Note: This is taken from Revision 3 of NIST Special Publication 800-53 (SP 800-53r3) published in August 2009.  As with all FISMA publications, it takes effect 12 months after publication (Aug/Sept 2010).

SC-8 Transaction Integrity

Text: The information system protects the integrity of transmitted information.

Who it applies to: Moderate and High

How it applies to DNS: This control covers DNS messaging such as zone transfers and dynamic updates. Following the recommendations in NIST SP800-81 on securing zone transfers and dynamic updates using TSIG or SIG(0) would address this control with regard to DNS. Using TSIG (or SIG(0)) provides message authentication between a primary master server and its secondary (slave) servers using a shared secret string and a one-way hash function (or a digital signature in the case of SIG(0)).
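The shared-secret-plus-hash mechanism described above, as an added example that is not part of the NIST publications or of any DNS implementation. It is a simplified model of TSIG: real TSIG (RFC 2845 / RFC 8945) computes the MAC over the DNS wire message plus the TSIG RDATA fields, whereas this model MACs the raw message bytes together with the key name, the algorithm name and the signing time. The key name, secret and message are constructed sample values. It shows the three failure outcomes a secondary reports (BADKEY, BADSIG, BADTIME) and why the time window (the "fudge") matters for replayed transfers.

```python
# Added example (not part of NIST SP 800-53 or SP 800-81): a simplified model of
# TSIG-style message authentication between a primary and a secondary.
# Real TSIG (RFC 2845 / RFC 8945) computes the MAC over the DNS wire message
# plus the TSIG RDATA fields; this model MACs the raw message bytes together
# with the key name, algorithm name and signing time, which is enough to show
# the shared-secret + one-way-hash mechanism and the BADKEY/BADSIG/BADTIME checks.
import hashlib
import hmac
import struct

FUDGE_SECONDS = 300  # RFC 2845 recommends a fudge value of 300 seconds


def _mac_input(message: bytes, key_name: str, algorithm: str, time_signed: int) -> bytes:
    """Bytes the MAC covers: message, key identity, algorithm and signing time."""
    return b"".join([
        message,
        key_name.lower().encode("ascii"),
        algorithm.lower().encode("ascii"),
        struct.pack("!Q", time_signed),
    ])


def sign_message(message: bytes, key_name: str, secret: bytes, time_signed: int) -> dict:
    """Produce the TSIG-like record a primary appends to a zone transfer or NOTIFY."""
    mac = hmac.new(secret, _mac_input(message, key_name, "hmac-sha256", time_signed),
                   hashlib.sha256).digest()
    return {"key_name": key_name, "algorithm": "hmac-sha256",
            "time_signed": time_signed, "mac": mac}


def verify_message(message: bytes, tsig: dict, secrets: dict, now: int) -> str:
    """Check a signed message the way a secondary would; returns 'ok' or the TSIG error name.

    The checks run in the order RFC 8945 section 5.2 uses: unknown key or
    algorithm (BADKEY), MAC mismatch (BADSIG), then the time window (BADTIME).
    `secrets` maps lower-case key names to shared secrets.
    """
    secret = secrets.get(tsig["key_name"].lower())
    if secret is None or tsig["algorithm"].lower() != "hmac-sha256":
        return "BADKEY"
    expected = hmac.new(secret, _mac_input(message, tsig["key_name"], tsig["algorithm"],
                                           tsig["time_signed"]), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing differences.
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"
    if abs(now - tsig["time_signed"]) > FUDGE_SECONDS:
        return "BADTIME"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a zone-transfer request message and a shared secret.
    secrets = {"xfer-key.example.": b"constructed-shared-secret"}
    message = b"AXFR example. IN"
    tsig = sign_message(message, "xfer-key.example.", secrets["xfer-key.example."], 1000)
    print(verify_message(message, tsig, secrets, 1100))          # ok
    print(verify_message(message + b"!", tsig, secrets, 1100))   # BADSIG
    print(verify_message(message, tsig, secrets, 1600))          # BADTIME
    print(verify_message(message, tsig, {}, 1100))               # BADKEY
```

Note that the MAC check runs before the time check, so a BADTIME result still tells the secondary that the message came from a holder of the shared secret; an unknown key or a modified message never reaches the time comparison.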

SC-20 Secure Name/Address Resolution Service (Authoritative Source)

Text Summary: The information system that provides name/address resolution service provides additional data origin and integrity artifacts along with the authoritative data it returns in response to resolution queries. When operating as part of a distributed, hierarchical namespace, the system also provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains.

Who it applies to: Low, Moderate and High level systems (i.e. All levels)

How it applies to DNS: "Data origin and integrity artifacts" basically means RRSIG RRs and DNSKEY RRs, so a primary authoritative server serving a signed zone would meet this control. Note that servers should also be configured to send signed responses when receiving DNSSEC-enabled queries. NIST SP800-81 contains guidance for zone administrators on setting up and maintaining signed zones.

The system must also provide a means for child zones to upload DS or DNSKEY information to the delegating parent in order to establish a secure delegation, either within the organization or for delegations from the .gov TLD. Zone administrators will need to upload the DS RR information derived from their KSK to the interface in order to set up a secure delegation from .gov.
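How the DS RR information is derived from the KSK, as an added example that is not part of the NIST publications or of any DNS implementation. It follows RFC 4034 section 5.1.4 (the DS digest is a hash over the canonical owner name followed by the DNSKEY RDATA) and Appendix B (the key tag); the key bytes used in the sample are a constructed placeholder, not a real public key, and the `.gov` owner name is illustrative.

```python
# Added example (not from NIST SP 800-53 or SP 800-81): derive the DS record a
# zone administrator would hand to the parent (e.g. the .gov registrar interface)
# from a key-signing key's DNSKEY, following RFC 4034 section 5.1.4 (digest over
# owner name + DNSKEY RDATA) and Appendix B (key tag). The sample key below is a
# constructed placeholder, not a real public key.
import hashlib
import struct

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # RFC 4034 (SHA-1), RFC 4509 (SHA-256)
ZONE_KEY_FLAG = 0x0100   # flags bit 7: this DNSKEY is a zone key
SEP_FLAG = 0x0001        # flags bit 15: Secure Entry Point, conventionally marks the KSK


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-case, fully qualified), RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # the root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key material."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def is_key_signing_key(flags: int) -> bool:
    """Only the KSK's DS goes to the parent; a KSK has both the zone-key and SEP bits set (257)."""
    return flags & (ZONE_KEY_FLAG | SEP_FLAG) == (ZONE_KEY_FLAG | SEP_FLAG)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key: bytes, digest_type: int = 2) -> dict:
    """Compute the DS RR fields for a DNSKEY; refuses keys that are not KSKs."""
    if not is_key_signing_key(flags):
        raise ValueError("DS records are derived from the KSK (flags 257), not from a ZSK")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DIGEST_TYPES[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner.lower().rstrip(".") + ".", "key_tag": key_tag(rdata),
            "algorithm": algorithm, "digest_type": digest_type, "digest": digest}


def ds_presentation(ds: dict) -> str:
    """Zone-file form of the DS record, ready to paste into the parent's interface."""
    return "%s IN DS %d %d %d %s" % (ds["owner"], ds["key_tag"], ds["algorithm"],
                                    ds["digest_type"], ds["digest"])


if __name__ == "__main__":
    # Constructed placeholder key bytes; a real RSA/SHA-256 KSK carries hundreds of bytes here.
    sample_key = bytes(range(1, 33))
    print(ds_presentation(ds_record("Example.GOV.", 257, 3, 8, sample_key)))
```

Because the digest covers the owner name in canonical (lower-case) form, `Example.GOV.` and `example.gov` yield the same DS; a DS computed over a mixed-case or relative name would not match what the parent's validators compute, and the chain of trust would break at the delegation.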

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Service)

Text: The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Who it applies to: Low, Moderate and High level systems (i.e. All levels)

How it applies to DNS: This control basically states that a validating recursive caching server must attempt to perform validation on any DNSSEC-enabled responses it receives and return the appropriate response code (for DNSSEC, setting the Authenticated Data (AD) bit in the response header). This also means that the server administrator for these recursive caching servers must maintain a trust anchor list for each server. There is no direct guidance on which public keys must be treated as trust anchors, and it may be up to each organization's security policy as to which trust anchors should be maintained.
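The header-level artifacts involved in this control, as an added example that is not part of the NIST publications or of any DNS implementation: a client asks for DNSSEC material by sending an EDNS0 OPT record with the DNSSEC OK (DO) bit set (RFC 6891 section 6.1.4), and a validating recursive server reports a successfully validated answer by setting the AD bit in the response header (RFC 4035 section 3.2.3), or answers SERVFAIL when validation fails (RFC 4035 section 5.5). The query name, transaction id and the response headers below are constructed, not captured from a real server.

```python
# Added example (not from NIST SP 800-53 or SP 800-81): build a DNSSEC-enabled
# query (OPT RR with the DO bit) and classify a recursive server's response by
# its RCODE and AD bit. Sample messages are constructed, not captured.
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 2535 section 6.1)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000          # DNSSEC OK bit inside the OPT RR's 32-bit TTL field
OPT_TYPE = 41
UDP_PAYLOAD = 4096   # advertised EDNS0 buffer size; signed responses exceed 512 bytes
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in the root label."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_dnssec_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard query with RD set plus an OPT RR announcing DO, as a stub or validator sends it."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE 41, CLASS = payload size, TTL = ext. RCODE/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, DO, 0)
    return header + question + opt


def query_requests_dnssec(msg: bytes) -> bool:
    """True if the message ends with an OPT RR whose DO bit is set (simplified: OPT is last, RDLEN 0)."""
    if len(msg) < 11 or msg[-11] != 0:
        return False
    rrtype, _payload, ttl, rdlen = struct.unpack("!HHIH", msg[-10:])
    return rrtype == OPT_TYPE and rdlen == 0 and bool(ttl & DO)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields a client cares about."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "ad": bool(flags & AD), "cd": bool(flags & CD), "rcode": flags & 0x000F,
            "ancount": ancount}


def make_response_header(txid: int, flags: int, ancount: int) -> bytes:
    """Constructed response header (QDCOUNT=1) used for offline testing."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def validation_status(response: bytes) -> str:
    """What a validating recursive server told us: 'validated', 'unvalidated', 'SERVFAIL' or RCODEn."""
    h = parse_header(response)
    if h["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL"   # validators answer SERVFAIL when the data fails validation
    if h["rcode"] != 0:
        return "RCODE%d" % h["rcode"]
    return "validated" if h["ad"] else "unvalidated"


if __name__ == "__main__":
    query = build_dnssec_query("www.example.gov", 1)   # QTYPE 1 = A; constructed name
    print(query.hex(), query_requests_dnssec(query))
    for flags in (QR | RD | RA | AD, QR | RD | RA, QR | RD | RA | RCODE_SERVFAIL):
        print(validation_status(make_response_header(0x1234, flags, 1)))
```

The AD bit is only meaningful over a path the client trusts (the local validator or VPN case in the next paragraph): a stub resolver on an untrusted network cannot distinguish a validator's AD from one set by a forged response, which is why the control pushes validation to the recursive server or the host itself rather than relying on the bit alone.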

Mobile hosts (that are not part of the agency controlled LAN) must have a local validator on the system, or have a secure connection (e.g. VPN) back to a trusted DNSSEC validator.

SC-22 Architecture and Provisioning for Name/Address Resolution Service

Text: The information systems that collectively provide name/address resolution service for an organization are fault tolerant and implement role separation.

Who it applies to: Low, Moderate and High level systems (i.e. All levels)

How it applies to DNS: This control was designed to cover the current set of best common practices with regard to DNS server operation. This includes such things as maintaining secondaries for each zone, strict separation of the authoritative and recursive caching roles (different servers for each role), restricting recursion to internal hosts via Access Control Lists (or similar methods), etc. NIST SP800-81 contains sections on best common practices for DNS server operation. There is an effort underway to provide SCAP content to automate this configuration and checklist auditing procedure.

