There are two types of best practices for operators of authoritative servers for critical zones: DNS security, and DNS availability and resilience. In addition to these two categories specific to the core DNS, all operators must pay careful attention to practices related to hardening their core system security.
Authoritative zones MUST be DNSSEC signed and best practices for key management MUST be followed.
Access to zone transfer between authoritative servers MUST be limited. Configure ACLs and TSIG in the DNS Authoritative software package to restrict zone transfers to secondary servers only.
Zone file integrity MUST be controlled to avoid unexpected modifications (malicious or accidental).
Authoritative and recursive DNS service MUST NOT coexist on the same DNS server. In the context of authoritative servers, this means you MUST disable recursive DNS resolution on servers configured to serve authoritative DNS data (if the software allows running both authoritative and recursive at the same time).
At least two distinct nameservers MUST be used for any given zone. Note that this is usually a requirement when registering domain names in most TLDs (gTLD, ccTLD, …).
There MUST be diversity in the authoritative operations to promote resilience. This MUST cover one or more of the practices below:
- Software Diversity: For a given zone, make sure all published nameservers aren’t running the same authoritative DNS software package and version.
- Network Diversity: For a given zone, make sure all authoritative servers are not placed within the same Autonomous System (AS) or within the same subnet.
- Geographical Diversity: For a given zone, make sure all the authoritative servers are in different physical locations (not the same rack and room or city, region, or country).
Monitoring of the services, servers, and network equipment that make up your DNS infrastructure MUST be implemented.