From Infoblox 7.x DNS Security Technical Implementation Guide
Part of SRG-APP-000516-DNS-000078
Associated with: CCI-000366
An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing.
Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable. Review the Infoblox DNSSEC configuration and validate the ZSK rollover interval is configured for a range of no less than two months. Navigate to Data Management >> DNS >> Grid DNS properties. Toggle Advanced Mode and click on the "DNSSEC" tab. Validate the “Zone-Signing Key Rollover Interval” is configured to a value of no less than two months. If the “Zone-Signing Key Rollover Interval” is configured to a value less than two months, this is a finding. When complete, click "Cancel" to exit the "Properties" screen.
Navigate to Data Management >> DNS >> Grid DNS Properties. Toggle “Advanced Mode” and select the "DNSSEC" tab. Modify the “Zone-Signing Key Rollover Interval” to a period of no less than two months. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. Perform a service restart if necessary. Follow manual key rollover procedures and ensure changes are published to all applicable systems, including parent DNS systems.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer