800-53|SC-20b.

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

Description

Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
3.4 Restrict Zone-Transfers 'allow-transfer'UnixCIS ISC BIND 9.0/9.5 v2.0.0
5.1 Securely Authenticate Zone TransfersUnixCIS BIND DNS v3.0.1 Authoritative Name Server
5.1 Securely Authenticate Zone TransfersUnixCIS BIND DNS v3.0.1 Caching Only Name Server
5.2 Securely Authenticate Dynamic Updates - allow-update none or localhostUnixCIS BIND DNS v3.0.1 Authoritative Name Server
5.2 Securely Authenticate Dynamic Updates - update-policy grant or localUnixCIS BIND DNS v3.0.1 Authoritative Name Server
5.3 Securely Authenticate Update ForwardingUnixCIS BIND DNS v3.0.1 Authoritative Name Server
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information.UnixDISA BIND 9.x STIG v2r3
BIND-9X-001310 - A BIND 9.x server implementation must provide the means to indicate the security status of child zones.UnixDISA BIND 9.x STIG v2r3
BIND-9X-001311 - The BIND 9.x server validity period for the RRSIGs covering the DS RR for zones delegated children must be no less than two days and no more than one week.UnixDISA BIND 9.x STIG v2r3
BIND-9X-001510 - A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies.UnixDISA BIND 9.x STIG v2r3
WDNS-SC-000008 - The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r7
WDNS-SC-000009 - The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r7
WDNS-SC-000010 - The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r7
WDNS-SC-000011 - The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r7
WDNS-SC-000012 - Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r7
WDNS-SC-000013 - Automatic Update of Trust Anchors must be enabled on key rollover.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r7