CCI|CCI-001663

Title

Provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services), when operating as part of a distributed, hierarchical namespace.

Reference Item Details

Category: 2024

Audit Items

| Name | Plugin | Audit Name |
|---|---|---|
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - dnssec-enable | Unix | DISA BIND 9.x STIG v1r9 |
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - dnssec-enable | Unix | DISA BIND 9.x STIG v2r2 |
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - KSK | Unix | DISA BIND 9.x STIG v2r2 |
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - KSK | Unix | DISA BIND 9.x STIG v1r9 |
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - zone | Unix | DISA BIND 9.x STIG v1r9 |
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - zone | Unix | DISA BIND 9.x STIG v2r2 |
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - ZSK | Unix | DISA BIND 9.x STIG v1r9 |
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - ZSK | Unix | DISA BIND 9.x STIG v2r2 |
| BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information. | Unix | DISA BIND 9.x STIG v2r3 |
| BIND-9X-001510 - A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies - master | Unix | DISA BIND 9.x STIG v2r2 |
| BIND-9X-001510 - A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies - master | Unix | DISA BIND 9.x STIG v1r9 |
| BIND-9X-001510 - A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies - secondary | Unix | DISA BIND 9.x STIG v2r2 |
| BIND-9X-001510 - A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies - secondary | Unix | DISA BIND 9.x STIG v1r9 |
| BIND-9X-001510 - A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies. | Unix | DISA BIND 9.x STIG v2r3 |
| WDNS-SC-000009 - The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r1 |
| WDNS-SC-000009 - The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r5 |
| WDNS-SC-000009 - The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v1r14 |
| WDNS-SC-000009 - The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r4 |
| WDNS-SC-000009 - The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r6 |
| WDNS-SC-000010 - The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r6 |
| WDNS-SC-000010 - The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r1 |
| WDNS-SC-000010 - The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r5 |
| WDNS-SC-000010 - The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v1r14 |
| WDNS-SC-000010 - The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r4 |
| WDNS-SC-000011 - The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r5 |
| WDNS-SC-000011 - The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r1 |
| WDNS-SC-000011 - The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r6 |
| WDNS-SC-000011 - The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v1r14 |
| WDNS-SC-000011 - The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r4 |
| WDNS-SC-000012 - Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r5 |
| WDNS-SC-000012 - Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r6 |
| WDNS-SC-000012 - Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r1 |
| WDNS-SC-000012 - Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r4 |
| WDNS-SC-000012 - Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v1r14 |
| WDNS-SC-000013 - Automatic Update of Trust Anchors must be enabled on key rollover. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r1 |
| WDNS-SC-000013 - Automatic Update of Trust Anchors must be enabled on key rollover. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r5 |
| WDNS-SC-000013 - Automatic Update of Trust Anchors must be enabled on key rollover. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r6 |
| WDNS-SC-000013 - Automatic Update of Trust Anchors must be enabled on key rollover. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v1r14 |
| WDNS-SC-000013 - Automatic Update of Trust Anchors must be enabled on key rollover. | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r4 |