Missing or misconfigured DNSSEC

Description

DNSSEC adds cryptographic signatures to existing DNS records, allowing resolvers to verify the authenticity and integrity of DNS responses. When DNSSEC is missing or misconfigured, it can lead to:

Lack of origin authentication for DNS data
Inability to ensure data integrity of DNS responses
Increased susceptibility to man-in-the-middle attacks
Potential for malicious redirection of network traffic

The absence or misconfiguration of DNSSEC can have significant consequences. Attackers may gain the ability to intercept and manipulate DNS queries, potentially redirecting users to fraudulent websites that mimic legitimate services. This can lead to various malicious activities, including credential theft, malware distribution, or service disruption. Additionally, if such attacks occur or become known, it can result in a loss of trust in the domain's online services, potentially damaging the organization's reputation and user confidence.

Recommendation

To address The issue make sure to do the following:

Implement DNSSEC: Enable DNSSEC on all authoritative DNS servers for the domain, make sure to test your implementation thoroughly.
Configure DNSSEC records properly:
Generate and publish DNSKEY records
Create and sign RRSIG records for all DNS record sets
Publish DS records in the parent zone
Key management:
Implement a secure key management process
Regularly rotate DNSSEC keys (ZSK and KSK)
Update DS records with the parent zone after key rollovers
Validation and monitoring:
Use online DNSSEC validation tools to verify correct implementation
Set up monitoring for DNSSEC-related issues and expiration dates
DNS infrastructure:
Ensure all DNS servers support DNSSEC
Configure recursive resolvers to perform DNSSEC validation
Review and update:
Regularly review DNSSEC configuration for best practices
Keep DNS software and DNSSEC tools up to date

Links

Standards

SOC2_CONTROLS:
- CC_6_1
- CC_6_6
- CC_6_7
- CC_7_1
GDPR:
- ART_32
CCPA:
- CCPA_1798_150