There are two types of best practices for operators of authoritative servers for Second Level Domains (SLDs) that do not operate critical zones: DNS security, and DNS availability and resilience. In addition to these two categories specific to the core DNS, all operators must pay careful attention to practices related to hardening their core system security.
Authoritative zones MUST be DNSSEC signed and best practices for key management MUST be followed.
Access to zone transfer between authoritative servers MUST be limited. Configure ACLs and TSIG in the DNS Authoritative software package to restrict zone transfers to secondary servers.
Zone file integrity MUST be controlled to avoid unexpected modifications (malicious or accidental).
Authoritative and recursive DNS service MUST NOT coexist on the same DNS server. In the context of authoritative servers, this means you MUST disable recursive DNS resolution on servers configured to serve authoritative DNS data (if the software allows running both authoritative and recursive at the same time).
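As an added example that is not part of this document, the following BIND 9 named.conf fragment applies the zone-transfer restriction (ACL plus TSIG) and the no-recursion requirement above on a primary for a zone; the zone name example.com, the addresses from the documentation ranges, the key name and the secret are placeholders.

```conf
// Constructed example: BIND 9 (9.16 or later) named.conf fragment for the
// primary server (192.0.2.1) of example.com. All names, addresses and the
// key secret are placeholders.

// TSIG key shared with the secondary. Generate a real secret with
// `tsig-keygen xfer-key` and keep this file readable by named only.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_FROM_tsig-keygen";
};

// Addresses of the secondary servers allowed to pull the zone.
acl "secondaries" {
    192.0.2.53;        // placeholder secondary (TEST-NET-1)
};

options {
    directory "/var/named";
    recursion no;                // authoritative only: never resolve for clients
    allow-recursion { none; };   // explicit, in case a later edit flips recursion
    allow-query { any; };        // authoritative data is meant to be public
    allow-transfer { none; };    // global default: no zone transfers at all
    notify explicit;             // only NOTIFY the hosts listed in also-notify
    also-notify { 192.0.2.53 key "xfer-key"; };
};

zone "example.com" {
    type primary;
    file "example.com.zone";
    // Require BOTH a valid TSIG signature AND a source address in the ACL:
    // the inner list rejects anything not in "secondaries", then the key
    // must also match. Either condition alone is not enough.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    // Automatic signing and key rollover per the built-in default policy.
    dnssec-policy "default";
    inline-signing yes;
};

// Matching fragment for the secondary (192.0.2.53), shown for completeness:
//   server 192.0.2.1 { keys { "xfer-key"; }; };
//   zone "example.com" {
//       type secondary;
//       primaries { 192.0.2.1 key "xfer-key"; };
//       file "example.com.zone";
//   };
```

To confirm the restriction from a host that is not a listed secondary, `dig @192.0.2.1 example.com AXFR` should return a transfer failure rather than the zone, while `dig @192.0.2.1 example.com SOA +norecurse` still answers with the AA flag set.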
At least two distinct nameservers MUST be used for any given zone with diversity in operational and geographical practices in mind.
- All the authoritative servers for a given zone MUST NOT be placed on the same subnet.
- All the authoritative servers for a given zone MUST be in different physical locations (not the same rack, room, city or country).
Monitoring of the services, servers, and network equipment that make up your DNS infrastructure MUST be implemented.