SC-21

System and Communications ProtectionRev 5system

Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Baselines:LowModerateHigh

Control Statement

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Supplemental Guidance

Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

Related Controls (2)

SC-20 SC-22

CCI Identifiers (5)

CCI-001180The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.CCI-002465Request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.CCI-002466Request data integrity verification on the name/address resolution responses the system receives from authoritative sources.CCI-002467Perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.CCI-002468Perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.

Linked STIG Checks (26)

Across 10 STIGs. Click to expand.