CompTIA SecurityX (CAS-005) — Question 315
A DNS forward lookup zone named comptia.org must:
• Ensure the DNS is protected from on-path attacks.
• Ensure zone transfers use mutual authentication and are authenticated and negotiated.
Which of the following should the security architect configure to meet these requirements? (Choose two.)
Answer options
- A. Public keys
- B. Conditional forwarders
- C. Root hints
- D. DNSSEC
- E. CNAME records
- F. SRV records
Correct answer: A, D
Explanation
Public keys (A) are essential for encrypting data and ensuring secure communications, which helps protect against on-path attacks. DNSSEC (D) provides authentication and integrity for DNS data, ensuring that zone transfers are secure and authenticated. The other options do not specifically address these security requirements.