Rule ID
SV-265989r1024498_rule
Version
V1R1
CCIs
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods must be short, which will require frequent resigning. To prevent the impact of a compromised KSK, a delegating parent must set the signature validity period for RRSIGs covering DS RRs in the range of a few days to one week. This resigning does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover must still be performed at regular intervals.
KSK validity period From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the KSK. 6. Verify the "Signature Validity Period" is between two and seven days. ZSK validity period From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the name of the ZSK. 6. Verify the "Signature Validity Period" is between two and seven days. If the BIG-IP appliance is not configured with a validity period for the RRSIGs covering a zones DNSKEY RRSet of no less than two days and no more than one week, this is a finding.
KSK validity period From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the KSK. 6. Configure the "Signature Validity Period" to two and seven days. 7. Click "Update". ZSK validity period From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the ZSK. 6. Configure the "Signature Validity Period" to two and seven days. 7. Click "Update".