DNS Registrar — Security Checklist

Domain registration security, DNS configuration, access control, and monitoring.
Org:
Owner:
Date:

1. Governance & Domain Management

  • Domain Management Policies and Procedures
    Do you maintain documented policies and procedures governing domain management operations?
  • Accountability for Domain Security
    Is there a clearly designated person or team accountable for domain security (policy maintenance, security reviews, renewal management)?
  • Domain Inventory and Attributes
    Do you maintain a comprehensive inventory of all domains including ownership, purpose, criticality classification, expiration dates, and relationships to business services/applications?
  • Current Configuration Baselines for Critical Domains
    Do you document and maintain current configuration baselines for all critical domains (DNS records, security settings, registrar configurations)?
Notes:

2. Risk Assessment & Classification

  • Formal Domain Classification System
    Do you maintain a formal classification system for domains based on criticality, financial exposure, and operational impact?
  • Mapping Domain Classifications to Controls
    Do you map domain classifications to required security controls (monitoring frequency, approval requirements, backup procedures)?
  • Registrar and DNS Provider Security Criteria
    Do you maintain security evaluation criteria for selecting domain registrars and DNS hosting providers?
Notes:

3. Access Control & Authentication

  • Procedures for Registrar Access
    Do you maintain documented procedures for managing access to domain registrar accounts?
  • Multi-Factor Authentication for Registrar Accounts
    Do you enforce multi-factor authentication requirements for all registrar and DNS management accounts?
  • Dedicated Domain Security Contact Email
    Do you maintain a separate, dedicated security contact email for domain management that is independent from your primary domain?
  • Periodic Access Reviews for Domain Privileges
    Do you conduct periodic access reviews for all personnel with domain management privileges?
  • Approval Workflows for Critical Domain Operations
    Do you maintain documented approval workflows for critical domain operations (transfers, deletions, nameserver changes)?
Notes:

4. Technical Security Controls

  • DNS Security Configuration Standards
    Do you maintain documented standards for DNS security configurations (DNSSEC, CAA records, TTL policies)?
  • Email Authentication Protocol Standards
    Do you maintain documented standards for email authentication (SPF, DKIM, DMARC, MTA-STS)?
  • DMARC Monitoring and Response Procedures
    Do you have procedures for monitoring and responding to DMARC reports and policy violations?
  • Documented Domain Lock Procedures
    Do you maintain documented procedures for implementing domain locks (transfer locks, registry locks, EPP status codes)?
  • Out-of-Band Domain Change Verification
    Do you have procedures for out-of-band verification of domain changes through registrar support channels?
  • TLS Certificate Lifecycle Management Procedures
    Do you maintain documented procedures for TLS certificate lifecycle management, including issuance, renewal, revocation, and monitoring for expiration across all domains and services?
Notes:

5. Operational Procedures

  • Domain Registration Lifecycle Procedures
    Do you maintain documented procedures for domain registration, renewal, decommissioning, and expiration prevention (auto-renewal, multiple reminders, backup payment methods)?
  • Secure Domain Transfer Procedures
    Do you maintain documented procedures for secure domain transfers between registrars?
  • DNS Change Management Procedures
    Do you maintain formal change management procedures for DNS record modifications?
Notes:

6. Monitoring & Detection

  • Continuous Monitoring for DNS Changes
    Do you maintain continuous monitoring for unauthorized DNS record changes across all critical domains?
  • DNS Compromise Indicators Monitoring
    Do you monitor for specific indicators of DNS compromise (TTL changes, nameserver modifications, record anomalies)?
  • Monitor Certificate Transparency Logs
    Do you maintain procedures for monitoring Certificate Transparency logs for unauthorized certificate issuance?
  • Unauthorized Domain Registration Monitoring
    Do you monitor domain registration status and registrar lock settings for unauthorized changes?
  • Detecting Domain Expiration Risks
    Do you maintain procedures for detecting and responding to domain expiration risks?
Notes:

7. Incident Response

  • Domain Hijacking Incident Response
    Do you maintain incident response procedures specific to domain hijacking and DNS compromise scenarios?
  • Registrar and DNS Emergency Contacts
    Do you maintain emergency contact information for registrars and DNS hosting providers?
  • Emergency Registry Lock Activation
    Do you maintain procedures for emergency registry lock activation to prevent unauthorized domain changes?
  • Regaining Control of Compromised Domains
    Do you have documented procedures for regaining control of compromised domains?
  • DNS Record Integrity Validation Procedures
    Do you maintain procedures for validating DNS record integrity after incident recovery?
Notes: