CCI-001179

The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child zones.

Implementation Guidance

The organization being inspected/assessed configures the authoritative name server software to enable DNSSEC and creates delegation signer (DS) resource records for each child zone and place those records in the parent zone. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 1179.

Validation Procedures

The organization conducting the inspection/assessment inspect the configuration files for the presence of Delegation Signer (DS) Records for any child domains. Note: This is only applicable for zones with child domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 1179.

Compelling Evidence

1.) DNS logs. 2.) Applicable STIG/SRG checks.

The controls below (if any) were marked by NIST as being related to CCI-001179.