SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)

An OSCAL Control

Statement

    • Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

        • Requirement:

          The control description should state how DNSSEC is implemented on the recursive DNS servers so that they issue DNSSEC-validating requests when resolving queries from internal components to domains outside the CSO boundary.

          • If the reply is signed and fails DNSSEC validation, do not use the reply.
          • If the reply is unsigned, the CSP chooses the policy to apply.
        • Requirement:

          Internal recursive DNS servers must be located inside an authorized environment, typically within the boundary or leveraged from an underlying IaaS/PaaS.

        • Guidance:

          Accepting an unsigned reply is acceptable.

        • Guidance:

          SC-21 applies to the use of internal recursive DNS by a component inside the boundary to access a domain outside the boundary.

          • DNSSEC resolution to access a component inside the boundary is excluded.
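As an added example that is not part of the control text or any CSP's implementation, the following Unbound resolver configuration maps the requirements and guidance above to concrete settings; the listen address, client range, trust-anchor path and internal zone name are placeholders.

```conf
# Added example: Unbound settings implementing the SC-21 requirements above.
# Addresses, paths and the internal zone name are placeholders (assumptions).
server:
    # Serve only internal components: the resolver lives inside the
    # authorized environment and is not reachable from outside the boundary.
    interface: 10.0.0.2                 # placeholder internal address
    access-control: 10.0.0.0/8 allow    # placeholder internal client range
    access-control: 0.0.0.0/0 refuse

    # Request and validate DNSSEC (data origin authentication and data
    # integrity) using the root trust anchor; Unbound keeps this file
    # current via RFC 5011 rollover tracking.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # placeholder path

    # Weak setting to avoid: "yes" would hand signed-but-failing (bogus)
    # answers to clients with only the AD bit cleared. Keep "no" so a reply
    # that fails validation is discarded and the client gets SERVFAIL.
    val-permissive-mode: no

    # A reply whose DNSSEC records were stripped, for a zone that the chain
    # of trust says must be signed, is treated as bogus rather than unsigned.
    harden-dnssec-stripped: yes

    # Replies from zones that are provably unsigned (insecure delegation) are
    # returned to clients. That is the "CSP chooses the policy" case, and the
    # guidance above permits accepting them; this configuration does so.

    # Zones inside the boundary are out of scope for SC-21; mark them
    # insecure so no validation is attempted against them.
    domain-insecure: "corp.example."    # placeholder internal zone

    # Log every validation failure so rejected replies reach monitoring.
    val-log-level: 2
```

After loading the configuration, a validating lookup of a signed external name should return the AD flag, while a lookup of a known-bogus test name should return SERVFAIL and a matching entry in the Unbound log.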