CCI-002464
CCI-002464 Definition
Status | |
Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed configures the authoritative name server software for internal software to enable DNSSEC and creates resource records with digital signatures(RRSig) for each A record. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2464.
Validation Procedures
The organization conducting the inspection/assessment: 1. inspects the configuration files for the presence of DNSSEC records for each A record hosted in a zone; 2. utilizes DNSSEC diagnostic tools, such as dig; and 3. performs queries which will exercise the data flow path for authoritative name resolution services. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2464.
Compelling Evidence
1.) DNS logs. 2.) Applicable STIG/SRG checks.