CCI-002465

Request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.

Implementation Guidance

The organization being inspected/assessed configures the: 1. recursive/caching name server software to enable DNSSEC; 2. software to enable DNSSEC validation; and 3. software to establish a secure entry point trust anchor by installing key signing keys in the software configuration of trusted keys. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2465.

Validation Procedures

The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries which will exercise the data flow path for recursive name resolution services. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2465.

Compelling Evidence

1.) DNS logs. 2.) Applicable STIG/SRG checks that determine the name server software configuration files and pertain to CCI 2465.

The controls below (if any) were marked by NIST as being related to CCI-002465.