The F5 BIG-IP DNS server implementation must validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-265987	SRG-APP-000349-DNS-000043	F5BI-DN-300020	SV-265987r1024862_rule	2024-09-09	1

Description
Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically. DNSSEC and TSIG/SIG(0) technologies are not effective unless the digital signatures they generate are validated to ensure that the information has not been tampered with and that the producer's identity is legitimate.

Description

Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically. DNSSEC and TSIG/SIG(0) technologies are not effective unless the digital signatures they generate are validated to ensure that the information has not been tampered with and that the producer's identity is legitimate.

ℹ️ Check
From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Nameservers. 4. Click the Name of the Nameserver. 5. Verify that a value is selected for "TSIG Key". If the BIG-IP appliance is not configured to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer), this is a finding.

✔️ Fix
From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Nameservers. 4. Click the Name of the Nameserver. 5. Select a value from the "TSIG Key" drop-down menu. Note: To create a TSIG Key, go to DNS >> Delivery >> Keys >> TSIG Key List. 6. Click "Finished".