The Windows DNS Server must protect the authenticity of query responses via DNSSEC.
An XCCDF Rule
Description
<VulnDiscussion>The major threat to the DNS query/response transaction (i.e., a forged response or a response failure) is to the integrity of the DNS data returned in the response. An integral part of integrity verification is ensuring that valid data originated from the correct source. DNSSEC is required to secure the DNS query/response transaction: it provides data origin authentication and data integrity verification through signature validation and the chain of trust.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-259391r945329_rule
- Severity: Medium
- References:
- Updated:
Remediation - Manual Procedure
Sign or re-sign the hosted zone(s) on the DNS server being validated.
In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones".
Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either saved parameters or custom parameters.
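The following PowerShell script is an added example, not part of the STIG text: it audits the hosted forward lookup zones for DNSSEC signing with the DnsServer module and, only when run with the assumed `-Remediate` switch, performs the "Sign the Zone" step with the server's saved (default) parameters. The zone filtering and the output format are my assumptions.

```powershell
# Added example: check which hosted forward lookup zones are DNSSEC signed and
# optionally sign the unsigned ones. Run in an elevated session on the DNS
# server being validated (requires the DnsServer module from the DNS Server role).
param(
    [string] $ComputerName = $env:COMPUTERNAME,
    [switch] $Remediate      # assumed switch: without it the script only reports
)

Import-Module DnsServer -ErrorAction Stop

# Only hosted (primary) forward lookup zones are in scope for this rule;
# reverse, stub, forwarder, auto-created and the TrustAnchors zones are skipped.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object {
        $_.ZoneType -eq 'Primary' -and
        -not $_.IsReverseLookupZone -and
        -not $_.IsAutoCreated -and
        $_.ZoneName -ne 'TrustAnchors'
    }

$findings = foreach ($zone in $zones) {
    [pscustomobject]@{
        ZoneName     = $zone.ZoneName
        IsSigned     = [bool]$zone.IsSigned
        ADIntegrated = [bool]$zone.IsDsIntegrated
        Status       = if ($zone.IsSigned) { 'Compliant' } else { 'Open' }
    }
}

$findings | Format-Table -AutoSize

$unsigned = @($findings | Where-Object { -not $_.IsSigned })
if ($unsigned.Count -eq 0) {
    Write-Host 'All hosted forward lookup zones are DNSSEC signed.'
    return
}

if ($Remediate) {
    foreach ($f in $unsigned) {
        # Equivalent of DNSSEC > "Sign the Zone" with saved (default) parameters.
        # Set the organization's key parameters as the server defaults first.
        Invoke-DnsServerZoneSign -ZoneName $f.ZoneName -ComputerName $ComputerName -SignWithDefault -Force
        $signed = (Get-DnsServerZone -Name $f.ZoneName -ComputerName $ComputerName).IsSigned
        Write-Host ('{0}: signed = {1}' -f $f.ZoneName, $signed)
    }
}
else {
    Write-Warning ('{0} unsigned zone(s) found; rerun with -Remediate to sign them.' -f $unsigned.Count)
}
```

After signing, `Resolve-DnsName -Name <zone> -Type SOA -Server localhost -DnssecOk` should return RRSIG records alongside the SOA, which confirms the zone is serving signed responses.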