The DNS server implementation must validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer).

From Domain Name System (DNS) Security Requirements Guide

Associated with: CCI-000366 CCI-001904

SV-69221r1_rule The DNS server implementation must validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer).

Vulnerability discussion

Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically.DNSSEC and TSIG/SIG(0) technologies are not effective unless the digital signatures they generate are validated to ensure that the information has not been tampered with and that the producer's identity is legitimate.

Check content

Review the DNS server implementation configuration to determine if the DNS server validates the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer). If the DNS server does not validate the binding of the other DNS server's identity to the DNS information, this is a finding.

Fix text

Configure the DNS server to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.