| Vulnerability ID | Severity | Description |
|---|---|---|
| V-263646 | Medium | The DNS server implementation must compare the internal system clocks on an organization-defined ... |
| V-205215 | High | The DNS server implementation must utilize cryptographic mechanisms to prevent unauthorized discl... |
| V-205214 | High | The DNS server implementation must utilize cryptographic mechanisms to prevent unauthorized modif... |
| V-205216 | High | The DNS server implementation must protect the integrity of transmitted information. |
| V-263645 | Medium | The DNS server implementation must synchronize system clocks within and between systems or system... |
| V-263644 | Medium | The DNS server implementation must provide protected storage for cryptographic keys with organiza... |
| V-263643 | Medium | The DNS server implementation must include only approved trust anchors in trust stores or certifi... |
| V-263642 | Medium | The DNS server implementation must protect nonlocal maintenance sessions by separating the mainte... |
| V-263641 | Medium | The DNS server implementation must, for public key-based authentication, implement a local cache ... |
| V-263640 | Medium | The DNS server implementation must, for password-based authentication, enforce organization-defin... |
| V-263639 | Medium | The DNS server implementation must, for password-based authentication, employ automated tools to ... |
| V-263638 | Medium | The DNS server implementation must, for password-based authentication, allow user selection of lo... |
| V-263637 | Medium | The DNS server implementation must, for password-based authentication, require immediate selectio... |
| V-263636 | Medium | The DNS server implementation must, for password-based authentication, store passwords using an a... |
| V-263635 | Medium | The DNS server implementation must, for password-based authentication, verify when users create o... |
| V-263634 | Medium | The DNS server implementation must, for password-based authentication, update the list of passwor... |
| V-263633 | Medium | The DNS server implementation must, for password-based authentication, update the list of passwor... |
| V-263632 | Medium | The DNS server implementation must, for password-based authentication, maintain a list of commonl... |
| V-263631 | Medium | The DNS server implementation must implement multifactor authentication for local; network; and/o... |
| V-263630 | Medium | The DNS server implementation must implement multifactor authentication for local; network; and/o... |
| V-263629 | Medium | The DNS server implementation must require users to be individually authenticated before granting... |
| V-263628 | Medium | The DNS server implementation must prevent the installation of organization-defined software and ... |
| V-263627 | Medium | The DNS server implementation must automatically generate audit records of the enforcement actions. |
| V-263626 | Medium | The DNS server implementation must alert organization-defined personnel or roles upon detection o... |
| V-263625 | Medium | The DNS server implementation must implement the capability to centrally review and analyze audit... |
| V-263624 | Medium | The DNS server implementation must disable accounts when the accounts are no longer associated to... |
| V-263623 | Medium | The DNS server implementation must disable accounts when the accounts have expired. |
| V-220317 | Medium | All authoritative name servers for a zone must be geographically disbursed. |
| V-220316 | Medium | A unique TSIG key must be generated for each pair of communicating hosts. |
| V-205253 | Medium | The DNS server implementation must be configured in accordance with the security configuration se... |
| V-205252 | Medium | CNAME records must not point to a zone with lesser security for more than six months. |
| V-205251 | Medium | A zone file must not include resource records that resolve to a fully qualified domain name resid... |
| V-205250 | Medium | The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware p... |
| V-205249 | Medium | The private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must ... |
| V-205248 | Medium | The platform on which the name server software is hosted must be configured to send outgoing DNS ... |
| V-205247 | Medium | The platform on which the name server software is hosted must be configured to respond to DNS tra... |
| V-205246 | Medium | The IP address for hidden master authoritative name servers must not appear in the name servers s... |
| V-205245 | Medium | The DNS Name Server software must run with restricted privileges. |
| V-205244 | Medium | The DNS name server software must be at the latest version. |
| V-205243 | Medium | The DNS must utilize valid root name servers in the local root zone file. |
| V-205242 | Medium | The DNS implementation must implement internal/external role separation. |
| V-205241 | Medium | The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propa... |
| V-205240 | Medium | The DNS implementation must be conformant to the IETF DNS specification. |
| V-205239 | Medium | Primary authoritative name servers must be configured to only receive zone transfer requests from... |
| V-205238 | Medium | In a split DNS configuration, where separate name servers are used between the external and inter... |
| V-205237 | Medium | In a split DNS configuration, where separate name servers are used between the external and inter... |
| V-205236 | Medium | For zones split between the external and internal sides of a network, the RRs for the external ho... |
| V-205235 | Medium | Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. |
| V-205234 | Medium | An authoritative name server must be configured to enable DNSSEC Resource Records. |
| V-205233 | Medium | All authoritative name servers for a zone must have the same version of zone information. |
| V-205232 | Medium | All authoritative name servers for a zone must be located on different network segments. |
| V-205231 | Medium | The two files generated by the dnssec-keygen program must be made accessible only to the server a... |
| V-205230 | Medium | The DNS implementation must ensure each NS record in a zone file points to an active name server ... |
| V-205229 | Medium | NSEC3 must be used for all internal DNS zones. |
| V-205228 | Medium | The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days an... |
| V-205227 | Medium | The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely... |
| V-205226 | Medium | The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signature... |
| V-205225 | Medium | The DNS implementation must generate audit records for the success and failure of all name server... |
| V-205224 | Medium | The DNS implementation must generate audit records for the success and failure of start and stop ... |
| V-205223 | Medium | The DNS server implementation must log the event and notify the system administrator when anomali... |
| V-205222 | Medium | The DNS server implementation must perform verification of the correct operation of security func... |
| V-205221 | Medium | The DNS server implementation must follow procedures to re-role a secondary name server as the ma... |
| V-205220 | Medium | The DNS server implementation must behave in a predictable and documented manner that reflects or... |
| V-205219 | Medium | The DNS server implementation must maintain the integrity of information during reception. |
| V-205218 | Medium | The DNS server implementation must maintain the integrity of information during preparation for t... |
| V-205217 | Medium | The DNS server implementation must implement cryptographic mechanisms to detect changes to inform... |
| V-205213 | Medium | If the DNS server is using SIG(0), the DNS server implementation must only allow the use of DoD P... |
| V-205212 | Medium | A DNS server implementation must perform data origin verification authentication on the name/addr... |
| V-205211 | Medium | A DNS server implementation must perform data integrity verification on the name/address resoluti... |
| V-205210 | Medium | A DNS server implementation must request data integrity verification on the name/address resoluti... |
| V-205209 | Medium | A DNS server implementation must request data origin authentication verification on the name/addr... |
| V-205208 | Medium | A DNS server implementation must provide additional integrity artifacts along with the authoritat... |
| V-205207 | Medium | A DNS server implementation must provide data integrity protection artifacts for internal name/ad... |
| V-205206 | Medium | A DNS server implementation must provide data origin artifacts for internal name/address resoluti... |
| V-205205 | Medium | The DNS server implementation, for PKI-based authentication, must implement a local cache of revo... |
| V-205204 | Medium | The DNS server implementation must authenticate another DNS server before establishing a remote a... |
| V-205203 | Medium | The DNS server implementation must authenticate the other DNS server before responding to a serve... |
| V-205201 | Medium | The DNS implementation must prohibit recursion on authoritative name servers. |
| V-205199 | Medium | In the event of an error when validating the binding of another DNS server's identity to the DNS i... |
| V-205198 | Medium | The DNS server implementation must validate the binding of the other DNS server's identity to the ... |
| V-205197 | Medium | The DNS server implementation must provide the means for authorized individuals to determine the ... |
| V-205196 | Medium | The DNS server implementation must strongly bind the identity of the DNS server with the DNS info... |
| V-205193 | Medium | The DNS server implementation must be configured to generate audit records for failed security ve... |
| V-205192 | Medium | The DNS server implementation must, when a component failure is detected, activate a notification... |
| V-205191 | Medium | The DNS server implementation must check the validity of all data inputs except those specificall... |
| V-205190 | Medium | The DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limi... |
| V-205189 | Medium | The DNS server implementation must restrict the ability of individuals to use the DNS server to l... |
| V-205188 | Medium | The DNS server implementation must prevent unauthorized and unintended information transfer via s... |
| V-205187 | Medium | The DNS server implementation must protect the confidentiality and integrity of secret/private cr... |
| V-205186 | Medium | In the event of a system failure, the DNS server implementation must preserve any information nec... |
| V-205185 | Medium | The DNS server implementation must fail to a secure state if system initialization fails, shutdow... |
| V-205184 | Medium | The DNS implementation must protect the authenticity of communications sessions for queries. |
| V-205183 | Medium | The DNS implementation must protect the authenticity of communications sessions for dynamic updates. |
| V-205182 | Medium | The DNS implementation must protect the authenticity of communications sessions for zone transfers. |
| V-205180 | Medium | A DNS server implementation must provide the means to enable verification of a chain of trust amo... |
| V-205179 | Medium | The DNS server implementation must enforce approved authorizations for controlling the flow of in... |
| V-205178 | Medium | The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no l... |
| V-205177 | Medium | A DNS server implementation must provide the means to indicate the security status of child zones. |
| V-205176 | Medium | A DNS server implementation must provide additional data origin artifacts along with the authorit... |
| V-205175 | Medium | The DNS server implementation must employ strong authenticators in the establishment of nonlocal ... |
| V-205174 | Medium | Signature generation using the KSK must be done off-line, using the KSK-private stored off-line. |
| V-205173 | Medium | Only the private key corresponding to the ZSK alone must be kept on the name server that does sup... |
| V-205172 | Medium | Read/Write access to the key file must be restricted to the account that runs the name server sof... |
| V-205171 | Medium | The key file must be owned by the account under which the name server software is run. |
| V-205170 | Medium | The DNS server implementation, when using PKI-based authentication, must enforce authorized acces... |
| V-205169 | Medium | The DNS server implementation must uniquely identify the other DNS server before responding to a ... |
| V-205168 | Medium | The DNS server implementation must be configured to prohibit or restrict unapproved ports and pro... |
| V-205167 | Medium | The DNS server implementation's audit records must be backed up at least every seven days onto a d... |
| V-205166 | Medium | The DNS server implementation must generate audit records containing information that establishes... |
| V-205165 | Medium | The DNS server implementation must produce audit records that contain information to establish th... |
| V-205164 | Medium | The DNS server implementation must produce audit records containing information to establish the ... |
| V-205163 | Medium | The DNS server implementation must produce audit records containing information to establish wher... |
| V-205162 | Medium | The DNS server implementation must produce audit records containing information to establish when... |
| V-205161 | Medium | The DNS server implementation must produce audit records containing information to establish what... |
| V-205160 | Medium | The DNS server implementation must be configured to provide audit record generation capability fo... |
| V-205159 | Medium | The DNS server implementation must be configured to provide audit record generation capability fo... |
| V-205158 | Medium | The DNS implementation must limit the number of concurrent sessions client connections to the num... |
| V-205157 | Medium | The DNS implementation must limit the number of concurrent sessions for zone transfers to the num... |