Only the private key corresponding to the ZSK must be kept on the name server that supports dynamic updates.
An XCCDF Rule
Description
<VulnDiscussion>Infoblox systems, when deployed in a Grid configuration, store DNSSEC keys on the designated Grid Master system. As the central point of administration, the Grid Master should be configured for administration of the DNS, DHCP, and IP Address Management (IPAM) system. No clients should be configured to use the Grid Master or the backup Grid Master Candidate systems for protocol transactions. An alternative solution is deployment of a Hardware Security Module (HSM), which provides hardware-encrypted storage of key data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-214165r612370_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
Navigate to Data Management >> DNS >> Zones.
Select the zone and click "Edit", then select the "Name Servers" tab.
Mark the Grid Master as "Stealth". If no other name servers are listed, one must be added before the configuration can be valid.
When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
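The procedure above is done per zone in the GUI; as an added example (not part of the STIG or of Infoblox's own tooling), the following Python check audits a constructed list of zone records for the two conditions the remediation requires: the Grid Master is marked stealth, and at least one other name server is listed. The record shape (`fqdn`, `grid_primary`, `grid_secondaries`, `name`, `stealth`) and the Grid Master hostname are assumptions made for this example.

```python
import json

# Constructed sample records. The field layout is an assumption for this
# example (it imitates a zone export with primary/secondary member lists);
# it is not taken from the rule text or from Infoblox documentation.
SAMPLE_ZONES = json.loads("""
[
  {"fqdn": "example.test",
   "grid_primary": [{"name": "gm.example.test", "stealth": true}],
   "grid_secondaries": [{"name": "ns1.example.test", "stealth": false}]},
  {"fqdn": "internal.test",
   "grid_primary": [{"name": "gm.example.test", "stealth": false}],
   "grid_secondaries": [{"name": "ns1.example.test", "stealth": false}]},
  {"fqdn": "lonely.test",
   "grid_primary": [{"name": "gm.example.test", "stealth": true}],
   "grid_secondaries": []}
]
""")

GRID_MASTER = "gm.example.test"  # hypothetical Grid Master hostname


def check_zone(zone, grid_master=GRID_MASTER):
    """Return the list of findings for one zone; an empty list means compliant."""
    findings = []
    servers = zone.get("grid_primary", []) + zone.get("grid_secondaries", [])
    gm_entries = [s for s in servers if s["name"] == grid_master]
    others = [s for s in servers if s["name"] != grid_master]
    # Condition 1: every listing of the Grid Master must be stealth, so it is
    # never published in the zone's NS set and never answers client queries.
    for entry in gm_entries:
        if not entry.get("stealth", False):
            findings.append("Grid Master is listed as a visible name server")
    # Condition 2: a stealth-only server set is invalid; another server is needed.
    if gm_entries and not others:
        findings.append("no name server other than the Grid Master is listed")
    return findings


def audit(zones, grid_master=GRID_MASTER):
    """Map each non-compliant zone FQDN to its findings."""
    report = {}
    for zone in zones:
        findings = check_zone(zone, grid_master)
        if findings:
            report[zone["fqdn"]] = findings
    return report


if __name__ == "__main__":
    for fqdn, issues in audit(SAMPLE_ZONES).items():
        print(fqdn, "->", "; ".join(issues))
```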