
The DNS server implementation must uniquely identify the other DNS server before responding to a server-to-server transaction.

An XCCDF Rule

Description

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG(0)), thus uniquely identifying the other server.

Documentable: false

ID
SV-205169r879599_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Configure the DNS server to verify another DNS server's unique identity, through the use of TSIG or SIG(0), when accepting server-to-server (zone transfer) transactions from other DNS servers.
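As an added example (not part of the STIG text), the following BIND 9.16+ named.conf fragments show the TSIG form of this control: one key unique to the primary/secondary pair, with zone transfers on the primary restricted to requests signed by that key. The zone name, addresses and key name are constructed placeholders, and the secret must be replaced with output from `tsig-keygen`.

```conf
// --- primary (192.0.2.1) ---
// One TSIG key per server pair; never reuse a key across pairs.
key "xfer-primary-secondary" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen==";   // placeholder
};

zone "example.test" {
    type primary;
    file "example.test.db";
    // Only AXFR/IXFR requests signed with this key are answered;
    // an unsigned request, even from 192.0.2.2, is refused.
    allow-transfer { key "xfer-primary-secondary"; };
};

// --- secondary (192.0.2.2) ---
key "xfer-primary-secondary" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen==";   // same secret as primary
};

// Sign every request sent to the primary with the pair key.
server 192.0.2.1 {
    keys { "xfer-primary-secondary"; };
};

zone "example.test" {
    type secondary;
    primaries { 192.0.2.1; };
    file "example.test.db";
};
```

To check the control, an unsigned `dig @192.0.2.1 example.test AXFR` from the secondary should now be refused, while the same query with `-y hmac-sha256:xfer-primary-secondary:<secret>` should complete the transfer.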