V-233913

Discussion

If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. DNSSEC is intended for third-party authenticity determination. Attempting to utilize DNSSEC internally was never an intended use case as it would require every consumer to have a third-party validating resolver installed along with a mechanism for periodic trust anchor distribution/update. It is recommended for external zones only. Satisfies: SRG-APP-000426-DNS-000059, SRG-APP-000427-DNS-000060, SRG-APP-000428-DNS-000061, SRG-APP-000429-DNS-000062

Check Content

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 

1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab. 
3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 
4. When complete, click "Cancel" to exit the "Properties" screen. 

If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.