CCI-001663

Provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services), when operating as part of a distributed, hierarchical namespace.

Details
Associations

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

CCI-001663

The Infoblox DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

The Infoblox DNS server must enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet.

The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.

The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data.

Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers.

Automatic Update of Trust Anchors must be enabled on key rollover.

A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information.

A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies.

The DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

An authoritative name server must be configured to enable DNSSEC Resource Records.

The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).

The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data.

Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers.