CCI-002466
CCI-002466 Definition
Status | |
Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed configures the: 1. recursive/caching name server software to enable DNSSEC; 2. software to enable DNSSEC validation; and 3. software to establish a secure entry point trust anchor by installing key signing keys in the software configuration of trusted keys. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2466.
Validation Procedures
The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries which will exercise the data flow path for recursive name resolution services. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2466.
Compelling Evidence
1.) DNS logs. 2.) Applicable STIG/SRG checks that determine the name server software configuration files and pertain to CCI 2466.