Details
Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes.
Confidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both digitally sign DNS information to authenticate its source and ensure its integrity.
Solution
Sign, or re-sign, the hosted zone(s) on the DNS server being validated.
Log on to the DNS server using the account designated as Administrator or DNS Administrator.
Press Windows Key + R, execute dnsmgmt.msc.
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.
From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click Sign the Zone, either using approved saved parameters or approved custom parameters.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Windows.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Rule-ID|SV-215577r561297_rule
- STIG-ID|WDNS-CM-000007
- STIG-Legacy|SV-73017
- STIG-Legacy|V-58587
- Vuln-ID|V-215577