WDNS-SC-000013 - Automatic Update of Trust Anchors must be enabled on key rollover.

Information

A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors in order to perform validation. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named TrustAnchors.dns. A DNS server running Windows Server 2012 or Windows Server 2012 R2 also displays configured trust anchors in the DNS Manager console tree in the Trust Points container. Trust anchors can also be viewed by executing Windows PowerShell commands or Dnscmd.exe at a Windows command prompt.

Solution

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.

Once the Server Manager window is initialized, from the left pane, click to select the DNS category.

From the right pane, under the SERVERS section, right-click the DNS server.

From the context menu that appears, click DNS Manager.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

From the expanded list, click to select and then right-click the zone name.

From the displayed context menu, click DNSSEC>>Properties.

Click the KSK tab.

For each KSK that is listed under Key signing keys (KSKs), click the KSK, click Edit, and in the Key Rollover section, select the 'Enable automatic rollover' check box.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_Server_DNS_V2R7_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-20b., CAT|II, CCI|CCI-001663, Rule-ID|SV-215621r961107_rule, STIG-ID|WDNS-SC-000013, STIG-Legacy|SV-73105, STIG-Legacy|V-58675, Vuln-ID|V-215621

Plugin: Windows

Control ID: 22b5636a2c505aad3d5429f0029183a6a10f88f98439831a8b36ae5c7b5f369f