SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
Control: The information system that provides name/address resolution service for local clients performs data origin authentication and data integrity verification on the resolution responses it receives from authoritative sources when requested by client systems.
Supplemental Guidance: A resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients and authoritative DNS servers are examples of authoritative sources. NIST Special Publication 800-81 provides guidance on secure domain name system deployment.
Control Enhancements:
(1) The information system performs data origin authentication and data integrity verification on all resolution responses whether or not local clients explicitly request this service.
Enhancement Supplemental Guidance: Local clients include, for example, DNS stub resolvers.
Baseline: LOW: Not Selected; MOD: Not Selected; HIGH: SC-21
Family: System And Communications Protection
Class: Technical
ISO 17799 mapping: None.
COBIT 4.1 mapping: None.
PCI-DSS v2 mapping: None.