SC-20-727 Secure Name/Address Resolution Service (Authoritative Source)

SC-20-727
Secure Name/Address Resolution Service (Authoritative Source)
System and Communications Protection
Protect
System Communications Protection
LOW, MOD, HIGH
P1
Yes
May 20, 2016

The Agency shall use one designated authoritative source for all domains under the Agency's control (e.g., TAMU Infoblox for the tti.tamu.edu domain and AWS Route 53 for all commercial domains), and reject responses from any other source.

Networks and supporting infrastructure are exposed to unauthorized parties due to a lack of defined network security and administration policies, procedures, and standards.
The information system: a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
The network has established parent and client zones to maintain the appropriate level of isolation.
The information system that provides name/address resolution service provides additional data origin and integrity artifacts along with the authoritative data it returns in response to resolution queries.
Obtain the system and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); NIST Special Publication 800-81; information system design documentation; information system configuration settings and associated documentation; and other relevant documents or records, and ascertain if: (i) the information system, if it provides a name/address resolution service, provides additional data origin authentication and data integrity artifacts along with the authoritative data it returns in response to resolution queries; and (ii) the information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains.