...

  1. MUST: Authoritative zones must be DNSSEC-signed, and best practices for key management must be followed. ccTLD operators: see the ICANN DNSSEC guidebook for ccTLDs:
    https://www.icann.org/en/system/files/files/octo-029-12nov21-en.pdf
  2. MUST: Limit access to zone transfers between authoritative servers. Configure ACLs and TSIG in the authoritative DNS server software to restrict zone transfers to secondary servers.
  3. MUST: Zone file integrity.
    Some method of verifying the zone file’s integrity against unexpected modifications (malicious or accidental) must be implemented. For static zones, this could, for example, be done using the ZONEMD (RFC 8976) message digest and resource record, or existing revision control / versioning procedures, if those are implemented (see Host and Service security). If the zone is dynamic, and producing a message digest for the entire zone is impractical due to size or rate of change, revision control and versioning must enable auditing to narrow down when a given error or malicious change was introduced.
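One way to carry out the revision audit described in item 3, as an added example that is not part of the original document: it walks stored zone revisions oldest-first and reports the revision in which each record change was introduced. The revision ids, zone contents, function names and the one-record-per-line zone format are constructed assumptions, and the fingerprint is a plain SHA-384 over normalised records, not the RFC 8976 ZONEMD algorithm.

```python
import hashlib

def normalise(zone_text):
    """Return the zone as a set of canonical record strings.
    Assumes one record per line: owner TTL class type rdata (no ';' inside rdata)."""
    records = set()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()            # drop trailing comments
        if not line:
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        if rtype.upper() == "SOA":
            rdata[2] = "SERIAL"                          # serial bumps alone are not a change
        records.add(" ".join([owner.lower(), ttl, rclass.upper(), rtype.upper(), *rdata]))
    return records

def digest(records):
    """Audit fingerprint: SHA-384 over the sorted canonical records."""
    return hashlib.sha384("\n".join(sorted(records)).encode()).hexdigest()

def audit(revisions):
    """Return (revision, added, removed) for every revision whose content changed."""
    findings, previous = [], None
    for rev_id, text in revisions:
        current = normalise(text)
        if previous is not None and digest(current) != digest(previous):
            findings.append((rev_id, sorted(current - previous), sorted(previous - current)))
        previous = current
    return findings

# Constructed sample history (documentation names and addresses only).
BASE = """example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. {serial} 7200 900 1209600 300
example.org. 3600 IN NS ns1.example.org.
WWW.example.org. 300 IN A {addr} ; web front end
"""
REVISIONS = [
    ("r1", BASE.format(serial=2024010101, addr="192.0.2.10")),
    ("r2", BASE.format(serial=2024010102, addr="192.0.2.10")),     # serial bump only
    ("r3", BASE.format(serial=2024010103, addr="198.51.100.66")),  # record changed
]

if __name__ == "__main__":
    for rev, added, removed in audit(REVISIONS):
        print(f"{rev}: added={added} removed={removed}")
```

Each finding names the first revision that differs from its predecessor, so it can be matched against the change record for that revision to decide whether the modification was authorised.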

7. Customer-facing portals and services

...