catalog: SP800-53rev3 / class: Technical / family: (SC) System and Communications Protection

  SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)  

base control objective:
The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.

supplemental objective information:
A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

enhancements to the base objective:

(1) The information system performs data origin authentication and data integrity verification on all resolution responses whether or not local clients explicitly request this service.
Enhancement Supplemental Guidance: Local clients include, for example, DNS stub resolvers.

mapping to FIPS199 baseline:

  LOW: null     MOD: null     HIGH: base  

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for SC-21:

Document | Date | Status | Title
NIST SP800-81 | August, 2010 | current | Secure Domain Name System (DNS) Deployment Guide
