Automatic Update of Trust Anchors must be enabled on key rollover.
An XCCDF Rule
Description
<VulnDiscussion>A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named "TrustAnchors.dns". A DNS server running Windows Server also displays configured trust anchors in the DNS Manager console tree in the "Trust Points" container. Trust anchors can also be viewed by executing Windows PowerShell commands or "Dnscmd.exe" at a Windows command prompt.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259384r945372_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.
Once the Server Manager window is initialized, from the left pane, click to select the DNS category.