Each DNSSEC finding has a message shown in Findings as an individual entry, along with the associated IP address. The text in the remediation column is also available in the platform. Remediation is guidance on how to resolve the issue so that it no longer adversely impacts the organization’s Bitsight Security Rating.
Achieving a 'Good' DNSSEC Rating
To achieve a GOOD grade, the domain must have DNSSEC enabled and correctly configured.
The zone's keys and signatures must adhere to the following rules:
- They must use a secure signing algorithm and hash (for example RSA/SHA-256 or ECDSA P-256/SHA-256) with a sufficiently long key; RSA keys must be at least 2048 bits.
- They must form a validated chain of trust: the DS record published in the parent zone must match the domain's Key Signing Key, and the zone's records must carry valid signatures.
Remediation Recommendations
- Set up DNSSEC for your domain, including generating the appropriate keys, signing the zone and updating the DNS zone records.
- Generate a new Zone Signing Key with an RSA key of 2048 bits or more (RSA/SHA-256, algorithm 8), or use an elliptic-curve algorithm such as ECDSA P-256 (algorithm 13). Do not choose DSA: RFC 8624 deprecates DSA (algorithms 3 and 6) for signing, and RFC 2536 limits DSA keys to 1024 bits, so a DSA key cannot meet the 2048-bit requirement.
- Download updated trust anchors and set them to be managed automatically (RFC 5011), so that a root key rollover does not leave your validator with stale anchors.
- Submit the DS record derived from your Key Signing Key (or, where the registrar accepts it, the DNSKEY itself) through your registrar's management interface so that the parent zone publishes it.
What are the risks of not remediating a DNSSEC Finding?
Without DNSSEC, resolvers have no way to verify that the answers they receive for an organization's domain are authentic. An attacker who can forge or poison those answers can redirect users and mail to hosts they control, appear to be that organization online, and perpetrate man-in-the-middle (MITM) attacks.
How Remediation Impacts Your Grade
- Once our scanner detects a fix, the finding stops impacting your grade immediately.
- If you request a rescan and the fix is confirmed, the status updates to Remediated. If the issue persists, the status remains Not Remediated and the grade impact continues.
Finding Message Reference
Locate your specific finding message below to see the required remediation.
Bad DNSSEC Finding Messages
These issues represent significant security gaps and should be remediated immediately.
Remediation: Examine the implemented methods of trusting keys on your DNS server. If you are manually managing trust anchors, you may have outdated anchors, and will want to download new anchors or switch your method to automatic. See Trusted Keys and Managing Keys for more information.
Remediation: Make sure that the DS record for your domain has been entered through your domain registrar's control panel and that it matches your current Key Signing Key (the DNSKEY record with flags 257). See How To Setup DNSSEC on an Authoritative BIND DNS Server for instructions.
Remediation: Ensure your authenticated denial of existence resource records (NSEC, or NSEC3 if you use hashed denial) are properly formatted, according to RFC 4034, Resource Records for the DNS Security Extensions, and RFC 5155 for NSEC3.
Warn DNSSEC Finding Messages
Findings in this category indicate configurations that should be addressed soon. These moderately impact the health of the vector.
Remediation: You will need to create a new Zone Signing Key of adequate strength. Do not generate another DSA key: RFC 8624 deprecates DSA (algorithms 3 and 6) for signing, and RFC 2536 limits DSA keys to 1024 bits, so DSA cannot reach the required 2048 bits. Use RSA/SHA-256 (algorithm 8) with a key of at least 2048 bits, or ECDSA P-256 (algorithm 13), and re-sign the zone. See the technical overview of DNSSEC key generation.
Remediation: The DS record that the parent zone (the .com, .org, etc. registry) publishes for your domain is bad, typically because it is outdated after a Key Signing Key rollover. Resubmit a DS record matching your current Key Signing Key through your registrar.
Remediation: You will need to generate a new Zone Signing Key, using the RSA algorithm (RSA/SHA-256, algorithm 8), with a key strength greater than or equal to 2048 bits. See the technical overview of DNSSEC key generation.
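As an added example, and not code from Bitsight's scanner or from BIND, the following Python script performs the two checks behind the DS-record and Zone Signing Key remediations above: it derives the DS record that the parent zone should carry for a given DNSKEY, so you can confirm that what you entered at the registrar matches your current KSK, and it flags keys that use a deprecated algorithm or an RSA modulus shorter than 2048 bits. The sample keys are constructed placeholders in RFC 3110 layout, not real keys; the function names and the RFC 8624 policy table are this example's own, not the platform's.

```python
import base64
import hashlib
from dataclasses import dataclass

# Signing guidance from RFC 8624 section 3.1 (algorithm numbers from the IANA registry).
MUST_NOT_SIGN = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1", 12: "ECC-GOST"}
NOT_RECOMMENDED_SIGN = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 10: "RSASHA512"}
RSA_ALGORITHMS = {1, 5, 7, 8, 10}
MIN_RSA_BITS = 2048                                                  # threshold used by the findings above
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


@dataclass
class DNSKey:
    flags: int        # 256 = ZSK, 257 = KSK (zone key + SEP bit)
    protocol: int     # always 3
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


def parse_dnskey(rdata_text: str) -> DNSKey:
    """Parse DNSKEY RDATA as printed by dig, e.g. '257 3 8 AwEAAc...' (base64 may contain spaces)."""
    fields = rdata_text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    return DNSKey(flags, protocol, algorithm, base64.b64decode("".join(fields[3:])))


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lower case, length-prefixed labels."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(key: DNSKey) -> int:
    """Key tag over the RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(key.rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(key: DNSKey) -> int:
    """Modulus size of an RSA public key in RFC 3110 format: exponent length, exponent, modulus."""
    pk = key.public_key
    exp_len, offset = pk[0], 1
    if exp_len == 0:                     # exponents longer than 255 bytes use a 2-byte length
        exp_len, offset = int.from_bytes(pk[1:3], "big"), 3
    return int.from_bytes(pk[offset + exp_len:], "big").bit_length()


def compute_ds(owner: str, key: DNSKey, digest_type: int = 2) -> str:
    """DS RDATA (RFC 4034 section 5.1.4) that the parent zone should publish for this key."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata).hexdigest().upper()
    return f"{key_tag(key)} {key.algorithm} {digest_type} {digest}"


def ds_matches(owner: str, key: DNSKey, ds_rdata_text: str) -> bool:
    """True if the DS record published at the parent corresponds to this DNSKEY."""
    tag, alg, dtype, *digest = ds_rdata_text.split()
    if int(dtype) not in DIGESTS:
        return False
    published = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest).upper()}"
    return published == compute_ds(owner, key, int(dtype))


def assess_key(key: DNSKey) -> list[str]:
    """Problems with the key's algorithm or size, in the spirit of the Warn findings above."""
    problems = []
    if key.algorithm in MUST_NOT_SIGN:
        problems.append(f"algorithm {key.algorithm} ({MUST_NOT_SIGN[key.algorithm]}) must not be "
                        "used for signing (RFC 8624); re-sign with RSA/SHA-256 or ECDSA P-256")
    elif key.algorithm in NOT_RECOMMENDED_SIGN:
        problems.append(f"algorithm {key.algorithm} ({NOT_RECOMMENDED_SIGN[key.algorithm]}) "
                        "is not recommended for signing (RFC 8624)")
    if key.algorithm in RSA_ALGORITHMS and rsa_modulus_bits(key) < MIN_RSA_BITS:
        problems.append(f"RSA modulus is {rsa_modulus_bits(key)} bits; {MIN_RSA_BITS} or more required")
    return problems


# Constructed sample keys (NOT real keys): exponent 65537 and a placeholder modulus with only its
# top and bottom bits set, so the example runs offline. Real keys come from dnssec-keygen.
def _fake_rsa(modulus_bytes: int) -> bytes:
    return b"\x03\x01\x00\x01" + b"\x80" + b"\x00" * (modulus_bytes - 2) + b"\x01"

EXAMPLE_OWNER = "example.com."
GOOD_KSK = "257 3 8 " + base64.b64encode(_fake_rsa(256)).decode()          # RSA/SHA-256, 2048-bit
WEAK_ZSK = "256 3 5 " + base64.b64encode(_fake_rsa(128)).decode()          # RSASHA1, 1024-bit
DSA_ZSK = "256 3 3 " + base64.b64encode(b"\x00" + b"\x01" * 20).decode()   # DSA, placeholder bytes

if __name__ == "__main__":
    ksk = parse_dnskey(GOOD_KSK)
    print("DS to give the registrar:", compute_ds(EXAMPLE_OWNER, ksk))
    for label, text in (("GOOD_KSK", GOOD_KSK), ("WEAK_ZSK", WEAK_ZSK), ("DSA_ZSK", DSA_ZSK)):
        print(label, assess_key(parse_dnskey(text)) or "ok")
```

To check a live zone, paste the RDATA of the flags-257 record from `dig example.com DNSKEY +short` into `parse_dnskey`, and the record from `dig example.com DS +short` (which a resolver fetches from the parent zone) into `ds_matches`; a False result after a KSK rollover is exactly the stale-DS condition described in the Warn finding above.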
Neutral DNSSEC Finding Messages
These findings provide context but do not affect the performance assessment of the risk vector.
No remediation needed.
Remediation: You will need to set up DNSSEC for your domain, including generating necessary keys and updating DNS zone records accordingly. See this DigitalOcean guide for instructions which may be applicable to your server configuration, as well as dnssec.net for practical documents related to DNSSEC setup.