SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)

Control: The information system that provides name/address resolution service for local clients performs data origin authentication and data integrity verification on the resolution responses it receives from authoritative sources when requested by client systems.

Supplemental Guidance: A resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients, and authoritative DNS servers are examples of authoritative sources. NIST Special Publication 800-81 provides guidance on secure domain name system deployment.

Control Enhancements:

(1) The information system performs data origin authentication and data integrity verification on all resolution responses whether or not local clients explicitly request this service.

Enhancement Supplemental Guidance: Local clients include, for example, DNS stub resolvers.

Baseline: LOW: Not Selected; MOD: Not Selected; HIGH: SC-21

Family: System And Communications Protection

Class: Technical

ISO 17799 mapping: None.

COBIT 4.1 mapping: None.

PCI-DSS v2 mapping: None.