From Infoblox 7.x DNS Security Technical Implementation Guide
Part of SRG-APP-000158-DNS-000015
Associated with: CCI-000778
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG, which enforces mutual server authentication using a key that is unique to each server pair (TSIG), thus uniquely identifying the other server.
Navigate to Data Management >> DNS >> Zones tab. Review each zone by clicking Edit and inspecting the "Name Servers" tab. If the all entries in the "Type" column are configured as "Grid", this check is not applicable. Verify that each zone which contains non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). If there is a non-Grid system which utilizes zone transfers but does not have a TSIG key, this is a finding. When complete, click "Cancel" to exit the "Properties" screen.
Navigate to Data Management >> DNS >> Zones tab. Select a zone and click "Edit". Click on "Zone Transfers" tab, and click "Override" for the "Allow Zone Transfers to" section. Use the radio button to select "Set of ACEs" and the "Add" dropdown to configure a TSIG key. It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. Perform a service restart if necessary. Verify zone transfers are operational after configuration of TSIG.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer