From Infoblox 7.x DNS Security Technical Implementation Guide
Part of SRG-APP-000176-DNS-000096
Associated with: CCI-000186
Infoblox systems when deployed in a Grid configuration store DNSSEC keys on the designated Grid Master system. As the central point of administration, the Grid Master should be configured for administration of the DNS, DHCP, and IP Address Management (IPAM) system. No clients should be configured to utilize the Grid Master or backup Candidate systems for protocol transactions.
Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable. By default KSK private keys are stored on the Grid Master. The Grid Master will by default enable the DNS service when DNSSEC is enabled for internal processing. No clients are permitted to utilize the Grid Master DNS service. Navigate to Data Management >> DNS >> Zones. Review each zone by selecting the zone and clicking edit, and selecting the "Name Servers" tab. If the Grid Master is a listed name server and not marked "Stealth", this is a finding. If a HSM is utilized, no further checks are necessary. When complete, click "Cancel" to exit the "Properties" screen.
If the Grid Master stores the keys, review each DNS zone name server configuration to ensure the Grid Master does not appear as a name server (NS record); when configured in this manner the Grid Master is configured as a stealth name server and does not service client requests. Refer to the Infoblox STIG Overview document for additional information on HSM usage.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer