Best Practice Resources
ICANN
ICANN has a large list of DNS resources online, including a section on DNSSEC.
OCTO-029: DNSSEC Deployment Guidebook for ccTLDs
SAC-109: The Implications of DNS over HTTPS and DNS over TLS
SAC-105: The DNS and the Internet of Things: Opportunities, Risks, and Challenges
SAC-074: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle
SAC-065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure
SAC-049: SSAC Report on DNS Zone Risk Assessment and Management
SAC-015: Why Top Level Domains Should Not Use Wildcard Resource Records
SAC-005: DNS Infrastructure Recommendation
IETF
- RFC 5358 Preventing Use of Recursive Nameservers in Reflector Attacks
- RFC 5625 DNS Proxy Implementation Guidelines
- RFC 6303 Locally Served DNS Zones
- RFC 6895 Domain Name System (DNS) IANA Considerations
- RFC 7720 DNS Root Name Service Protocol and Deployment Requirements
- RFC 8027 DNSSEC Roadblock Avoidance
- RFC 8499 DNS Terminology
- RFC 8932 Recommendations for DNS Privacy Service Operators
- RFC 9210 DNS Transport over TCP – Operational Requirements
DNS Privacy
IETF RFC 7858, Specification for DNS over Transport Layer Security (TLS) (ietf.org)
IETF RFC 8484, DNS Queries over HTTPS (DoH) (ietf.org)
How to: Deploy DoT and DoH with dnsdist (apnic.net)
Frequently Asked Questions | Public DNS from Google
Cloud DNS best practices for Google
Other Best Practices References
US Federal Government
NIST SP 800-81-2, Secure Domain Name System (DNS) Deployment Guide