F5 BIG-IP TMOS DNS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time durin...Rule Medium Severity -
An authoritative name server must be configured to enable DNSSEC Resource Records.
The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF's DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the sou...Rule Medium Severity -
The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
Hosts that run the name server software must not provide any other services and therefore must be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocol...Rule Medium Severity -
The validity period for the RRSIGs covering the DS RR for a zones delegated children must be no less than two days and no more than one week.
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time durin...Rule Medium Severity -
SRG-APP-000383-DNS-000047
Group -
The F5 BIG-IP DNS implementation must prohibit recursion on authoritative name servers.
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers tha...Rule Medium Severity -
SRG-APP-000516-DNS-000078
Group -
SRG-APP-000516-DNS-000089
Group -
SRG-APP-000516-DNS-000095
Group -
Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
Authoritative name servers (especially primary name servers) must be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests ca...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.