| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-259345 | CAT II | MONT-DC-003 | Microsoft Windows Server Domain Name Sys... | The validity period for the Resource Record Signat... | - | |||
Check Text: Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or Windows DNS Servers on a classified network.

1. Log on to the DNS server using the account designated as Administrator or DNS Administrator.
2. Press the Windows key + R and execute "dnsmgmt.msc".
3. On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
4. From the expanded list, click to select the zone.
5. Right-click the zone and select DNSSEC >> Properties.
6. Select the "KSK" tab. Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours.
7. Select the "ZSK" tab. Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours.

If either the "KSK" or "ZSK" tab "DNSKEY signature validity period (hours):" values are set to less than 48 hours or more than 168 hours, this is a finding.

Fix Text:

1. Log on to the DNS server using the account designated as Administrator or DNS Administrator.
2. Press the Windows key + R and execute "dnsmgmt.msc".
3. On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
4. From the expanded list, click to select the zone.
5. Right-click the zone and select DNSSEC >> Properties.
6. Select the "KSK" tab. For the "DNSKEY RRSET signature validity period (hours):" setting, configure to a value between 48 and 168 hours.
7. Select the "ZSK" tab. For the "DNSKEY signature validity period (hours):" setting, configure to a value between 48 and 168 hours.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D

All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl
Scan Date: 2026-01-14T12:57:38.179760
Technology Area: Domain Name System