Also

https://workbench.cisecurity.org/files/2997

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv6|9, CSCv7|16.4

Plugin: Unix

Control ID: fd41b91dc90b65b2ca195f68933cc7281609c5cd38380d7acd70eb2e7711562b