CCI-001663
CCI-001663 Definition
Status | |
Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed installs and utilizes software capable of validating the chain of trust (examples of software include dig, dnsviz, dnssec-debugger, dnssec validator for Mozilla, etc.). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1663.
Validation Procedures
The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries that exercise the data flow path for authoritative name resolution services where parent and child domains exist. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that pertain to CCI 1663.
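The parent/child link that such dig queries exercise can be checked offline from captured DS and DNSKEY answers. The following is an added example, not part of the CCI datasheet or any STIG; it assumes dig's presentation format for the records, and the zone name, key bytes and helper names are constructed for illustration. It checks only the DS-to-DNSKEY link, not RRSIG signatures.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' as printed by dig."""
    f = line.split()
    owner, flags, proto, alg = f[0], int(f[4]), int(f[5]), int(f[6])
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(f[7:]))
    return owner, rdata

def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_matches(ds_line, dnskey_line):
    """True if the parent's DS record commits to the child's DNSKEY."""
    f = ds_line.split()
    tag, alg, dtype, digest = int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).lower()
    owner, rdata = parse_dnskey(dnskey_line)
    if dtype not in DIGESTS or f[0].lower() != owner.lower():
        return False
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    # DS digest = hash(owner name in wire form || DNSKEY RDATA)
    return DIGESTS[dtype](name_to_wire(owner) + rdata).hexdigest() == digest

# Constructed sample data (not a real zone): a 64-byte placeholder key, algorithm 13.
PUB = base64.b64encode(bytes(range(64))).decode()
CHILD_DNSKEY = f"example.test. 3600 IN DNSKEY 257 3 13 {PUB}"
_owner, _rdata = parse_dnskey(CHILD_DNSKEY)
PARENT_DS = "example.test. 86400 IN DS {} 13 2 {}".format(
    key_tag(_rdata), hashlib.sha256(name_to_wire(_owner) + _rdata).hexdigest().upper())
# A different key published at the child breaks the link to the parent's DS.
ROLLED_DNSKEY = f"example.test. 3600 IN DNSKEY 257 3 13 {base64.b64encode(bytes(64)).decode()}"

if __name__ == "__main__":
    print("DS matches DNSKEY:", ds_matches(PARENT_DS, CHILD_DNSKEY))
    print("DS matches rolled key:", ds_matches(PARENT_DS, ROLLED_DNSKEY))
```

A mismatch here corresponds to a broken delegation: a validating resolver would treat the child zone's answers as bogus even though each zone is signed.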
Compelling Evidence
1.) DNS logs. 2.) Applicable STIG/SRG checks.