kriterion 0.0.1

data/standards/stig_desktop_applications_general.json

@@ -0,0 +1,41 @@
+{
+  "name": "stig_desktop_applications_general",
+  "date": "2014-10-03",
+  "description": "None",
+  "title": "Desktop Applications General",
+  "version": "None",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-6355",
+      "title": "An appropriate backup strategy does not exist for the data.",
+      "description": "Data integrity and availability are key security objectives.  Adequate data backup is one strategy that is crucial to meeting these objectives.  Although users of desktop applications may not be creating mission critical data, all their data represents a resource that, if lost, could result in a permanent loss of information or productivity.\n\nA backup strategy is highly dependent on the physical and logical environments.  In environments where users frequently operate disconnected from a LAN, as in the case of notebook PC users who travel, it is not generally practical for the users to store all their data on a file server.  Developers may require standalone copies of program code while additions or alterations are in progress.  For these and other reasons, strict requirements for desktop backup are not addressed in this document.  However, this section does provide recommendations that should be considered.\n\nUsers should make conscious decisions about the physical location where desktop application data is stored.  They should be aware of the backup policy for that location.  Any backup policy should be implemented in accordance with the following:\n\n-\tMission critical data should be stored on file servers with a formal data backup policy.  Storage of mission critical data on desktop machines should be considered temporary.\n\n-\tTo the greatest extent possible, data files should be stored in a directory hierarchy that is separate from program files.\n\n-\tAn incremental, or change-based, backup solution can be used daily.\n\n-\tA full data backup solution should be used at least weekly.\n\n-\tUse of a Compact Disk-Recordable (CD-R) or Compact Disk-ReWritable (CD-RW) drive should be considered for desktop machines.  CD-R and CD-RW disks provide high capacity at relatively low cost.\n\n-\tThe backup data should be stored on media or another machine that is not physically close to the original data source.\n\n-\tBackup media should receive proper care according to its characteristics.  Regular rotation of tape media is necessary to ensure usability.  The media should be clearly labeled, including any appropriate security classification marking.\n\n-\tBackup tools and schedules should be documented.\n\n-\tRestoration tools and methods should be documented and they should be tested via restoration at least annually.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6356",
+      "title": "Public instant message clients are installed.",
+      "description": "Instant Messaging or IM clients provide a way for a user to send a message to one or more other users in real time.  Additional capabilities may include file transfer and support for distributed game playing.  Communication between clients and associated directory services are managed through messaging servers.  Commercial IM clients include AOL Instant Messenger (AIM), MSN Messenger, and Yahoo! Messenger, and Skype.  The Windows XP operating system includes the Windows Messenger component as an IM client.  (This should not be confused with Windows Messaging which is a service within Windows.)\n\nIM clients present a security issue when the clients route messages through public servers.  The obvious implication is that potentially sensitive information could be intercepted or altered in the course of transmission.  This same issue is associated with the use of public e-mail servers.\n\nIn order to reduce the potential for disclosure of sensitive Government information and to ensure the validity of official government information, IM clients that connect to public instant messaging services will not be installed. \n\nNOTE:  Clients used to access an internal or DoD controlled IM applications are permitted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6357",
+      "title": "Peer to Peer clients or utilities are installed.",
+      "description": "File-sharing utilities and clients can provide the ability to share files with other users (Peer-to-Peer Sharing).  This type of utility is a security risk due to the potential risk of loss of sensitive data and the broadcast of the existence of a computer to others.  There are also many legal issues associated with these types of utilities including copyright infringement and intellectual property issues.  These types of utilities and clients include the following examples, Napster, Gnutella, Kazaa, and Freenet.\n\nNOTE:  Clients used to access an internal or DoD controlled file-sharing system are permitted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6878",
+      "title": "Execution Restricted File Type Properties ",
+      "description": "For certain file types, it is necessary to take steps to ensure that the default method of opening the file does not allow mobile code to be executed.  Two techniques to achieve this goal are discussed here—altering the default file type Action and deleting the file type definition.  Although methods of removing Microsoft’s Windows Script Host (WSH) component might meet most of this requirement, that technique should not be the first choice.  It would disable functionality that might be in use for other purposes, and the specific method used would have to be compatible with the Windows File Protection (WFP) feature present in later versions of Windows.\n\nThe default Action property can be altered to change the standard default Action from Open to Edit.  When this technique is used, instead of executing a program with the file contents as code, an editor is opened with the file contents as a document.  For example for a .vbs file, the Open action may be the command ’C:\\WINNT\\System32\\Wscript.exe \"%1\" %*’ and the Edit action may be the command ‘C:\\WINNT\\System32\\Notepad.exe \"%1\" %*’.  Changing the default action to Edit results in a Notepad window opening up instead of the file being executed by the Windows Scripting Host when the .vbs file is opened.  For non-technical user communities, an alternative that may be more appropriate is to have the Edit action be the command ’C:\\WINNT\\System32\\Notepad.exe \"C:\\MC_Warn.txt\"’, where the file C:\\MC_Warn.txt is created locally and contains a warning that the user has attempted to open a potentially dangerous file.\n\nWhen altering the default file type Action is the technique used, the Always show extension setting adds additional value.  This ensures that users can see the file type before attempting to open it.\n\nWhile the alternate technique of deleting existing Windows file type definitions does provide security, it is not always a more secure long-term solution.  During maintenance or product installation, a non-existent file type is usually defined while existing file type properties are usually not overwritten.\n\nRegardless of which technique is used, the significant result is that when an attempt is made to open certain files using default application actions, any code in the file is not executed.\n\nFIle extensions of certain files should not be hidden.  Users can double click a file without knowing what type of file (or which application) is being opened.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6879",
+      "title": "Open-restricted File Type Properties",
+      "description": "For some file types, providing the user an opportunity to cancel the opening of the file provides adequate protection for most environments.  Files that are opened with applications that include internal controls on code execution are good candidates for this technique.\n\nThe Open Confirmation property, enabled through the Confirm open after download setting, provides a notice to the user that allows them to open the file, save the file to disk, or cancel the file open task.  The Always show extension setting adds additional value. This ensures that users can see the file type before attempting to open it.\n\nThe Values of confirm after download and always show extension give the users additional information about a file so a decision can be made as to whether it should be opened.\n\nThe command line tool, ’assoc’, can be used to determine if a given file type definition exists.  For example, on typical Windows systems the command ’assoc.bat’ returns ’.bat=batfile’ indicating that the extension .bat is defined and that the properties are stored in the Windows Registry under the key batfile.\n\nWindows Explorer can be used to manually display and configure the Actions, Always Show Extension, and Open Confirmation properties.  In Windows 2000 and XP use the File Types tab of the Tools | Folder Options dialog in Windows Explorer.\n\nIt must be recognized that performing these changes does not eliminate the danger from malicious code.  Such code could come from a number of sources and use trigger techniques other than the Windows file type open action.  Thus the changes documented here are not a substitute for an anti-virus tool with current definitions.\n\nNOTE:\tThe application of this change affects the behavior of all Windows applications that utilize the affected Registry settings.\n",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_dns_policy.json

@@ -0,0 +1,155 @@
+{
+  "name": "stig_dns_policy",
+  "date": "2018-04-05",
+  "description": "The DNS Policy Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems.  Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "DNS Policy",
+  "version": "4",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-13032",
+      "title": "A name server is not protected by equivalent or better physical access controls than the clients it supports.",
+      "description": "If an adversary can compromise a name server, then the adversary can redirect most network traffic sent to the hosts defined on that name server.  Therefore, the security of the name server is as critical as the security of the hosts it protects.  It is understood that different hosts require different levels of physical security.  Nevertheless, the name server should not have weaker physical access controls than the computers it supports because this would, in effect, reduce the security of those hosts as well.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13034",
+      "title": "The DNS log archival requirements do not meet or exceed the log archival requirements of the operating system on which the DNS software resides.",
+      "description": "Name servers are dedicated to the DNS function and, as a result, the most critical security and operations events on those name servers will appear in the DNS logs.  Different sites may have different policies regarding archival, but the DNS logs should be maintained in an equivalent (or better) manner as the operating system logs.  Therefore, if operating system logs are stored for a year, then DNS logs should be stored for at least a year.  If operating system logs are written to read-only media, then the DNS logs should be written to read-only media as well.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13035",
+      "title": "DNS logs are not reviewed daily or a real-time log analysis or network management tool is not employed to immediately alert an administrator of critical DNS system messages.",
+      "description": "If a responsible administrator does not review DNS logs daily, then there is the potential that an attack or other security issue can go unnoticed for a day or more, which is unacceptable in DOD environments.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13036",
+      "title": "A list of personnel authorized to administer each zone and name server is not maintained.",
+      "description": "If an organization does not document who is responsible for the DNS function, then there is a significant potential that unauthorized individuals will obtain privileged access to name servers. During a security breach, it will be difficult to assign accountability for improper transactions if it is not known who is responsible for this function.\n\nThe roles of the SA and the DNS administrator or DNS manager are generally understood but are often used interchangeably. The SA is responsible for the OS, while the DNS administrator or DNS manager usually manages the DNS zones. In some cases, the SA is also the DNS administrator/DNS manager, which is why guidance tends to be written in a certain fashion. The application development group should refer to the supporting organization for the application when application issues arise from meeting DNS server requirements.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-13037",
+      "title": "A patch and DNS software upgrade log; to include the identity of the administrator, date and time each patch or upgrade was implemented,  is not maintained.",
+      "description": "DNS software has a history of vulnerabilities and new ones may be discovered at any time.  To ensure that attackers cannot take advantage of known DNS vulnerabilities applicable software patches and patches must be applied.  Patch and DNS software upgrade documentation must be maintained to ensure the DNS name servers are protected from these vulnerabilities and current with required patches and software upgrades.",
+      "severity": "low"
+    },
+    {
+      "id": "V-13038",
+      "title": "Operating procedures do not require that DNS configuration, keys, zones, and resource record data are backed up on any day on which there are changes.",
+      "description": "If a name servers configuration, keys, zones, and resource record information is not backed up on any day in which there are changes, there is a risk that an organization cannot quickly recover from the loss of the server.  In addition, forensic analysis of security incidents is considerably more difficult if there is not reliable evidence of when changes may have occurred.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13039",
+      "title": "Configuration change logs and justification for changes are not maintained.",
+      "description": "If changes are made to the configuration without documentation, it is often difficult to determine the root cause of an operational problem or understand the circumstances in which a security breach occurred.  Without adequate configuration change records, it is also more difficult for the IAO and other oversight personnel to track major activity, which is critical to information assurance.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13040",
+      "title": "Written procedures for the replacement of cryptographic keys used to secure DNS transactions does not exist. ",
+      "description": "Without adequate TSIG supersession procedures, there is the potential that an unauthorized person may be able to compromise the key.  Once in possession of the key, that individual might be able to update DNS records by configuring a machine to masquerade as a zone partner.  Since name servers are configured to accept updates signed by a valid key, there may be no other administrative or technical controls to prevent this type of security breach.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13041",
+      "title": "The IAO has not established written procedures for the process of updating zone records, who is authorized to submit and approve update requests, how the DNS administrator verifies the identity of the person from whom he/she received the request, and how the DNS administrator documents any changes made. ",
+      "description": "If the procedures for updating zone records are inadequate, then this increases the probability that adversary  perhaps even an insider will be able to modify the DNS records using weaknesses in administrative processes rather than weaknesses in technical controls.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13042",
+      "title": "An authoritative master name server does not have at least one and preferably two or more active slave servers for each of its zones. The slave server does not reside on a separate host.",
+      "description": "A critical component of securing an information system is ensuring its availability.  The best way to ensure availability is to eliminate any single point of failure in the system itself and in the network architecture that supports it.\n\nFortunately, the inherent design of DNS supports a high-availability environment.  Master and slave servers regularly communicate zone information, so if any name server is disabled at any time, another can immediately provide the same service.  The task for the network architect is to ensure that a disaster or outage cannot simultaneously impact both the master and all of its slave servers.  If a disaster occurs, the DNS protocols cannot prevent total loss of name resolution services for hosts within affected zones.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-13043",
+      "title": "Name servers authoritative for a zone are not located on separate network segments if the host records described in the zone are themselves located across more than one network segment.",
+      "description": "A critical component of securing an information system is ensuring its availability.  The best way to ensure availability is to eliminate any single point of failure in the system itself and in the network architecture that supports it.\n\nFortunately, the inherent design of DNS supports a high-availability environment.  Master and slave servers regularly communicate zone information, so if any name server is disabled at any time, another can immediately provide the same service.  The task for the network architect is to ensure that a disaster or outage cannot simultaneously impact both the master and all of its slave servers.  If a disaster occurs, the DNS protocols cannot prevent total loss of name resolution services for hosts within affected zones.\n\nThe solution is to disperse name servers in such a way as to avoid single points of failure.  At minimum, authoritative name servers for the same zone should be on different network segments in order that at least one name server is available in the event that a router or switch fails.  This fault tolerance should also extend to wide area data communications lines.  For example, if a site has multiple leased lines connecting the network on which the name server resides to a larger network such as the NIPRNet, routing protocols should be configured such that if one of the lines fails, another one will still be available to support the name server.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-13044",
+      "title": "A zone includes hosts located in more than one building or site, yet at least one of the authoritative name servers supporting the zone is not as geographically and topologically distributed as the most remote host.\n\n",
+      "description": "When authoritative name servers are co-located in the same facility, the loss of the facility likely leads to the loss of access to all servers defined in their zones (i.e., nobody can resolve their names).  If one or more of the hosts in the supported zones are located at a different site, they would be effectively down even though they would otherwise be fully operational.  This scenario can only be prevented with geographic dispersal of name servers.  Organizations should also be prepared for greater disasters, such as the destruction of a building, an entire campus, or in the case of a hurricane, an entire city.  In situations in which all the hosts defined on an authoritative name server are located in the same building as the name server, then loss of DNS will not impact availability of service simply because the computing infrastructure is already down.  On the other hand, if all the authoritative name servers for a zone reside in a single building, but hosts defined within the zone are located elsewhere, then the loss of the DNS will impact service.  The loss of service occurs because users (and other infrastructure devices and servers) will not be able to resolve host names for servers/services that are otherwise still operational at an unaffected site.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13045",
+      "title": "Private IP space is used within an Enclave without the use of split DNS to prevent private IPs from leaking into the public DNS system. ",
+      "description": "DNS operators should assume that any data placed in the DNS would be available to anyone connected to the Internet. Split DNS shall not be considered a mitigating factor or technique to deny DNS information to an attacker. Split DNS will continue to be required in one situation only: to prevent address space that is private (e.g., 10.0.0.0/24) or is otherwise concealed by some form of Network Address Translation from leaking into the public DNS system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-13046",
+      "title": "The DNS database administrator has not documented the owner of each zone (or group of related records) and the date the zone was created, last modified, or verified.  This documentation will preferably reside in the zone file itself through comments, but if this is not feasible, the DNS database administrator will maintain a separate database for this purpose.",
+      "description": "A zone file should contain adequate documentation that would allow an IAO or newly assigned administrator to quickly learn the scope and structure of that zone.  In particular, each record (or related set of records, such as a group of LAN workstations) should be accompanied by a notation of the date the record was created, modified, or validated and record the owner’s name, title, and organizational affiliation.  The owner of a record is an individual with the authority to request that the record be modified or deleted.\n\nIf an organization cannot identify who is responsible for a host record, then there is no assurance that it is valid.  If invalid records are in a zone, then an adversary could potentially use their existence for improper purposes. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-13047",
+      "title": "The name server software on production name servers is not BIND, Windows 2003 or later DNS, or alternatives with equivalent security functionality and support, configured in a manner to satisfy the general security requirements listed in the STIG. ",
+      "description": "If an organization runs DNS name server software other than BIND,  Windows 2003 DNS or later, or an equivalent alternative, such as Infoblox running BIND; it cannot benefit from assurance testing of those implementations of DNS.  As a result, there may be unknown vulnerabilities associated with the alternative product for which there are no compensating controls.  Moreover, there is no detailed security implementation guidance for other name server implementations, which makes it considerably harder to conduct reviews or self assessments.  An incomplete review means that an organization operates at a lower level of assurance than could have been realized with one of the approved products.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13048",
+      "title": "Hosts outside an enclave can directly query or request a zone transfer from a name server that resides on the internal network (i.e., not in a DMZ).",
+      "description": "If external hosts are able to query a name server on the internal network, then there is the potential that an external adversary can obtain information about internal hosts that could assist the adversary in a network attack.  External hosts should never be able to learn about the internal network in this manner.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13050",
+      "title": "The DNS architecture is not documented to include specific roles for each DNS server, the security controls in place, and what networks are able to query each server.",
+      "description": "Without current and accurate documentation, any changes to the network infrastructure may\njeopardize the network’s integrity. To assist in the management, auditing, and security of the\nnetwork, facility drawings and topology maps are a necessity; and those addressing critical network assets, such as the DNS server, are especially important. Topology maps (documentation) are important because they show the overall layout of the network infrastructure and where devices are\nphysically located. They also show the relationship and inter-connectivity between devices and\nwhere possible intrusive attacks (wire taps) could take place.\nAdditionally,  documentation along with diagrams of the network topology are required to be submitted to the Connection Approval Process (CAP) for approval to connect to the NIPRNet or SIPRNet. Depending on the command, service, or activity, additional approval may be required.",
+      "severity": "low"
+    },
+    {
+      "id": "V-13051",
+      "title": "The DNS server software is either installed on or enabled on an operating system that is no longer supported by the vendor.",
+      "description": null,
+      "severity": "high"
+    },
+    {
+      "id": "V-13052",
+      "title": "The SA has not subscribed to ISC's mailing list \"bind announce\" for updates on vulnerabilities and software notifications. ",
+      "description": "Whether running the latest version or software or an earlier version, the administrator should be aware of the vulnerabilities, exploits, security fixes, and patches for the version that is in operation in the enterprise.",
+      "severity": "low"
+    },
+    {
+      "id": "V-13053",
+      "title": "The contents of zones are not reviewed at least annually.",
+      "description": "DNS administrators must review the contents of their zones at least as often as annually for content or aggregation of content that may provide an adversary information that can potentially compromise operational security. This specifically includes names that provide an outsider some indication as to the function of the referenced system unless the function is obvious in the context of other standard DNS information (e.g., naming a DNS server as dns.zone.mil or an SMTP mail server as mail.zone.mil is not an OPSEC violation given that the functions of these servers are easily identifiable during DNS queries). The DNS administrator is the final adjudicator of the sensitivity of DNS information, in concert with the OPSEC processes of the organization, but should make a conscious decision to include such information based on operational need. NIST guidance includes specific guidelines that HINFO, RP and LOC records not be included in the zone.",
+      "severity": "low"
+    },
+    {
+      "id": "V-13313",
+      "title": "The underlying operating system of the DNS server is not in compliance with the appropriate OS STIG.",
+      "description": "A vulnerability in the underlying operating system of a DNS server could potentially impact not only the DNS server but the entire network infrastructure to include the Global Information Grid (GIG). ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13314",
+      "title": "A zone or name server does not have a backup administrator.",
+      "description": "If there is no backup DNS administrator, then there is nobody to assist during a security emergency when the primary administrator is unavailable.  In some cases, a backup administrator can also detect problems introduced by the first administrator before these problems are allowed to propagate.  Personnel redundancy is as important as technology redundancy for the DNS availability.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14763",
+      "title": "The name server software on production name servers is not BIND, Windows 2003 or later DNS, or alternatives with equivalent vendor support, configured in a manner to satisfy the general security requirements listed in the STIG. The only currently approved alternative is CISCO CSS DNS.",
+      "description": "If an organization runs DNS name server software other than BIND, Windows 2003 DNS or later, or an equivalent alternative, it cannot benefit from assurance testing of those implementations of DNS. As a result, there may be unknown vulnerabilities associated with the alternative products for which there are no compensating controls. Moreover, there is no detailed security implementation guidance for other name server implementations, which makes it considerably harder to conduct reviews or self assessments. An incomplete review means that an organization operates at a lower level of assurance than could have been realized with one of the approved products.  Those products without vendor support can not be maintained at relevant security patch levels to assure the product has no vulnerabilities.",
+      "severity": "high"
+    },
+    {
+      "id": "V-4027",
+      "title": "Servers do not employ Host Based Intrusion Detection (HIDS).",
+      "description": "Servers without a HID may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the device. In order to ensure that an attempted or existing attack goes unnoticed, the data from the HID must be monitored continuously.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_domain_name_system_dns_security_requirements_guide.json

@@ -0,0 +1,599 @@
+{
+  "name": "stig_domain_name_system_dns_security_requirements_guide",
+  "date": "2015-01-05",
+  "description": "The DNS Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST SP 800-53 rev 4, NIST SP 800-81 rev 2 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
+  "title": "Domain Name System (DNS) Security Requirements Guide",
+  "version": "2",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-54777",
+      "title": "The DNS implementation must limit the number of concurrent sessions client connections to the number of allowed dynamic update clients.",
+      "description": "Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. \n\nName servers do not have direct user connections but accept client connections for queries. Original restriction on client connections should be high enough to prevent a self-imposed denial of service, after which the connections are monitored and fine-tuned to best meet the organization's specific requirements.\n\nPrimary name servers also make outbound connections to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to only be made to designated secondary name servers. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in DoS to legitimate users. Primary name servers should be configured to limit the hosts from which they will accept dynamic updates.\n\nAdditionally the number of concurrent clients, especially TCP clients, needs to be kept to a level that does not risk placing the system in a DoS state.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54781",
+      "title": "The DNS server implementation must be configured to provide audit record generation capability for DoD-defined auditable events within all DNS server components.",
+      "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuration to trigger the auditing is controlled by the DNS server.\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. \n\nThe DoD has defined the list of events for which the application will provide an audit record generation capability as the following: \n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n\n(iii) All account creation, modification, disabling, and termination actions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54783",
+      "title": "The DNS server implementation must be configured to provide audit record generation capability for DoD-defined auditable events within all DNS server components.",
+      "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuration to trigger the auditing is controlled by the DNS server.\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. \n\nThe DoD has defined the list of events for which the application will provide an audit record generation capability as the following: \n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n\n(iii) All account creation, modification, disabling, and termination actions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54785",
+      "title": "The DNS server implementation must produce audit records containing information to establish what type of events occurred.",
+      "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event occurred, and by whom the event was triggered, in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured DNS implementation. Without log records that aid in the establishment of what types of events occurred and when those events occurred, there is no traceability for forensic or analytical purposes, and the cause of events is severely hindered.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54787",
+      "title": "The DNS server implementation must produce audit records containing information to establish where the events occurred.",
+      "description": "Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident. Associating information about where the event occurred within the application provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured application. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54789",
+      "title": "The DNS server implementation must produce audit records containing information to establish the source of the events.",
+      "description": "Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. Associating information about the source of the event within the application provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured application. \n\nIn addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging. In the case of centralized logging, the source would be the application name accompanied by the host or client name.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54791",
+      "title": "The DNS server implementation must produce audit records that contain information to establish the outcome of the events.",
+      "description": "Without information about the outcome of events, security personnel cannot make an accurate assessment about whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54793",
+      "title": "The DNS server implementation must generate audit records containing information that establishes the identity of any individual or process associated with the event.",
+      "description": "Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\n\nEvent identifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54795",
+      "title": "The DNS server implementations audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.",
+      "description": "Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to assure, in the event of a catastrophic system failure, the audit records will be retained. \n\nThis helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.\n\nThis requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54797",
+      "title": "The DNS server implementation must be configured to prohibit or restrict unapproved ports and protocols.",
+      "description": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the application must support the organizational requirements by providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54799",
+      "title": "The DNS server implementation must uniquely identify the other DNS server before responding to a server-to-server transaction.",
+      "description": "Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG(0)), thus uniquely identifying the other server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54801",
+      "title": "The DNS server implementation, when using PKI-based authentication, must enforce authorized access to the corresponding private key.",
+      "description": "The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. \n\nSIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. So, in cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54803",
+      "title": "The key file must be owned by the account under which the name server software is run.",
+      "description": "To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64-encoded. TSIG is a string used to generate the message authentication hash stored in a TSIG RR and used to authenticate an entire DNS message.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54805",
+      "title": "Read/Write access to the key file must be restricted to the account that runs the name server software only.",
+      "description": "To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64-encoded. TSIG is a string used to generate the message authentication hash stored in a TSIG RR and used to authenticate an entire DNS message.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54807",
+      "title": "A unique TSIG key must be generated for each pair of communicating hosts.",
+      "description": "To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64-encoded. TSIG is a string used to generate the message authentication hash stored in a TSIG RR and used to authenticate an entire DNS message.\n\nThe process of authenticating the source of a message and its integrity through hash-based message authentication codes (HMAC) is specified through a set of DNS specifications known collectively as TSIG. The sender of the message uses the HMAC function to generate a MAC and sends this MAC along with the message to the receiver. The receiver, who shares the same secret key, uses the key and HMAC function used by the sender to compute the MAC on the received message. The receiver then compares the computed MAC with the received MAC; if the two values match, it provides assurance that the message has been received correctly and that the sender belongs to the community of users sharing the same secret key. Thus, message source authentication and integrity verification are performed in a single process. To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64-encoded. TSIG is a string used to generate the message authentication hash stored in a TSIG RR and used to authenticate an entire DNS message.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54809",
+      "title": "Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates.",
+      "description": "The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored off-line (with respect to the Internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. \n\nThis strategy is not feasible in situations in which the DNSSEC-aware name server has to support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) has to have both the zone file master copy and the private key corresponding to the zone-signing key (ZSK-private) online to immediately update the signatures for the updated RRsets. The private key corresponding to the key-signing key (KSK-private) can still be kept off-line.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54811",
+      "title": "Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.",
+      "description": "Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. \n\nSecurity-relevant information includes, for example, file permissions, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, and shut down).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54813",
+      "title": "The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.",
+      "description": "If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. \n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.\n\nThis requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch).\n\nLack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Authorization for access to any network element requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following:\n\n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54815",
+      "title": "A DNS server implementation must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.",
+      "description": "The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objective is to verify the integrity of each response received. An integral part of integrity verification is to ensure that valid data has originated from the right source. Establishing trust in the source is called data origin authentication. \n\nThe security objectives—and consequently the security services—that are required for securing the DNS query/response transaction are data origin authentication and data integrity verification. \n\nThe specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF’s DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54817",
+      "title": "A DNS server implementation must provide the means to indicate the security status of child zones.",
+      "description": "If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down.\n\nA DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to assure the authenticity and integrity of response data. \n\nIn DNS, trust in the public key of the source is established by starting from a trusted name server and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. \n\nA trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and Domain Name System Security Extensions (DNSSEC). \n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor. A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate. In DNS, a trust anchor is a DNSKEY that is placed into a validating resolver so the validator can cryptographically validate the results for a given request back to a known public key (the trust anchor). \n\nAn example means to indicate the security status of child subspaces is through the use of delegation signer (DS) resource records in the DNS.\n\nPath validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Without path validation and a chain of trust, there can be no trust that the data integrity authenticity has been maintained during a transaction.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54819",
+      "title": "The validity period for the RRSIGs covering the DS RR for a zones delegated children must be no less than two days and no more than one week.",
+      "description": "The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing.\n\nTo prevent the impact of a compromised KSK, a delegating parent should set the signature validity period for RRSIGs covering DS RRs in the range of a few days to 1 week. This re-signing does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover should still be performed at regular intervals.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54821",
+      "title": "The DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.",
+      "description": "A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data.\n\nApplication-specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).\n\nApplications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.\n\nWithin the context of DNS, this is applicable in terms of controlling the flow of DNS information between systems, such as DNS zone transfers.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54823",
+      "title": "A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).",
+      "description": "If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down.\n\nA DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to assure the authenticity and integrity of response data.\n\nDNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the delegation signer (DS) resource records in the DNS, the security status of a child domain can be validated.  The DS resource record is used to identify the DNSSEC signing key of a delegated zone.\n\nStarting from a trusted name server (such as the root name server) and down to the current source of response through successive verifications of signature of the public key of a child by its parent, the chain of trust is established. The public key of the trusted name servers is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested RRs but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of a Resource Record (RR) Set. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus.\n\nThis control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service.  Without indication of the security status of a child domain and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be assured.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54825",
+      "title": "The DNS implementation must protect the authenticity of communications sessions for zone transfers.",
+      "description": "DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. \n\nIf communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54827",
+      "title": "The DNS implementation must protect the authenticity of communications sessions for dynamic updates.",
+      "description": "DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54829",
+      "title": "The DNS implementation must protect the authenticity of communications sessions for queries.",
+      "description": "The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of integrity verification is to ensure that valid data has originated from the right source. DNSSEC is required for securing the DNS query/response transaction by providing data origin authentication and data integrity verification through signature verification and the chain of trust.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54831",
+      "title": "The DNS server implementation must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.",
+      "description": "Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Applications or systems that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption of mission-essential processes. \n\nIn general, application security mechanisms should be designed so that a failure will follow the same execution path as disallowing the operation. For example, security methods, such as isAuthorized(), isAuthenticated(), and validate(), should all return false if there is an exception during processing. If security controls can throw exceptions, they must be very clear about exactly what that condition means. \n\nAbort refers to stopping a program or function before it has finished naturally. The term abort refers to both requested and unexpected terminations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54833",
+      "title": "In the event of a system failure, the DNS server implementation must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.",
+      "description": "Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54835",
+      "title": "The DNS server implementation must protect the confidentiality and integrity of secret/private cryptographic keys at rest and the integrity of DNS information at rest.",
+      "description": "Information at rest refers to the state of information when it is located on a secondary storage device within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use.\n\nThe DNS server must protect the confidentiality and integrity of shared keys (for TSIG) and private keys (for SIG(0)) and must protect the integrity of DNS information. There is no need to protect the confidentiality of DNS information because it is accessible by all devices that can contact the server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54837",
+      "title": "The DNS server implementation must prevent unauthorized and unintended information transfer via shared system resources.",
+      "description": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. \n\nThere may be shared resources with configurable protections (e.g., files on storage) that may be assessed on specific information system components. The purpose of this control is to prevent information, produced by the actions of a prior process (or the actions of a process acting on behalf of a prior user) from being available to any current DNS process that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54839",
+      "title": "The DNS server implementation must restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.",
+      "description": "A DoS is a condition where a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.  Individuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber attacks on third parties.\n\nApplications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks.\n\nWhen it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. A DoS attack against the DNS infrastructure has the potential to cause a denial of service to all network users. As the DNS is a distributed backbone service of the Internet, numerous forms of attacks result in DoS, and they are still prevalent on the Internet today. Some potential DoS attacks against the DNS include malformed packet flood, spoofed source addresses, and distributed DoS, and the DNS can be exploited to launch amplification attacks upon other systems.\n\nWhile it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also need to ensure their systems and applications are not used to launch such an attack against others. To that end, a variety of technologies exist to limit the effects of DoS attacks, such as careful configuration of resolver and recursion functionality.\n\nDNS administrators must take the steps needed to ensure other systems and tools cannot use exploits to launch DoS attacks against other systems and networks. An example would be designing the DNS architecture to include mechanisms that throttle DNS traffic and resources so that users/other DNS servers are not able to generate unlimited DNS traffic via the application.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54841",
+      "title": "The DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.",
+      "description": "A DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. \n\nIn the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. \n\nA denial of service (DoS) attack against the DNS infrastructure has the potential to cause a DoS to all network users. As the DNS is a distributed backbone service of the Internet, various forms of amplification attacks resulting in DoS, while utilizing the DNS, are still prevalent on the Internet today. Some potential DoS flooding attacks against the DNS include malformed packet flood, spoofed source addresses, and distributed DoS. Without the DNS, users and systems would not have the ability to perform simple name to IP resolution. \n\nConfiguring the DNS implementation to defend against cache poisoning, employing increased capacity and bandwidth, building redundancy into the DNS architecture, utilizing DNSSEC, limiting and securing recursive services, DNS black holes, etc., may reduce the susceptibility to some flooding types of DoS attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54843",
+      "title": "The DNS server implementation must check the validity of all data inputs except those specifically identified by the organization.",
+      "description": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application. \n\nChecking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.\n\nAttacks may be generated by entering invalid data into DNS transactions, in the hopes that the data will not be handled correctly and will allow a vulnerable condition to be exploited. To safeguard against this, all data entered in untrusted DNS transactions (e.g., DNS queries from external hosts) should be checked for validity before being processed further.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54845",
+      "title": "The DNS server implementation must be configured to generate audit records for failed security verification tests so that the ISSO and ISSM can be notified of the failures.",
+      "description": "Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThe DNS server should be configured to generate audit records whenever a self-test fails. The OS/NDM is responsible for generating notification messages related to this audit record.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54847",
+      "title": "The DNS Name Server software must be configured to refuse queries for its version information.",
+      "description": "Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. Of course, these vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. Thus, it makes good business sense to run the latest version of name server software because theoretically it is the safest version. \n\nIn some installations, it may not be possible to switch over to the latest version of name server software immediately. If the version of the name server software is revealed in queries, this information may be used by attackers who are looking for a specific version of the software which has a discovered weakness. To prevent information about which version of name server software is running on a system, name servers should be configured to refuse queries for its version information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54849",
+      "title": "The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA.",
+      "description": "There are several types of RRs in the DNS that are meant to convey information to humans and applications about the network, hosts, or services. These RRs include the Responsible Person (RP) record, the Host Information (HINFO) record, the Location (LOC) record, and the catch-all text string resource record (TXT) [RFC1035]. Although these record types are meant to provide information to users in good faith, they also allow attackers to gain knowledge about network hosts before attempting to exploit them. For example, an attacker may query for HINFO records, looking for hosts that list an OS or platform known to have exploits. \n\nTherefore, great care should be taken before including these record types in a zone. In fact, they are best left out altogether.\n\nMore careful consideration should be taken with the TXT resource record type. A DNS administrator will have to decide if the data contained in a TXT RR constitutes an information leak or is a necessary piece of information. For example, several authenticated email technologies use TXT RR's to store email sender policy information such as valid email senders for a domain. These judgments will have to be made on a case-by-case basis.\n\nA DNS administrator should take care when including HINFO, RP, TXT, LOC, or other RR types that could divulge information that would be useful to an attacker or the external view of a zone if using split DNS. \n\nRRs such as HINFO and TXT provide information about software name and versions (e.g., for resources such as Web servers and mail servers) that will enable the well-equipped attacker to exploit the known vulnerabilities in those software versions and launch attacks against those resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54851",
+      "title": "The DNS server implementation must be configured to allow DNS administrators to change the auditing to be performed on all DNS server components, based on all selectable event criteria.",
+      "description": "If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours.\n\nFor a DNS server, the actual auditing is performed by the OS/NDM, but the configuration to trigger the auditing is controlled by the DNS server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54853",
+      "title": "The DNS implementation must limit the number of concurrent sessions for zone transfers to the number of secondary name servers.",
+      "description": "Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. \n\nName servers do not have direct user connections but accept client connections for queries. Original restriction on client connections should be high enough to prevent a self-imposed denial of service, after which the connections are monitored and fine-tuned to best meet the organization's specific requirements.\n\nPrimary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to only be made to designated secondary name servers. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in DoS to legitimate users. Primary name servers should be configured to limit the hosts from which they will accept dynamic updates.\n\nAdditionally, the number of concurrent clients, especially TCP clients, needs to be kept to a level that does not risk placing the system in a DoS state.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54855",
+      "title": "The DNS implementation must prohibit recursion on authoritative name servers.",
+      "description": "A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service), or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords. \n\nTo guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.\n\nDNSSEC ensures that the answer received when querying for name resolution actually comes from a trusted name server. Since DNSSEC is still far from being globally deployed external to DoD, and many resolvers either haven’t been updated or don’t support DNSSEC, maintaining cached zone data separate from authoritative zone data mitigates the gap until all DNS data is validated with DNSSEC. \n\nSince DNS forwarding of queries can be accomplished in some DNS applications without caching locally, DNS forwarding is the method to be used when providing external DNS resolution to internal clients.   ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54857",
+      "title": "The DNS server implementation must require devices to re-authenticate for each zone transfer and dynamic update request connection attempt.",
+      "description": "Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nIn addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of devices, including, but not limited to, the following other situations:\n(i) When authenticators change;\n(ii) When roles change;\n(iii) When security categories of information systems change;\n(iv) After a fixed period of time; or\n(v) Periodically.\n\nDNS does perform server authentication when DNSSEC or TSIG/SIG(0) are used, but this authentication is transactional in nature (each transaction has its own authentication performed). So this requirement is applicable for every server-to-server transaction request.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54861",
+      "title": "The DNS server implementation must authenticate the other DNS server before responding to a server-to-server transaction.",
+      "description": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. \n\nThis requirement applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG(0)).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54863",
+      "title": "The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.",
+      "description": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nThis requirement applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG(0)).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54865",
+      "title": "The DNS server implementation, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.",
+      "description": "Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). \n\nSIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. So, in cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54867",
+      "title": "A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.",
+      "description": "The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. This requirement enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. \n\nA DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to assure the authenticity and integrity of response data. \n\nIn the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54869",
+      "title": "A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.",
+      "description": "The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. This requirement enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. \n\nA DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to assure the authenticity and integrity of response data. \n\nIn the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54871",
+      "title": "A DNS server implementation must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.",
+      "description": "The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. This requirement enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. \n\nA DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to assure the authenticity and integrity of response data. \n\nIn the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54873",
+      "title": "A DNS server implementation must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.",
+      "description": "If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data origin authentication must be performed to thwart these types of attacks.\n\nEach client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54875",
+      "title": "A DNS server implementation must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.",
+      "description": "If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks.\n\nEach client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54877",
+      "title": "A DNS server implementation must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.",
+      "description": "If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks.\n\nEach client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54885",
+      "title": "A DNS server implementation must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.",
+      "description": "If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed which would result in query failure or denial of service. Data origin authentication verification must be performed to thwart these types of attacks.\n\nEach client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54887",
+      "title": "If the DNS server is using SIG(0), the DNS server implementation must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected transactions.",
+      "description": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. \n\nSIG(0) relies on PKI-based authentication, so if SIG(0) is being used, this requirement is applicable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54889",
+      "title": "The DNS server implementation must utilize cryptographic mechanisms to prevent unauthorized disclosure of non-DNS data stored on the DNS server.",
+      "description": "Applications handling data requiring \"data-at-rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the confidentiality of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe DNS server must protect the confidentiality of keys (for TSIG/SIG(0) and DNSSEC). There is no need to protect the confidentiality of DNS information because it is accessible by all devices that can contact the server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54891",
+      "title": "The DNS server implementation must protect the integrity of transmitted information.",
+      "description": "Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. \n\nCommunication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nConfidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both digitally sign DNS information to authenticate its source and ensure its integrity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54895",
+      "title": "The DNS server implementation must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).",
+      "description": "Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. \n\nConfidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both digitally sign DNS information to authenticate its source and ensure its integrity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54897",
+      "title": "The DNS server implementation must maintain the integrity of information during preparation for transmission.",
+      "description": "Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nConfidentiality is not an objective of DNS, but integrity is. DNS is responsible for maintaining the integrity of DNS information while it is being prepared for transmission.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54899",
+      "title": "The DNS server implementation must maintain the integrity of information during reception.",
+      "description": "Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nConfidentiality is not an objective of DNS, but integrity is. DNS is responsible for maintaining the integrity of DNS information while it is being received.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54901",
+      "title": "The DNS server implementation must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.",
+      "description": "A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input. \n\nAttacks may be generated by entering invalid data into DNS transactions, in the hopes that the data will not be handled correctly and will allow a vulnerable condition to be exploited. To safeguard against this, all untrusted data entered in DNS transactions (e.g., DNS queries) should be checked for validity before being processed further.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54903",
+      "title": "The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.",
+      "description": "Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel).\n\nIf a component such as the DNSSEC or TSIG/SIG(0) signing capabilities were to fail, the DNS server should shut itself down to prevent continued execution without the necessary security components in place. Transactions such as zone transfers would not be able to work correctly anyway in this state.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54905",
+      "title": "The DNS server implementation must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.",
+      "description": "Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Without verification, security functions may not operate correctly and this failure may go unnoticed. \n\nNotifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights.\n\nThe DNS server should perform self-tests, such as at server start-up, to confirm that its security functions are working properly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54907",
+      "title": "The DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.",
+      "description": "Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. \n\nIf anomalies are not acted upon, security functions may fail to secure the system. \n\nThe DNS server does not have the capability of shutting down or restarting the information system. The DNS server can be configured to generate audit records when anomalies are discovered, and the OS/NDM can then trigger notification messages to the system administrator based on the presence of those audit records.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54909",
+      "title": "The DNS implementation must generate audit records for the success and failure of start and stop of the name server service or daemon.",
+      "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event occurred, and by whom the event was triggered, in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, to recognize resource utilization or capacity thresholds, or to simply identify an improperly configured DNS system. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54911",
+      "title": "The DNS implementation must generate audit records for the success and failure of all name server events.",
+      "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event occurred, and by whom the event was triggered, in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured DNS system. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54915",
+      "title": "The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.",
+      "description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54917",
+      "title": "The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.",
+      "description": "NSEC3 RRs contain other options than just the (hashed) next name and RRType bitmap. There are also 2 values associated with the NSEC3 RR: the iterations (number of times each name is hashed) and the salt (string appended to each name before hashing). These values are configurable during signing and are used to increase the work necessary by an attacker. Both values should be changed on a regular basis to maintain protection against zone enumeration.\n\nThe salt value should be changed every time the entire zone is re-signed. The salt value should be a random string with a length small enough to ensure that appending the salt value to the domain name does not result in a FQDN considered too long for the DNS protocol (a single label in the DNS protocol can be 256 octets). A value between 1 - 15 octets would be acceptable for the majority of cases. Note that zones that are dynamically re-signed as needed may not be able to change the salt for NSEC3 RRs as an automatic process. In these cases, the salt rollover procedure is similar to the key algorithm rollover procedure in that the NSEC3 RR chain with the new salt is generated first (ending with the NSEC3PARAM RR) before removing the old (outgoing) NSEC3 chain.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54919",
+      "title": "The validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days and no more than one week.",
+      "description": "The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing.\n\nTo minimize the impact of a compromised ZSK, a zone administrator should set a signature validity period of 1 week for RRSIGs covering the DNSKEY RRSet in the zone (the RRSet that contains the ZSK and KSK for the zone). The DNSKEY RRSet can be re-signed without performing a ZSK rollover, but scheduled ZSK rollover should still be performed at regular intervals.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54921",
+      "title": "NSEC3 must be used for all internal DNS zones.",
+      "description": "To ensure that RRs associated with a query are really missing in a zone file and have not been removed in transit, the DNSSEC mechanism provides a means for authenticating the nonexistence of an RR. It generates a special RR called an NSEC (or NSEC3) RR that lists the RRTypes associated with an owner name as well as the next name in the zone file. It sends this special RR, along with its signatures, to the resolving name server. By verifying the signature, a DNSSEC-aware resolving name server can determine which authoritative owner name exists in a zone and which authoritative RRTypes exist at those owner names.\n\nIETF's design criteria consider DNS data to be public. Confidentiality is not one of the security goals of DNSSEC. DNSSEC is not designed to directly protect against denial-of-service threats but does so indirectly by providing message integrity and source authentication. An artifact of how DNSSEC performs negative responses allows a client to map all the names in a zone (zone walking). \n\nA zone which contains zone data that the administrator does not want to be made public should use the NSEC3 RR option for providing authenticated denial of existence.\n\n\n\nIf DNSSEC is enabled for a server, the ability to verify a particular server which may attempt to update the DNS server actually exists. This is done through the use of NSEC3 records to provide an \"authenticated denial of existence\" for specific systems whose addresses indicate that they lie within a particular zone.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54923",
+      "title": "The DNS implementation must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.",
+      "description": "Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary's name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. The list of slave servers must remain current within 72 hours of any changes to the zone architecture that would affect the list of slaves. If a slave server has been retired or is not operational but remains on the list, then an adversary might have a greater opportunity to impersonate that slave without detection, rather than if the slave were actually online. For example, the adversary may be able to spoof the retired slave's IP address without an IP address conflict, which would not be likely to occur if the true slave were active.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54925",
+      "title": "The two files generated by the dnssec-keygen program must be made accessible only to the server administrator account, or deleted, after they have been copied to the key file in the name server.",
+      "description": "To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64-encoded. ATSIG is a string used to generate the message authentication hash stored in a TSIG RR and used to authenticate an entire DNS message.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54927",
+      "title": "All authoritative name servers for a zone must be located on different network segments.",
+      "description": "Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on different network segments. This dispersion ensures the availability of an authoritative name server not only in situations in which a particular router or switch fails but also during events involving an attack on an entire network segment.\n\nA network administrator may choose to use a \"hidden\" master authoritative server and only have secondary servers visible on the network. A hidden master authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. If the master authoritative name server is \"hidden\", a secondary authoritative name server may reside on the same network as the hidden master.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54929",
+      "title": "All authoritative name servers for a zone must have the same version of zone information.",
+      "description": "The only protection approach for content control of DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checking using a zone file integrity checker depends upon the database of constraints built into the checker. The deployment process consists of developing these constraints with the right logic, and the only determinant of the truth value of these logical predicates is the parameter values for certain key fields in the format of various RRTypes.\n\nThe serial number in the SOA RDATA is used to indicate to secondary name servers that a change to the zone has occurred and a zone transfer should be performed. It should always be increased whenever a change is made to the zone data. DNS NOTIFY must be enabled on the master authoritative name server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54931",
+      "title": "An authoritative name server must be configured to enable DNSSEC Resource Records.",
+      "description": "The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF's DNSSEC standard.  In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. DNSSEC mechanisms involve two main processes: sign and serve, and verify signature.\n\nBefore a DNSSEC-signed zone can be deployed, a name server must be configured to enable DNSSEC processing.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54933",
+      "title": "For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.",
+      "description": "Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. \n\nExternal clients need to receive RRs that pertain only to public services (public Web server, mail server, etc.) \n\nInternal clients need to receive RRs pertaining to public services as well as internal hosts. \n\nThe zone information that serves the RRs on both the inside and the outside of a firewall should be split into different physical files for these two types of clients (one file for external clients and one file for internal clients).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54935",
+      "title": "In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.",
+      "description": "Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. \n\nOne set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve RRs pertaining to hosts with public services (Web servers that serve external Web pages or provide B2C services, mail servers, etc.) \n\nThe other set, called internal name servers, is to be located within the firewall and should be configured so they are not reachable from outside and hence provide naming services exclusively to internal clients.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54937",
+      "title": "In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.",
+      "description": "Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. \n\nOne set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve RRs pertaining to hosts with public services (Web servers that serve external Web pages or provide B2C services, mail servers, etc.) \n\nThe other set, called internal name servers, is to be located within the firewall and should be configured so they are not reachable from outside and hence provide naming services exclusively to internal clients.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54939",
+      "title": "Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.",
+      "description": "Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of-service threat and potential exploits from unrestricted dissemination of information about internal resources. Based on the need-to-know, the only name servers that need to refresh their zone files periodically are the secondary name servers. Zone transfer from primary name servers should be restricted to secondary name servers. The zone transfer should be completely disabled in the secondary name servers. The address match list argument for the allow-transfer substatement should consist of IP addresses of secondary name servers and stealth secondary name servers.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54941",
+      "title": "The DNS implementation must be conformant to the IETF DNS specification.",
+      "description": "Any DNS implementation must be designed to be able to conform to the Internet Engineering Task Force (IETF) specification. DoD utilizes many different DNS servers, and it is essential that core capabilities of all are compatible. DNS servers that do not provide services compliant to the DNS RFCs may cause denial of service issues.\n\nThe server must be compliant to the IETF standard so as to provide the right balance between performance and integrity of the DNS system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54943",
+      "title": "The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.",
+      "description": "Discretionary Access Control (DAC) is based on the premise that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. In a DNS implementation, DAC should be granted to a minimal number of individuals and objects because DNS does not interact directly with users and users do not store and share data with the DNS application directly.\n\nThe primary objective of DNS authentication and access control is the integrity of DNS records; only authorized personnel must be able to create and modify resource records, and name servers should only accept updates from authoritative master servers for the relevant zones. Integrity is best assured through authentication and access control features within the name server software and the file system the name server resides on. In order to protect the zone files and configuration data, which should only be accessed by the name service or an administrator, access controls need to be implemented on files, and rights should not be easily propagated to other users. Lack of a stringent access control policy places the DNS infrastructure at risk to malicious persons and attackers, in addition to potential denial of service to network resources.\n\nDAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. DAC models have the potential for the access controls to propagate without limit, resulting in unauthorized access to said objects.\n\nWhen applications provide a DAC mechanism, the DNS implementation must be able to limit the propagation of those access rights.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54945",
+      "title": "The DNS implementation must implement internal/external role separation.",
+      "description": "DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks, including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization using address ranges, explicit access control lists, etc. In order to protect internal DNS resource information, it is important to isolate the requests to internal DNS servers. Separating internal and external roles in DNS prevents address space that is private (e.g., 10.0.0.0/24) or is otherwise concealed by some form of Network Address Translation from leaking into the public DNS system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54947",
+      "title": "The DNS must utilize valid root name servers in the local root zone file.",
+      "description": "All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients. When authoritative servers are sent queries for zones that they are not authoritative for, and they are configured as a non-caching server (as recommended), they can either be configured to return a referral to the root servers or they can be configured to refuse to answer the query. The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources doing what its intended purpose is, answering authoritatively for its zone.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54949",
+      "title": "The DNS name server software must be at the latest version.",
+      "description": "Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. These vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. It makes good business sense to run the latest version of name server software because theoretically it is the safest version. Even if the software is the latest version, it is not safe to run it in default mode. The security administrator should always configure the software to run in the recommended secure mode of operation after becoming familiar with the new security settings for the latest version.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54951",
+      "title": "The DNS Name Server software must run with restricted privileges.",
+      "description": "Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. \n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).\n\nIf the name server software is run as a privileged user (e.g., root in Unix systems), any break-in into the software can have disastrous consequences in terms of resources resident in the name server platform. Specifically, a hacker who breaks into the software acquires unrestricted access and therefore can execute any commands or modify or delete any files. It is necessary to run the name server software as a non-privileged user with access restricted to specified directories to contain damages resulting from break-in.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54953",
+      "title": "The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.",
+      "description": "A hidden master authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone.  All of the name servers that do appear in the zone database as designated name servers get their zone data from the hidden master via a zone transfer request. In effect, all visible name servers are actually secondary slave servers. This prevents potential attackers from targeting the master name server because its IP address may not appear in the zone database.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54955",
+      "title": "The platform on which the name server software is hosted must be configured to respond to DNS traffic only.",
+      "description": "OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD), based on identified vulnerabilities that pertain to the application profile into which the name server software fits, should be always followed. In particular, hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts should be 53/udp and 53/tcp. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker's guessing the outgoing message port and sending forged replies.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54957",
+      "title": "The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.",
+      "description": "OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD), based on identified vulnerabilities that pertain to the application profile into which the name server software fits, should be always followed. In particular, hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts should be 53/udp and 53/tcp. \n\nOutgoing DNS messages should be sent from a random port to minimize the risk of an attacker guessing the outgoing message port and sending forged replies.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54959",
+      "title": "The private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must have appropriate directory/file-level access control list-based or cryptography-based protections.",
+      "description": "The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored off-line (with respect to the Internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. \n\nThis strategy is not feasible in situations in which the DNSSEC-aware name server has to support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) has to have both the zone file master copy and the private key corresponding to the zone-signing key (ZSK-private) online to immediately update the signatures for the updated RRsets. The private key corresponding to the key-signing key (KSK-private) can still be kept off-line.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54961",
+      "title": "The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.",
+      "description": "The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored off-line (with respect to the Internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. \n\nThis strategy is not feasible in situations in which the DNSSEC-aware name server has to support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) has to have both the zone file master copy and the private key corresponding to the zone-signing key (ZSK-private) online to immediately update the signatures for the updated RRsets. The private key corresponding to the key-signing key (KSK-private) can still be kept off-line.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54963",
+      "title": "A zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.",
+      "description": "If a name server were able to claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this environment, an adversary could use illicit control of a name server to impact IP address resolution beyond the scope of that name server (i.e., by claiming authority for records outside of that server's zones). Fortunately, all but the oldest versions of BIND and most other DNS implementations do not allow for this behavior. Nevertheless, the best way to eliminate this risk is to eliminate from the zone files any records for hosts in another zone.\n\nThe exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms.  In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54965",
+      "title": "CNAME records must not point to a zone with lesser security for more than six months.",
+      "description": "The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers and thus compounds the vulnerability.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54967",
+      "title": "All authoritative name servers for a zone must be geographically disbursed.",
+      "description": "In addition to network-based dispersion, authoritative name servers should be dispersed geographically as well. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located within the same building. One approach that some organizations follow is to locate some authoritative name servers in their own premises and others in their ISPs' data centers or in partnering organizations.\n\nA network administrator may choose to use a \"hidden\" master authoritative server and only have secondary servers visible on the network. A hidden master authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone.  If the master authoritative name server is \"hidden\", a secondary authoritative name server may reside in the same building as the hidden master.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54969",
+      "title": "The DNS server implementation must, when a component failure is detected, activate a notification to the system administrator.",
+      "description": "Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepared and the application must support requirements that specify if the application must alarm for such conditions and/or automatically shut down the application or the system. \n\nThis can include conducting a graceful application shutdown to avoid losing information. Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures.\n\nIf a component such as the DNSSEC or TSIG/SIG(0) signing capabilities were to fail, the DNS server should shut itself down to prevent continued execution without the necessary security components in place. Transactions such as zone transfers would not be able to work correctly anyway in this state.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54971",
+      "title": "The DNS server implementation must strongly bind the identity of the DNS server with the DNS information.",
+      "description": "Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated.\n\nThis requirement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations and/or data owners determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors.\n\nDNSSEC and TSIG/SIG(0) both use digital signatures to establish the identity of the producer of particular pieces of information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54973",
+      "title": "The DNS server implementation must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.",
+      "description": "Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identifying the validity of information may be delayed or deterred.\n\nThis requirement provides organizational personnel with the means to identify who produced specific information in the event of an information transfer. DNSSEC and TSIG/SIG(0) both use digital signatures to establish the identity of the producer of particular pieces of information. These signatures can be examined and verified to determine the identity of the producer of the information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54975",
+      "title": "The DNS server implementation must validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer).",
+      "description": "Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically.\n\nDNSSEC and TSIG/SIG(0) technologies are not effective unless the digital signatures they generate are validated to ensure that the information has not been tampered with and that the producer's identity is legitimate.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54977",
+      "title": "In the event of an error when validating the binding of another DNS servers identity to the DNS information, the DNS server implementation must log the event and send notification to the DNS administrator.",
+      "description": "Failing to act on the validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically.\n\nAt a minimum, the application must log the validation error. However, more stringent actions can be taken based on the security posture and value of the information. The organization should consider the system's environment and impact of the errors when defining the actions. Additional examples of actions include automated notification to administrators, halting system process, or halting the specific operation.\n\nThe DNS server should audit all failed attempts at server authentication through DNSSEC and TSIG/SIG(0). The actual auditing is performed by the OS/NDM but the configuration to trigger the auditing is controlled by the DNS server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54979",
+      "title": "Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.",
+      "description": "The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) [FIPS186] provides three algorithm choices:\n* Digital Signature Algorithm (DSA)\n* RSA\n* Elliptic Curve DSA (ECDSA).\nOf these three algorithms, RSA and DSA are more widely available and hence are considered candidates of choice for DNSSEC. In terms of performance, both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. Hence, RSA is the recommended algorithm as far as this guideline is concerned. RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (i.e. RSA/SHA-256, ECDSA) are also specified. It can be expected that name servers and clients will be able to use the RSA algorithm at the minimum. It is suggested that at least one ZSK for a zone use the RSA algorithm.\nNIST's Secure Hash Standard (SHS) (FIPS 180-3) specifies SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 as approved hash algorithms to be used as part of the algorithm suite for generating digital signatures using the digital signature algorithms in NIST's DSS[FIPS186]. It is expected that there will be support for Elliptic Curve Cryptography in the DNSSEC. The migration path for USG DNSSEC operation will be to ECDSA (or similar) from RSA/SHA-1 and RSA/SHA-256 before September 30th, 2015.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-55225",
+      "title": "The DNS server implementation must produce audit records containing information to establish when (date and time) the events occurred.",
+      "description": "Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident. \n\nAssociating event types with detected events in the application and audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured application. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-55227",
+      "title": "The DNS server implementation must utilize cryptographic mechanisms to prevent unauthorized modification of DNS zone data.",
+      "description": "Applications handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe DNS server must protect the integrity of keys (for TSIG/SIG(0) and DNSSEC) and DNS information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-55229",
+      "title": "The DNS server implementation must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",
+      "description": "Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.\n\nConfiguring the DNS server implementation to follow organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.",
+      "severity": "medium"
+    }
+  ]
+}