
The DNS implementation must implement non-discretionary access control policies over resources to protect the name server executables/daemons and service configuration files.


Overview

Finding ID: V-34273
Version: SRG-NET-000017-DNS-000016
Rule ID: SV-44752r1_rule
IA Controls: (not listed)
Severity: Medium
Description
Non-discretionary access control policies that may be implemented by organizations include Attribute-Based Access Control, Mandatory Access Control, and Originator Controlled Access Control. Non-discretionary access control policies may be employed by organizations in addition to discretionary access control policies. The primary objective of DNS authentication and access control is the integrity of DNS records: only authorized personnel must be able to create and modify resource records, and name servers should only accept updates from authoritative master servers for the relevant zones. Integrity is best assured through the authentication and access control features within the name server software, though firewalls also play a significant role in controlling DNS transactions on a network. In DNS there are numerous access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) that are employed to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). Access controls provide protection to the data and resources of the DNS. Access control mechanisms must be in place to protect the name server configuration files, and permissions on the name server configuration files must be limited to the named daemon/executables and the administrator, to prevent an adversary from obtaining or changing DNS data. DNS must enforce these non-discretionary access control policies over the name service daemon/executables and associated configuration files to ensure data protection and the integrity of the DNS infrastructure.
Non-discretionary access controls are employed at the name server configuration file and executable level to restrict and control access to the DNS infrastructure, thereby providing increased information security for the organization.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42257r1_chk)
Review the DNS system configuration to determine if non-discretionary access controls are in place to enforce restrictions on the name server daemon or executables and configuration files associated with the DNS implementation. If non-discretionary access controls are not in place to protect the files, daemons or executables of the DNS server, this is a finding.
Fix Text (F-38204r1_fix)
Configure the DNS system to restrict, via non-discretionary access controls, access to the configuration files, executables and daemons associated with the DNS implementation.
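The SRG names no product, so the check and fix above are deliberately generic. The script below is an added example, not text or code from the SRG, showing one way a reviewer could perform the check on a Linux host running BIND under the SELinux targeted policy (an assumption). The SELinux labels it expects (the named_t process domain, named_exec_t for the binary, named_conf_t for configuration, named_zone_t for zone data) are the mandatory, non-discretionary layer the rule asks for; file ownership and mode are the discretionary layer that must also be tight. The functions consume `ps -eZ` and `stat -c '%A %U %G %C %n'` output as text, so the constructed sample output at the bottom lets the logic run without a name server present; the paths and sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example for SRG-NET-000017-DNS-000016; not from the SRG itself.
# Assumption: BIND on Linux with the SELinux targeted policy (named_t,
# named_exec_t, named_conf_t, named_zone_t). Live use, not run here:
#   ps -eZ | grep ' named$' | while read -r l; do
#       daemon_confined "$l" || echo "named not confined: $l"; done
#   stat -c '%A %U %G %C %n' /usr/sbin/named /etc/named.conf /etc/named/* \
#       /var/named/* | count_findings
# Paths containing spaces are not handled by the whitespace-split parser.

# expected_type PATH: the SELinux type a file at PATH should carry (assumed mapping).
expected_type() {
    case "$1" in
        */sbin/named)                 echo named_exec_t ;;
        /etc/named.conf|/etc/named/*) echo named_conf_t ;;
        /var/named/*)                 echo named_zone_t ;;
        *)                            echo unknown ;;
    esac
}

# daemon_confined LINE: 0 when a `ps -eZ` line for named shows the named_t domain.
daemon_confined() {
    case "$1" in
        *:named_t:*named) return 0 ;;
        *) return 1 ;;
    esac
}

# file_findings MODE OWNER GROUP CONTEXT PATH (the fields printed by
# `stat -c '%A %U %G %C %n'`): prints one line per problem, returns 1 if any.
file_findings() {
    fmode=$1 fowner=$2 fctx=$4 fpath=$5
    bad=0
    want=$(expected_type "$fpath")
    have=${fctx#*:*:}; have=${have%%:*}        # type field of user:role:type:level
    if [ "$have" != "$want" ]; then
        echo "$fpath: SELinux type is $have, expected $want"; bad=1
    fi
    case $fowner in
        root|named) ;;                         # administrator or the daemon account
        *) echo "$fpath: owned by $fowner, expected root or named"; bad=1 ;;
    esac
    grp=${fmode#????}; grp=${grp%???}          # mode chars 5-7: group bits
    oth=${fmode#???????}                       # mode chars 8-10: other bits
    case $grp in *w*) echo "$fpath: group-writable ($fmode)"; bad=1 ;; esac
    case $oth in *w*) echo "$fpath: world-writable ($fmode)"; bad=1 ;; esac
    # Configuration and zone data: no access at all for "other".
    case $want in
        named_conf_t|named_zone_t)
            [ "$oth" = "---" ] || { echo "$fpath: world-accessible ($fmode)"; bad=1; } ;;
    esac
    return $bad
}

# count_findings: reads stat-format lines on stdin, prints each problem to
# stderr and the number of non-compliant files on stdout.
count_findings() {
    n=0
    while read -r mode owner group ctx path; do
        [ -n "$path" ] || continue
        if ! file_findings "$mode" "$owner" "$group" "$ctx" "$path" >&2; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample output (not captured from a real host).
SAMPLE_PS_OK='system_u:system_r:named_t:s0 1234 ? 00:00:01 named'
SAMPLE_PS_BAD='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 named'
SAMPLE_LISTING='-rwxr-xr-x root root system_u:object_r:named_exec_t:s0 /usr/sbin/named
-rw-r----- root named system_u:object_r:named_conf_t:s0 /etc/named.conf
-rw-rw-rw- root named system_u:object_r:named_conf_t:s0 /etc/named/acls.conf
-rw-r----- root named system_u:object_r:etc_t:s0 /etc/named/keys.conf
-rw-r----- named named system_u:object_r:named_zone_t:s0 /var/named/example.test.zone'

daemon_confined "$SAMPLE_PS_OK" && echo "sample daemon line: confined in named_t"
daemon_confined "$SAMPLE_PS_BAD" || echo "sample daemon line: NOT confined (finding)"
echo "non-compliant files in sample listing: $(printf '%s\n' "$SAMPLE_LISTING" | count_findings)"
```

Two of the five constructed files are findings: acls.conf is world-writable, and keys.conf carries the generic etc_t label, so the mandatory policy does not restrict it even though its DAC mode is tight. That second case is the one a permissions-only review misses and the reason the rule asks for a non-discretionary control rather than file modes alone.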