Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Infoblox 8.x DNS Security Technical Implementation Guide
SRG-APP-000176-DNS-000094
SRG-APP-000176-DNS-000094
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-APP-000176-DNS-000094
1 Rule
<GroupDescription></GroupDescription>
The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Key Signing Key (KSK) residing on it.
High Severity
<VulnDiscussion>The private keys in the Key Signing Key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. This strategy is not feasible in situations in which the DNSSEC-aware name server has to support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) must have both the zone file master copy and the private key corresponding to the ZSK (ZSK-private) online to immediately update the signatures for the updated resource record (RR) sets. The private key corresponding to the KSK (KSK-private) can still be kept offline. On Infoblox, Domain Name System Security Extension (DNSSEC) Zone Signing Keys (ZSKs) are stored on either a Hardware Security Module or the Infoblox Grid Master. By configuring the Grid Master as "stealth" to prevent client communications to the Infoblox Grid Master and ensuring the Grid Master uses an encrypted management tunnel to update DNS members serving DNSSEC signed zones, the DNSSEC keys are protected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>