The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.

An XCCDF Rule

Description

<VulnDiscussion>An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing. To minimize the impact of a compromised ZSK, a zone administrator should set a rollover interval of no less than two months for the ZSK. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-214202r612370_rule
Severity: Medium
References: CCI-000366
Updated: about 1 year ago

Navigate to Data Management >> DNS >> Grid DNS Properties. Toggle “Advanced Mode” and select the "DNSSEC" tab. 

Modify the “Zone-Signing Key Rollover Interval” to a period of less than two months. 

When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 
Perform a service restart if necessary. 

Follow manual key rollover procedures and ensure changes are published to all applicable systems, including parent DNS systems.

The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.

Description

Remediation - Manual Procedure