The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-214202 | SRG-APP-000516-DNS-000078 | IDNS-7X-000710 | SV-214202r612370_rule | 2020-12-10 | 2 |
| Description |
|---|
| An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing. To minimize the impact of a compromised ZSK, a zone administrator should set a rollover interval of no less than two months for the ZSK. |
| ℹ️ Check |
|---|
| Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable. Review the Infoblox DNSSEC configuration and validate the ZSK rollover interval is configured for a range of no more than two months. Navigate to Data Management >> DNS >> Grid DNS properties. Toggle Advanced Mode and click on the "DNSSEC" tab. Validate the “Zone-Signing Key Rollover Interval” is configured to a value of less than two months. If the “Zone-Signing Key Rollover Interval” is configured to a value more than two months, this is a finding. When complete, click "Cancel" to exit the "Properties" screen. |
| ✔️ Fix |
|---|
| Navigate to Data Management >> DNS >> Grid DNS Properties. Toggle “Advanced Mode” and select the "DNSSEC" tab. Modify the “Zone-Signing Key Rollover Interval” to a period of less than two months. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. Perform a service restart if necessary. Follow manual key rollover procedures and ensure changes are published to all applicable systems, including parent DNS systems. |