SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
>Control Description
Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
>DoD Impact Level Requirements
Additional Requirements and Guidance
SC-20 Requirement: The control description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.
SC-20 Requirement: Authoritative DNS servers must be geolocated in accordance with SA-9 (5).
SC-20 Guidance: SC-20 applies to the use of external authoritative DNS to access a CSO from outside the boundary.
SC-20 Guidance: External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.
SC-20 Guidance: CSPs are recommended to self-check their DNSSEC configuration through one of the many available analyzers, such as Sandia National Labs (https://dnsviz.net).
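A self-check in the spirit of the guidance above, as an added example that is not part of this page or of any FedRAMP or AWS tooling: it evaluates the JSON that the Route 53 `list-hosted-zones` and `get-dnssec` CLI commands return and flags public zones that do not serve signatures, have no active key-signing key, or have no DS record available to publish in the parent zone. The JSON below is constructed sample data shaped like the documented response fields (`ServeSignature`, `KeySigningKeys[].Status`, `DSRecord`); zone IDs and the digest are placeholders.

```python
import json

# Constructed sample in the shape of
#   aws route53 list-hosted-zones --query 'HostedZones[*].{Id:Id,Name:Name,Private:Config.PrivateZone}'
# (not captured from a real account; zone ids are placeholders).
LIST_ZONES_JSON = '''[
  {"Id": "/hostedzone/ZPUBLICEXAMPLE1", "Name": "example.com.", "Private": false},
  {"Id": "/hostedzone/ZPUBLICEXAMPLE2", "Name": "unsigned.example.", "Private": false},
  {"Id": "/hostedzone/ZPRIVATEEXAMPLE", "Name": "corp.internal.", "Private": true}
]'''

# Constructed samples of `aws route53 get-dnssec --hosted-zone-id <id>`, keyed by zone id.
GET_DNSSEC_JSON = {
    "ZPUBLICEXAMPLE1": '''{"Status": {"ServeSignature": "SIGNING"},
      "KeySigningKeys": [{"Name": "ksk1", "Status": "ACTIVE",
        "SigningAlgorithmMnemonic": "ECDSAP256SHA256",
        "DSRecord": "12345 13 2 PLACEHOLDER-DIGEST"}]}''',
    "ZPUBLICEXAMPLE2": '''{"Status": {"ServeSignature": "NOT_SIGNING"}, "KeySigningKeys": []}''',
}

def audit_dnssec(list_zones_json, get_dnssec_json):
    """Return {zone name: [findings]} for public zones. An empty list means the zone
    serves signatures, has an ACTIVE KSK, and exposes a DS record for the parent zone."""
    findings = {}
    for zone in json.loads(list_zones_json):
        if zone["Private"]:
            continue  # Route 53 DNSSEC signing applies to public hosted zones only
        zone_id = zone["Id"].rsplit("/", 1)[-1]
        issues = []
        raw = get_dnssec_json.get(zone_id)
        if raw is None:
            issues.append("no get-dnssec output collected")
        else:
            state = json.loads(raw)
            serve = state.get("Status", {}).get("ServeSignature")
            if serve != "SIGNING":
                issues.append(f"ServeSignature is {serve}, not SIGNING")
            active = [k for k in state.get("KeySigningKeys", []) if k.get("Status") == "ACTIVE"]
            if not active:
                issues.append("no ACTIVE key-signing key")
            elif not any(k.get("DSRecord") for k in active):
                issues.append("active KSK has no DS record to publish in the parent zone")
        findings[zone["Name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_dnssec(LIST_ZONES_JSON, GET_DNSSEC_JSON).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

A DS record reported here still has to be confirmed as present in the parent zone (for example with an external analyzer such as the one the guidance names) before the chain of trust can be considered established.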
>Discussion
Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys.
Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.
>Programmatic Queries
Related Services
CLI Commands
aws route53 get-dnssec --hosted-zone-id ZONE_ID
aws route53 list-hosted-zones --query 'HostedZones[*].{Id:Id,Name:Name,Private:Config.PrivateZone}'
aws route53 list-hosted-zone-dns-sec --hosted-zone-id ZONE_ID
aws route53 get-dnssec --hosted-zone-id ZONE_ID --query 'Status.{Status:ServeSignature}'
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern the implementation of secure name/address resolution service (authoritative source)?
- How are system and communications protection requirements defined and maintained?
- Who is responsible for configuring and maintaining the security controls specified in SC-20?
- What is your cryptographic key management policy?
Technical Implementation:
- How is secure name/address resolution service (authoritative source) technically implemented in your environment?
- What systems, tools, or configurations enforce this protection requirement?
- How do you ensure that secure name/address resolution service (authoritative source) remains effective as the system evolves?
- What network boundary protections are in place (firewalls, gateways, etc.)?
- What encryption mechanisms and algorithms are used to protect data?
Evidence & Documentation:
- What documentation demonstrates the implementation of SC-20?
- Can you provide configuration evidence or system diagrams showing this protection control?
- What logs or monitoring data verify that this control is functioning correctly?
- Can you provide network architecture diagrams and firewall rulesets?
- Can you demonstrate that FIPS 140-2 validated cryptography is used?