CAS-005 Question #419: Real Exam Question with Answer & Explanation
The correct answer is A: Public keys.
Question
A DNS forward lookup zone named comptia.org must:
- Ensure the DNS is protected from on-path attacks.
- Ensure zone transfers use mutual authentication and are authenticated and negotiated.

Which of the following should the security architect configure to meet these requirements? (Choose two.)
Options
- A. Public keys
- B. Conditional forwarders
- C. Root hints
- D. DNSSEC
- E. CNAME records
- F. SRV records
Explanation
By publishing the zone’s DNSSEC public keys (and configuring the parent zone and any secondary servers to trust them), zone transfers will automatically be integrity-checked and authenticated. The mutual authentication during zone transfers relies on the underlying public-key signatures that DNSSEC provides. Deploying DNSSEC for the comptia.org zone signs all records with cryptographic signatures and publishes the corresponding public keys, protecting against on-path tampering and spoofing.