The Key Signing Key (KSK) rollover interval must be configured to no less than one year.

From Infoblox 7.x DNS Security Technical Implementation Guide

Part of SRG-APP-000214-DNS-000079

Associated with: CCI-001179

SV-83025r3_rule The Key Signing Key (KSK) rollover interval must be configured to no less than one year.

Vulnerability discussion

The DNS root key is a cryptographic public-private key pair used for DNSSEC signing of the DNS root zone records. The root zone KSK serves as the anchor for the “chain of trust” that enables DNS resolvers to validate the authenticity of any signed data in the DNS. The integrity of the DNS depends on a secure root key. Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.Maintaining an up-to-date KSK is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. To prevent the impact of a compromised KSK, a delegating parent should also set the signature validity period for RRSIGs covering DS RRs in the range of a few days to one week. This re-signing does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover should still be performed at regular intervals.

Check content

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable. Navigate to Data Management >> DNS >> Grid DNS properties. Toggle "Advanced Mode" and click on the "DNSSEC" tab. Validate the “Key-Signing Key Rollover Interval” is configured to a value of no less than one year. If the “Key-Signing Key Rollover Interval” is configured to more than one year, this is a finding.

Fix text

Navigate to Data Management >> DNS >> Grid DNS Properties. Toggle Advanced Mode and select the "DNSSEC" tab. Modify the “Key-Signing Key Rollover Interval” to a period of no less than one year. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. Perform a service restart if necessary. Follow manual key rollover procedures and ensure changes are published to all applicable systems, including parent DNS systems.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer