
SC-20: Secure Name/Address Resolution Service (Authoritative Source)

An OSCAL Control

Statement

    • a.

      Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

    • b.

      Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

      • Requirement:

        Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

      • Requirement:

        Authoritative DNS servers must be geolocated in accordance with SA-9 (5).

      • Guidance:

        SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

      • Guidance:

        External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

      • Guidance:

        CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net).
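
An added example, not part of the control text or of any FedRAMP tooling: the parent-to-child chain of trust in part b rests on a DS record in the parent zone that carries a digest of a DNSKEY in the child zone. This Python sketch recomputes the key tag and SHA-256 DS digest (RFC 4034) and classifies the delegation. The zone name and key bytes are constructed placeholders, and an empty DS set is treated as an insecure delegation without modelling the NSEC/NSEC3 proof a validator would require.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit folded sum over the RDATA)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def delegation_status(owner, child_dnskeys, parent_ds_set):
    """Return 'insecure' (no DS at parent), 'secure' (a DS matches a child
    zone key) or 'bogus' (DS published but nothing in the child matches)."""
    if not parent_ds_set:
        return "insecure"
    for tag, alg, digest_type, digest in parent_ds_set:
        if digest_type != 2:          # this sketch only handles SHA-256
            continue
        for rdata in child_dnskeys:
            flags, _proto, key_alg = struct.unpack("!HBB", rdata[:4])
            if not flags & 0x0100:    # a DS must point at a zone key
                continue
            if (tag == key_tag(rdata) and alg == key_alg
                    and digest.lower() == ds_digest(owner, rdata)):
                return "secure"
    return "bogus"

# Constructed sample data: placeholder zone and key bytes, not a real key.
ZONE = "child.example."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
PARENT_DS = [(key_tag(KSK), 13, 2, ds_digest(ZONE, KSK))]
ROLLED_KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))  # key replaced, DS stale

if __name__ == "__main__":
    print(delegation_status(ZONE, [KSK], PARENT_DS))
    print(delegation_status(ZONE, [ROLLED_KSK], PARENT_DS))
    print(delegation_status(ZONE, [KSK], []))
```

The "bogus" case is the one a self-check should catch before a key rollover goes live: validating resolvers fail the whole zone when the parent's DS no longer matches any published DNSKEY.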