From Domain Name System (DNS) Security Requirements Guide
Part of SRG-APP-000516-DNS-000078
Associated with: CCI-000366
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing.
Review the DNS configuration files. Ensure the validity period for RRSIGs has been explicitly configured and is configured for a range of no less than two days and no more than one week. If the validity period for the RRSIGs covering a zone's DNSKEY RRSet is less than two days or greater than one week, this is a finding.
Configure RRSIGs covering each zone's DNSKEY RRSet to be greater than two days and less than one week.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer