CME-405
DNSSEC Validation
Description
Validates DNS responses using cryptographic signatures, preventing DNS spoofing, cache poisoning, and DNS-based redirection attacks.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | DNS-based redirect/spoofing attacks require breaking DNSSEC chain of trust |
CWE Relationships
Verification
Verify DNSSEC validation is enabled in the resolver
$ resolvectl status | grep DNSSEC
# Expected: DNSSEC setting: yes
Platform: linux
$ grep 'val-permissive-mode' /etc/unbound/unbound.conf
# Expected: val-permissive-mode: no
Platform: linux
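
A stricter form of the two checks above, as an added example that is not part of the original entry: it accepts the "DNSSEC setting: yes" line as well as the "Protocols: ... DNSSEC=yes/supported" line that newer systemd releases print, rejects allow-downgrade, and requires an Unbound trust anchor in addition to non-permissive mode. The function names and all sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample texts below are constructed, not captured from a host.

# Reads `resolvectl status` text on stdin. Passes only if every scope that
# reports a DNSSEC mode reports "yes". Handles the older "DNSSEC setting: yes"
# line and the newer "Protocols: ... DNSSEC=yes/supported" form.
# "allow-downgrade" fails: it permits fallback to unvalidated answers.
resolved_dnssec_ok() {
    awk '
        /DNSSEC setting:/ { seen = 1; if ($NF != "yes") bad = 1 }
        /DNSSEC=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DNSSEC=/) {
                    seen = 1
                    split($i, kv, "[=/]")
                    if (kv[2] != "yes") bad = 1
                }
        }
        END { exit !(seen && !bad) }
    '
}

# Reads unbound.conf text on stdin (include: files are not followed).
# Fails on val-permissive-mode: yes, on a module-config without the
# validator module, or when no trust anchor option is present.
unbound_dnssec_ok() {
    awk '
        { sub(/#.*/, "") }
        $1 == "val-permissive-mode:" && $2 == "yes" { bad = 1 }
        $1 == "module-config:" && $0 !~ /validator/ { bad = 1 }
        $1 ~ /^(auto-)?trust-anchor(-file)?:$/ { anchor = 1 }
        END { exit !(anchor && !bad) }
    '
}

# Constructed samples
RESOLVED_NEW='Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=yes/supported'
RESOLVED_DOWNGRADE='Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported'
UNBOUND_OK='server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no'
UNBOUND_NO_ANCHOR='server:
    val-permissive-mode: no   # the grep check passes, but no anchor is set'
```

On a host, feed the functions live data with `resolvectl status | resolved_dnssec_ok` and `unbound_dnssec_ok < /etc/unbound/unbound.conf`; a zero exit status means the check passed.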