Skip to content

SC-20: Secure Name/Address Resolution Service (Authoritative Source)

An OSCAL Control

Statement

    • a.

      Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

    • b.

      Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

      • Requirement:

        Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

      • Guidance:

        SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

      • Guidance:

        External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

      • Guidance:

        CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)