SC-20-727 Secure Name/Address Resolution Service (Authoritative Source)

Secure Name/Address Resolution Service (Authoritative Source)

Control ID

SC-20-727

Control Name

Secure Name/Address Resolution Service (Authoritative Source)

Control Category

System and Communications Protection

Functional Areas

Protect

Sub-Areas

System Communications Protection

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

The Agency shall use one designated authoritative source for all domains under the Agency's control (e.g., TAMU Infoblox for the tti.tamu.edu domain and AWS Route 53 for all commercial domains), and reject responses from any other source.

Risk Statement

Networks and supporting infrastructure are exposed to unauthorized parties due to lack of defined network security and administration policies, procedures and standards.

Control Description

The information system: a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

Control Example

The network has established parent and client zones to maintain the appropriate level of isolation.

State Implementation

The information system that provides name/address resolution service provides additional data origin and integrity artifacts along with the authoritative data it returns in response to resolution queries.

Testing Procedures

Obtain system and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); NIST Special Publication 800-81; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if : (I)the information system, (if the system provides a name/address resolution service), provides artifacts for additional data origin authentication and data integrity artifacts along with the authoritative data it returns in response to resolution queries. (ii)the information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.