The DNS server implementation must uniquely identify the other DNS server before responding to a server-to-server transaction.
An XCCDF Rule
Description
<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG(0)), thus uniquely identifying the other server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-205169r960999_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure the DNS server to verify another DNS server's unique identify, through the use of TSIG or SIG(0), when accepting server-to-server (zone transfer) transactions from other DNS servers.