Rule ID
SV-233906r1082703_rule
Version
V1R2
CCIs
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Note: For Infoblox Grids that run in FIPS mode, this requirement is Not Applicable. Refer to the Administrator Guide for more information on FIPS Mode. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Validate that all Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs) use FIPS-approved algorithms. 4. When complete, click "Cancel" to exit the "Properties" screen. If non-FIPS-approved algorithms are in use, this is a finding.
Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Configure FIPS-compliant algorithms. 4. Follow manual key rollover procedures and update all noncompliant KSKs and ZSKs to use FIPS-approved algorithms.