SC-20 / SC-21 / SC-23 NIST SP 800-81-2 Rev 1

DNSSEC enabled on primary domains

Demonstrate that DNSSEC is properly configured and operationally active on all primary organizational domains with valid digital signatures and an unbroken chain of trust to the root zone.

Description

What this control does

DNSSEC (Domain Name System Security Extensions) is a set of extensions to the DNS protocol that add digital signatures to DNS records, so that validating resolvers can verify the authenticity and integrity of DNS responses. When enabled on primary organizational domains, DNSSEC lets validating resolvers detect and reject forged or tampered responses, such as those produced by cache poisoning or man-in-the-middle attacks. This control requires that authoritative nameservers publish signed DNS records (DNSKEY records and the RRSIG signatures over each record set), that the parent zone carries a matching DS record, and that the chain of trust extends from the root zone through the parent domain to the organization's zone.

Control objective

What auditing this proves

Demonstrate that DNSSEC is properly configured and operationally active on all primary organizational domains with valid digital signatures and an unbroken chain of trust to the root zone.

Associated risks

Risks this control addresses

  • DNS cache poisoning attacks redirecting users to attacker-controlled infrastructure without detection
  • Man-in-the-middle interception of DNS queries allowing credential harvesting or malware distribution through fraudulent domain resolution
  • Domain hijacking through BGP hijacking or DNS resolver compromise that redirects legitimate traffic to malicious endpoints
  • Email security bypass where attackers redirect MX records to intercept or manipulate organizational email communications
  • Loss of customer or partner trust due to successful phishing campaigns leveraging DNS manipulation of organizational domains
  • Inability to detect unauthorized DNS record modifications by insider threats or compromised DNS management accounts

Testing procedure

How an auditor verifies this control

  1. Obtain the complete inventory of primary organizational domains, including apex domains, critical subdomains, and externally facing service domains, from the DNS management system or asset register
  2. Query each primary domain using dig or DNSSEC validation tools to confirm the presence of DNSKEY and RRSIG records in authoritative nameserver responses
  3. Verify the DS (Delegation Signer) records exist in the parent zone for each domain by querying the parent nameserver directly
  4. Validate the complete chain of trust from root zone through TLD to organizational domain using DNSSEC validation tools such as DNSViz or Verisign DNSSEC Analyzer
  5. Test signature validity by confirming RRSIG expiration dates are current and keys have not expired or been revoked
  6. Review DNS zone configuration files or management console settings to confirm DNSSEC signing is enabled with appropriate algorithm selection (RSASHA256 or ECDSAP256SHA256 minimum)
  7. Interview DNS administrators to verify key rollover procedures, monitoring of signature expiration, and incident response processes for DNSSEC validation failures
  8. Perform negative testing by attempting DNS queries through DNSSEC-validating resolvers to confirm invalid signatures are properly rejected
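The following is an added example, not part of this control page or of any NIST material: a small Python check that applies steps 2, 3, 5 and 6 to the records an auditor collects with dig. It runs offline on constructed, presentation-format sample records (zone names, key tags, key and digest fields are placeholders, not real zone data) and returns findings instead of relying on a live query.

```python
from datetime import datetime, timezone

# Algorithms at or above the control's floor: RSASHA256=8, ECDSAP256SHA256=13, plus 14/15/16.
ACCEPTED_ALGS = {8, 13, 14, 15, 16}
def parse_rrs(text):
    """Parse presentation-format records as dig prints them: name TTL IN TYPE rdata..."""
    rrs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not f[0].startswith(";") and f[2] == "IN":
            rrs.append({"name": f[0], "type": f[3], "rdata": f[4:]})
    return rrs

def _ts(s):  # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_zone(zone_text, parent_text, now, min_remaining_days=3):
    """Return audit findings for one domain; an empty list means it passes."""
    findings = []
    zone, parent = parse_rrs(zone_text), parse_rrs(parent_text)
    dnskeys = [r for r in zone if r["type"] == "DNSKEY"]
    rrsigs = [r for r in zone if r["type"] == "RRSIG"]
    ds = [r for r in parent if r["type"] == "DS"]
    for what, rrset in (("DNSKEY records", dnskeys), ("RRSIG records", rrsigs), ("DS record in parent zone", ds)):
        if not rrset:
            findings.append(f"missing {what}")
    for k in dnskeys:  # DNSKEY rdata: flags protocol algorithm key
        if int(k["rdata"][2]) not in ACCEPTED_ALGS:
            findings.append(f"DNSKEY algorithm {k['rdata'][2]} is below the RSASHA256/ECDSAP256SHA256 floor")
    # DS must carry the key tag of the KSK signing the DNSKEY RRset; a full validator derives the tag
    # from the key bytes (RFC 4034 App. B), here it is read from the RRSIG over DNSKEY (assumption).
    ksk_tags = {s["rdata"][6] for s in rrsigs if s["rdata"][0] == "DNSKEY"}
    for d in ds:  # DS rdata: keytag algorithm digesttype digest
        if d["rdata"][0] not in ksk_tags:
            findings.append(f"DS key tag {d['rdata'][0]} does not match the key signing DNSKEY")
    for s in rrsigs:  # RRSIG rdata: covered alg labels origTTL expiration inception keytag signer sig
        covered, exp, inc = s["rdata"][0], _ts(s["rdata"][4]), _ts(s["rdata"][5])
        if now >= exp or now < inc:
            findings.append(f"RRSIG over {covered} outside its validity window ({inc:%Y-%m-%d} to {exp:%Y-%m-%d})")
        elif (exp - now).days < min_remaining_days:
            findings.append(f"RRSIG over {covered} expires {exp:%Y-%m-%d}; confirm re-signing is scheduled")
    return findings
# Constructed sample answers (not real zones); key, signature and digest fields are placeholders.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ZONE_OK = """example.test. 3600 IN DNSKEY 257 3 13 KSKPLACEHOLDER==
example.test. 3600 IN DNSKEY 256 3 13 ZSKPLACEHOLDER==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20250115000000 20241216000000 20001 example.test. SIG=="""
PARENT_OK = "example.test. 86400 IN DS 20001 13 2 DIGESTPLACEHOLDER"
ZONE_BAD = """example.test. 3600 IN DNSKEY 257 3 5 KSKPLACEHOLDER==
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20241220000000 20241120000000 20002 example.test. SIG=="""
PARENT_BAD = "example.test. 86400 IN DS 20001 5 1 DIGESTPLACEHOLDER"
```

Feeding `check_zone` the answer sections of `dig +dnssec DNSKEY` against the domain's authoritative server and `dig DS` against the parent's nameserver reproduces steps 2, 3, 5 and 6 for each sampled domain; the signature itself is still verified by a validating resolver or DNSViz, as in step 4.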
Evidence required

Configuration exports from authoritative DNS servers showing DNSSEC signing enabled with algorithm specifications and key rotation schedules. Output from DNSSEC validation tools (DNSViz reports, dig +dnssec query results) demonstrating valid RRSIG, DNSKEY, and DS records with an unbroken chain of trust for all sampled domains. Screenshots or logs from DNS management platforms showing active DNSSEC status and signature expiration monitoring.

Pass criteria

All primary organizational domains return valid DNSSEC signatures with a complete chain of trust to the root zone, no expired keys or signatures exist, and DS records are properly published in parent zones.
