VMware Tanzu Application Service Compliance

This control implies a requirement for secure domain name resolution, such as via the use of, e.g., DNSSEC, though no specific implementation choice is mandated.

The interpretation of this control for Tanzu Application Service (TAS for VMs) is that name resolution must be divided into two parts: external to TAS for VMs, and internal to TAS for VMs.

For name resolution of any endpoints that are external to TAS for VMs, such as the UAA or Cloud Controller, the FQDN should be resolved using a trusted DNS service.

That trust in DNS may be based upon runtime integrity checking using approved cryptographic mechanisms, such as via DNSSEC. Alternatively, trust in the DNS name resolution service used by TAS for VMs clients may be based upon a combination of appropriately securing the DNS client endpoint configuration, and appropriately restricting access to the enterprise DNS name server itself.

Regardless of the mechanism chosen, compliance with the requirement for name resolution external to the platform is a deployer responsibility.

Internal to TAS for VMs, the platform jobs and services rely upon the BOSH director to manage VM configuration and name resolution is done through BOSH DNS. In earlier Tanzu Application Service (TAS for VMs) releases Consul and/or etcd provided the equivalent service location capabilities.

For more information about BOSH DNS see: https://bosh.io/docs/dns/

Name resolution for applications deployed to TAS for VMs containers is configured via Diego.

Control Description

The information system:

1. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
2. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

Supplemental Guidance

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.