V-259414
CAT IIThe private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
- Ships Affected
- 1
- Total Findings
- 1
- Open
- 0
- Closed
- 0
Check Text
This check is not applicable for Windows DNS Servers that only host Active Directory-integrated zones or for Windows DNS servers on a classified network.
Review the DNS name server and documentation to determine if it accepts dynamic updates.
If dynamic updates are not accepted, verify the private keys corresponding to both the ZSK and KSK are not located on the name server.
If the private keys to the ZSK and/or the KSK are located on the name server, this is a finding.
Fix Text
Store the private keys of the ZSK and KSK offline in an encrypted file system.
STIG Reference
- STIG
- Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
- Version
- 2
- Release
- 4
- Rule ID
- SV-259414r1156961_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl | Unassigned | 2026-01-14T12:57:38.179760 | View in Context |