CUI

Vulnerability V-259345


CAT II

The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.

Ships Affected: 1
Total Findings: 1
Open: 0
Closed: 0

Check Text

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones, or for Windows DNS Servers on a classified network.

1. Log on to the DNS server using the account designated as Administrator or DNS Administrator.
2. Press the Windows key + R and execute "dnsmgmt.msc".
3. In the DNS Manager snap-in, expand the server name in the left pane, then expand "Forward Lookup Zones".
4. Select the zone from the expanded list, right-click it, and select DNSSEC >> Properties.
5. On the "KSK" tab, verify that "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours.
6. On the "ZSK" tab, verify that "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours.

If the "DNSKEY signature validity period (hours):" value on either the "KSK" or the "ZSK" tab is less than 48 hours or more than 168 hours, this is a finding.

Fix Text

1. Log on to the DNS server using the account designated as Administrator or DNS Administrator.
2. Press the Windows key + R and execute "dnsmgmt.msc".
3. In the DNS Manager snap-in, expand the server name in the left pane, then expand "Forward Lookup Zones".
4. Select the zone from the expanded list, right-click it, and select DNSSEC >> Properties.
5. On the "KSK" tab, set "DNSKEY RRSET signature validity period (hours):" to a value between 48 and 168 hours.
6. On the "ZSK" tab, set "DNSKEY signature validity period (hours):" to a value between 48 and 168 hours.
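The same check and fix can be done without clicking through dnsmgmt.msc on every zone. The KSK and ZSK dialogs label the field slightly differently (the Fix Text shows "DNSKEY RRSET signature validity period" for the KSK), but both correspond to the DnsKeySignatureValidityPeriod property that Get-DnsServerSigningKey returns for each key. The window matters because the RRSIG over the DNSKEY RRset is what validators use to trust the zone's keys: a validity period that is too long lets a stale or compromised signature be replayed for longer, while one that is too short leaves little margin for a missed re-signing before resolvers start returning SERVFAIL for the zone. The script below is an added example written for this page; it is not part of the STIG or of the checklist tooling. It assumes the DnsServer PowerShell module (RSAT-DNS-Server) is installed, that it runs under a DNS Administrator account, and that 168 hours is an acceptable remediation value for your zones (the STIG only requires a value between 48 and 168). It walks every signed primary zone on the server, reverse lookup zones included, which is broader than the forward-lookup walk in the Check Text; the classified-network exemption cannot be detected programmatically and still has to be applied by hand.

```powershell
#Requires -Modules DnsServer
# Added example for V-259345 (not the STIG's or the page's own code).
# Audits the DNSKEY signature validity period of every KSK and ZSK on a
# Windows DNS server and, with -Remediate, sets non-compliant keys to
# $RemediateHours. Assumes the DnsServer module and a DNS Administrator session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$MinHours = 48,           # lower bound from the STIG (2 days)
    [int]$MaxHours = 168,          # upper bound from the STIG (1 week)
    [int]$RemediateHours = 168,    # assumption: value written by -Remediate
    [switch]$Remediate
)

# Ignore the auto-created zones (e.g. the loopback reverse zones).
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { -not $_.IsAutoCreated }

# The STIG marks this check Not Applicable when the server hosts only
# Active Directory-integrated zones.
if (-not ($zones | Where-Object { -not $_.IsDsIntegrated })) {
    Write-Output "NOT APPLICABLE: $ComputerName hosts only Active Directory-integrated zones."
    return
}

$findings = @()
$signedZones = $zones | Where-Object { $_.ZoneType -eq 'Primary' -and $_.IsSigned }

foreach ($zone in $signedZones) {
    # One object per signing key; KeyType distinguishes the KSK from the ZSK.
    foreach ($key in Get-DnsServerSigningKey -ComputerName $ComputerName -ZoneName $zone.ZoneName) {
        $hours  = $key.DnsKeySignatureValidityPeriod.TotalHours
        $status = if ($hours -ge $MinHours -and $hours -le $MaxHours) { 'Pass' } else { 'Open' }

        $findings += [pscustomobject]@{
            Zone    = $zone.ZoneName
            KeyType = $key.KeyType
            KeyId   = $key.KeyId
            Hours   = $hours
            Status  = $status
        }

        if ($status -eq 'Open' -and $Remediate -and
            $PSCmdlet.ShouldProcess("$($zone.ZoneName) $($key.KeyType) $($key.KeyId)",
                                    "Set DNSKEY signature validity period to $RemediateHours hours")) {
            # Same setting the Fix Text changes in the KSK/ZSK tabs, applied per key.
            Set-DnsServerSigningKey -ComputerName $ComputerName -ZoneName $zone.ZoneName `
                -KeyId $key.KeyId `
                -DnsKeySignatureValidityPeriod (New-TimeSpan -Hours $RemediateHours)
        }
    }
}

$findings | Format-Table -AutoSize

if (-not $findings) {
    Write-Output "No DNSSEC-signed primary zones found on $ComputerName; nothing to evaluate."
} elseif ($findings.Status -contains 'Open') {
    Write-Output "FINDING: one or more keys have a DNSKEY signature validity period outside $MinHours-$MaxHours hours."
} else {
    Write-Output "PASS: all KSK and ZSK DNSKEY signature validity periods are within $MinHours-$MaxHours hours."
}
```

Run it without switches to produce the per-key evidence for the checklist; add -Remediate -WhatIf to preview the Set-DnsServerSigningKey calls, then -Remediate to apply them. Unsigned zones are skipped rather than reported, since this rule only concerns the RRSIGs of a signed zone; whether a zone must be signed at all is covered by other rules in the same STIG.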

STIG Reference

STIG: Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
Version: 2
Release: 4
Rule ID: SV-259345r961863_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship: USNS MONTFORD POINT
Hull #: T-ESD-1
Source File: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl
Assigned To: Unassigned
Scan Date: 2026-01-14T12:57:38.179760