The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.
An XCCDF Rule
Description
<VulnDiscussion>Encrypting information for transmission protects it from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. Confidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both digitally sign DNS information to authenticate its source and ensure its integrity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259344r945246_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Sign or re-sign the hosted zone(s) on the DNS server being validated.
Log on to the DNS server using the account designated as Administrator or DNS Administrator.
Press the Windows key + R and execute "dnsmgmt.msc".