The Windows DNS Server must implement a local cache of revocation data for PKI authentication.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-259371	SRG-APP-000401-DNS-000051	WDNS-22-000043	SV-259371r1015766_rule	2025-02-25	2

Description
Not configuring a local cache of revocation data could allow access to users who are no longer authorized (users with revoked certificates). SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. In cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable.

ℹ️ Check
Consult with the system administrator to determine if a third-party CRL server is being used for certificate revocation lookup. If there is, determine if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site. If there is no local cache of revocation data, this is a finding.

ℹ️ Check

Consult with the system administrator to determine if a third-party CRL server is being used for certificate revocation lookup. If there is, determine if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site. If there is no local cache of revocation data, this is a finding.

✔️ Fix
Configure local revocation data to be used in the event access to Certificate Authorities is hindered.