7.2 Enable DNSSEC Validation - dnssec-validation

Information

DNS Security Extensions or DNSSEC for short provides authentication of the name servers through public key cryptography. With DNSSEC, the name server signs its responses with its private key. This allows other name servers that have the public key of the name server to verify the integrity and authenticity of the response. DNSSEC also provides for signing of public keys so that delegated sub-domains may have their keys signed by a higher-level authority. This creates a chain of trust so that any name server that trusts the public key of the higher level signing authority can trust the signed key. It is recommended that DNSSEC be enabled and be configured to validate domains that are signed. DNSSEC and validation are enabled via the options dnssec-enable and dnssec-validation, respectively.

Rationale:

DNSSEC reliably authenticates DNS responses to prevent the DNS spoofing and cache poisoning attacks.

Solution

Perform the following for remediation:

- Check the BIND configuration files, and in the global options set the two options dnssec-enable and dnssec-validation to yes as shown below:

dnssec-enable yes
dnssec-validation yes

- Restart the named server.

Default Value:

DNSSEC and DNSSEC validation are enabled by default.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-20a., CSCv6|9

Plugin: Unix

Control ID: 058b4988ec14417181f2f11b1e31a9b27ec5170946cc46043bc99d2a237f91bb