
V-265990

CAT I (High)

The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.

Rule ID: SV-265990r1024864_rule

STIG: F5 BIG-IP TMOS DNS Security Technical Implementation Guide

Version: V1R1

CCIs: CCI-001184

Discussion

DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.

Check Content

If the BIG-IP is transferring zones from a non-BIG-IP DNS server, perform the following.

From the BIG-IP GUI:
1. DNS.
2. Zones.
3. Click on the Zone Name.
4. Under the TSIG section verify a "Server Key" is selected.

From the BIG-IP Console, type the following command:

tmsh list ltm dns zone <name> server-tsig-key

Note: The command must return a value other than "none".

If the BIG-IP appliance is not configured to protect the authenticity of communications sessions for zone transfers, this is a finding.
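As an added example that is not part of the STIG text or of F5's tooling, the following POSIX shell script audits a tmsh zone listing and reports every zone whose server-tsig-key is "none" (or absent), which is the condition the check above calls a finding. The sample listing is constructed; the exact brace-delimited format of tmsh output and the use of "tmsh list ltm dns zone server-tsig-key" to list all zones in one call are assumptions.

```shell
#!/bin/sh
# Added example (not from the STIG or from F5): audit tmsh "ltm dns zone"
# listing text for zones with no server TSIG key (V-265990).
#
# Assumption: on a BIG-IP the listing would be captured with
#     tmsh list ltm dns zone server-tsig-key
# and the format below approximates tmsh's brace-delimited output.

# Constructed sample listing: one zone with a server key, one without.
SAMPLE_TMSH_OUTPUT='ltm dns zone corp.example {
    server-tsig-key /Common/corp-xfer-key
}
ltm dns zone lab.example {
    server-tsig-key none
}'

# find_unkeyed_zones: read listing text on stdin and print the name of
# every zone whose server-tsig-key is "none" or is missing entirely.
find_unkeyed_zones() {
    awk '
        /^ltm dns zone /            { zone = $4; key = "none" }
        /^[ \t]*server-tsig-key /   { key = $2 }
        /^}/                        { if (key == "none") print zone; zone = "" }
    '
}

# check_zone_tsig: return 0 when every zone in the listing ($1) has a
# server TSIG key, 1 (finding) when at least one zone does not.
check_zone_tsig() {
    unkeyed=$(printf '%s\n' "$1" | find_unkeyed_zones)
    [ -z "$unkeyed" ]
}

# Stand-alone run against the constructed sample (lab.example is a finding).
if check_zone_tsig "$SAMPLE_TMSH_OUTPUT"; then
    echo "OK: all zones have a server TSIG key"
else
    echo "FINDING: zones without a server TSIG key:"
    printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | find_unkeyed_zones
fi
```

On a live device the listing would be piped in instead of the sample, for example by replacing the sample variable with the captured output of the tmsh command; the script itself never modifies configuration.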

Fix Text

From the BIG-IP GUI:
1. DNS.
2. Zones.
3. Click on the Zone Name.
4. Under the TSIG section, select a "Server Key" from the drop-down menu.
5. Click "Update".

From the BIG-IP Console, type the following commands:
tmsh modify ltm dns zone <zone name> server-tsig-key <TSIG key name>
tmsh save sys config