SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
Page last updated:
This control implies a requirement for secure domain name resolution, such as via the use of, e.g., DNSSEC, though no specific implementation choice is mandated.
The interpretation of this control for PCF is that name resolution must be divided into two parts: external to PCF, and internal to PCF.
For name resolution of any endpoints that are external to PCF, such as the UAA or Cloud Controller, the FQDN should be resolved using a trusted DNS service.
That trust in DNS may be based upon runtime integrity checking using approved cryptographic mechanisms, such as via DNSSEC. Alternatively, trust in the DNS name resolution service used by PCF clients may be based upon a combination of appropriately securing the DNS client endpoint configuration, and appropriately restricting access to the enterprise DNS name server itself.
Regardless of the mechanism chosen, compliance with the requirement for name resolution external to the platform is a deployer responsibility.
Internal to PCF, the platform jobs and services rely upon the BOSH director to manage VM configuration and name resolution is done through BOSH DNS. In earlier PAS releases Consul and/or etcd provided the equivalent service location capabilities.
For more information about BOSH DNS see: https://bosh.io/docs/dns/
Name resolution for applications deployed to PAS containers is configured via Diego.
For more information about how containers perform DNS lookups on a Diego Cell, see BOSH DNS Introduced Container DNS Behavior Changes in PAS 2.0 in the Pivotal Knowledge Base.
The information system:
- Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
- Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.