New DISA DNS Security Requirements Guide (SRG)
So, now that DoD DNS administrators have become comfortable with using the DNS STIG to manage DNS security on their servers, DISA has put out a new SRG to be used along with the STIG. Here is a link to the memo that DISA sent out when they posted the new SRG:
http://iase.disa.mil/stigs/net_perimeter/other/u_dns_srg_v1_stig_release_memo.pdf
This was just released on 2 November, so I am still reviewing it to see how it affects how we run our checklists. What I have gathered so far is that the SRG incorporates security elements from previous network SRGs to ensure that the DNS "big picture" is secure.
It also sounds like the STIG may become automated in the future, which is how many of the other DISA STIGs operate.
Here is a link to the actual SRG. The zipped file includes a very informative document, DOMAIN NAME SYSTEM (DNS) SECURITY REQUIREMENTS GUIDE (SRG) OVERVIEW:
http://iase.disa.mil/stigs/net_perimeter/other/u_dns_srg_v1r1.zip
This will certainly have many DoD "DNS oldtimers" pulling their hair out while we figure out how to incorporate the new SRG!