CCI-002463
CCI-002463 Definition
Status | |
Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed configures the authoritative name server software for internal queries to enable DNSSEC and creates resource records with digital signatures (RRSIG) for each A record. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2463.
Validation Procedures
The organization conducting the inspection/assessment:
1. inspects the configuration files for the presence of DNSSEC records for each A record hosted in a zone;
2. utilizes DNSSEC diagnostic tools, such as dig; and
3. performs queries which will exercise the data flow path for authoritative name resolution services.

For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2463.
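An added example of the first validation step (not part of the CCI entry or of any STIG/SRG): it reads a signed zone flattened to one record per line and reports every A record owner that has no RRSIG covering type A, or whose signature is outside its validity window at the assessment time. The zone names, addresses and signature strings are constructed placeholders, and the check covers presence and dates only, not cryptographic verification.

```python
from datetime import datetime, timezone

# Constructed sample zone: one record per line (owner TTL class type rdata).
# The signature field is a placeholder string, not real RRSIG data.
SAMPLE_ZONE = """\
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 13 3 3600 20300101000000 20250101000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
mail.example.test. 3600 IN A 192.0.2.25
mail.example.test. 3600 IN RRSIG A 13 3 3600 20240101000000 20231201000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
ftp.example.test. 3600 IN A 192.0.2.21
ftp.example.test. 3600 IN RRSIG AAAA 13 3 3600 20300101000000 20250101000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy
"""

def _ts(value):
    # RRSIG expiration/inception in presentation form: YYYYMMDDHHmmSS, UTC.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_a_records(zone_text, now):
    """Return {owner: finding} for each A RRset without a currently valid RRSIG."""
    a_owners = set()
    windows = {}  # owner -> [(inception, expiration)] for RRSIGs covering A
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "A":
            a_owners.add(owner)
        elif rtype == "RRSIG" and len(fields) >= 13 and fields[4].upper() == "A":
            # RDATA order: covered alg labels origttl expiration inception tag signer sig
            windows.setdefault(owner, []).append((_ts(fields[9]), _ts(fields[8])))
    findings = {}
    for owner in sorted(a_owners):
        sigs = windows.get(owner)
        if not sigs:
            findings[owner] = "no RRSIG covering A"
        elif not any(inc <= now <= exp for inc, exp in sigs):
            findings[owner] = "RRSIG covering A is outside its validity window"
    return findings

if __name__ == "__main__":
    when = datetime.now(timezone.utc)
    for name, problem in audit_a_records(SAMPLE_ZONE, when).items():
        print(f"{name}\t{problem}")
```

An empty result means every A record in the input had at least one RRSIG covering type A that was in date at the time supplied.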
Compelling Evidence
1. DNS logs.
2. Applicable STIG/SRG checks.