On the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months.
An XCCDF Rule
Description
<VulnDiscussion>The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers and thus compounds the vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-207600r612253_rule
- Severity
- Low
- References
- Updated
Remediation - Manual Procedure
In the case of third-party CDNs or cloud offerings, document the mission need with the AO.
Edit the zone file.
Remove CNAME records that are older than six months that do not meet the CDN or cloud offering criteria.