
The network element must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.


Overview

Finding ID: SRG-NET-000311-FW-NA
Version: SRG-NET-000311-FW-NA
Rule ID: SRG-NET-000311-FW-NA_rule
IA Controls:
Severity: Medium
Description
Per most sources, and NIST in particular, the underlying factor in the major threat associated with DNS, forged responses or failures, is the integrity of the DNS data returned in the response. DNSSEC is designed to mitigate this threat by providing data origin authentication, which establishes trust in the source. This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23. This requirement applies only to a DNS server.
STIG Date
Firewall Security Requirements Guide 2012-12-10

Details

Check Text (C-SRG-NET-000311-FW-NA_chk)
This requirement is NA for firewall. No fix required.
Fix Text (F-SRG-NET-000311-FW-NA_fix)
This requirement is NA for firewall. No fix required.