F5 BIG-IP TMOS DNS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516-DNS-000102
Group -
The F5 BIG-IP DNS must use valid root name servers in the local root zone file.
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to ...Rule Medium Severity -
SRG-APP-000516-DNS-000109
Group -
SRG-APP-000516-DNS-000090
Group -
The digital signature algorithm used for DNSSEC-enabled zones must be set to use RSA/SHA256 or RSA/SHA512.
The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: - Digi...Rule High Severity -
SRG-APP-000349-DNS-000043
Group -
The F5 BIG-IP DNS server implementation must validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptogra...Rule Medium Severity -
SRG-APP-000213-DNS-000024
Group -
A BIG-IP DNS server implementation must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
The underlying feature in the major threat associated with DNS query/response (e.g., forged response or response failure) is the integrity of DNS data returned in the response. The security objecti...Rule Medium Severity -
SRG-APP-000214-DNS-000079
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.