
V-265990

CAT I (High)

The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.

Rule ID

SV-265990r1024864_rule

STIG

F5 BIG-IP TMOS DNS Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001184

Discussion

DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.

Check Content

If the BIG-IP is transferring zones from another non-BIG-IP DNS server, perform the following.

From the BIG-IP GUI:
1. DNS.
2. Zones.
3. Click on the Zone Name.
4. Under the TSIG section, verify a "Server Key" is selected.

From the BIG-IP Console, type the following commands:

tmsh list ltm dns zone <name> server-tsig-key

Note: Must return a value other than "none".

If the BIG-IP appliance is not configured to protect the authenticity of communications sessions for zone transfers, this is a finding.
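
The console check above can be scripted when many zones are in scope. The following is an added example, not part of the STIG text: the function name `check_zone_tsig`, the sample zones and the stanza layout of the tmsh output are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: evaluate the output of
#   tmsh list ltm dns zone <name> server-tsig-key
# Assumption: tmsh prints each zone as a stanza of the form
#   ltm dns zone <name> {
#       server-tsig-key <value>
#   }

# check_zone_tsig: reads tmsh output on stdin, prints OK/FINDING per zone,
# and returns 1 if any zone has no server TSIG key (value "none" or absent).
check_zone_tsig() {
    awk '
        function report() {
            if (key == "" || key == "none") {
                printf "FINDING %s server-tsig-key=%s\n", zone, (key == "" ? "unset" : key)
                bad = 1
            } else {
                printf "OK %s server-tsig-key=%s\n", zone, key
            }
            inzone = 0
        }
        $1 == "ltm" && $2 == "dns" && $3 == "zone" {
            zone = $4; key = ""; inzone = 1
            if ($NF == "}") report()   # defensive: stanza closed on one line
            next
        }
        inzone && $1 == "server-tsig-key" { key = $2; next }
        inzone && $1 == "}" { report() }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample output (not captured from a real device).
sample_tmsh_output() {
    cat <<'EOF'
ltm dns zone example.mil {
    server-tsig-key /Common/xfr_key
}
ltm dns zone internal.example.mil {
    server-tsig-key none
}
EOF
}

# Demo run against the constructed sample: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_tmsh_output | check_zone_tsig
fi
```

On the appliance, pipe the command from the check into the function once per zone. Only zones transferred from a non-BIG-IP DNS server are in scope for this rule.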

Fix Text

From the BIG-IP GUI:
1. DNS.
2. Zones.
3. Click on the Zone Name.
4. Under the TSIG section, select a "Server Key" from the drop-down menu.
5. Click "Update".

From the BIG-IP Console, type the following commands:
tmsh modify ltm dns zone <zone name> server-tsig-key <TSIG key name>
tmsh save sys config