Domain Name System (DNS) Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000516

    Group
  • A unique TSIG key must be generated for each pair of communicating hosts.

    To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transa...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • All authoritative name servers for a zone must be geographically dispersed.

    In addition to network-based dispersion, authoritative name servers should be dispersed geographically as well. In other words, in addition to being located on different network segments, the autho...
    Rule Medium Severity
  • SRG-APP-000805

    Group
  • The DNS server implementation must automatically generate audit records of the enforcement actions.

    Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organization...
    Rule Medium Severity
  • SRG-APP-000810

    Group
  • The DNS server implementation must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

    Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device dr...
    Rule Medium Severity
  • SRG-APP-000815

    Group
  • The DNS server implementation must require users to be individually authenticated before granting access to the shared accounts or resources.

    Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.
    Rule Medium Severity
  • SRG-APP-000820

    Group
  • SRG-APP-000825

    Group
  • The DNS server implementation must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.

    A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.
    Rule Medium Severity
  • SRG-APP-000920

    Group
  • SRG-APP-000830

    Group
  • SRG-APP-000835

    Group
  • The DNS server implementation must, for password-based authentication, update the list of passwords on an organization-defined frequency.

    Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...
    Rule Medium Severity
  • SRG-APP-000840

    Group
  • SRG-APP-000845

    Group
  • SRG-APP-000850

    Group