SFC - DNS Registrar

The SEAL Framework Checklist (SFC) for DNS Registrar provides best practices for securely managing domain names and DNS configurations.

For more details on certifications or self-assessments, refer to the Certification Guidelines.

Section 1: Governance & Domain Management

Accountability for Domain Security
Is there a clearly designated person accountable for domain security? At minimum, accountability scope includes policy maintenance, security reviews, renewal management, access control oversight, and incident escalation.
Domain Inventory and Attributes
Do you maintain a comprehensive inventory of all domains, including ownership, purpose, criticality classification (e.g., based on whether external-facing and whether users may transact funds), and expiration dates?
Current Configuration Baselines for Domains
Do you document and maintain current configuration baselines for all domains? At minimum, baselines must include DNS record configurations, security settings (DNSSEC, CAA), and registrar account configurations.

Section 2: Risk Assessment & Classification

Formal Domain Classification System
Do you maintain a formal classification system for domains based on criticality, financial exposure, and operational impact?
Domain Configuration Compliance Verification
Do you verify that your domains comply with their documented configuration baselines and classification requirements? Do you conduct periodic reviews at least annually to ensure domain configurations match documented standards?
Enterprise Registrar Security Requirements
Do you use a domain registrar that supports enterprise security features? At minimum, the registrar must support registry locks and hardware security key MFA, and should not have a history of social engineering vulnerabilities.

Section 3: Access Control & Authentication

Registrar Access Management
Do you manage access to domain registrar accounts, with documented procedures? At minimum, procedures must cover who is authorized to access, how access is granted and revoked, and role-based permissions where available.
Multi-factor Authentication for Registrar Accounts
Do you enforce multi-factor authentication requirements for all registrar and DNS management accounts?
Dedicated Domain Security Contact Email
Do you use a dedicated security contact email for domain management that is hosted on a different domain than your primary domain? At minimum, the email must not be a personal email address, must be used exclusively for domain security purposes, and must be an alias that notifies multiple people.
Periodic Access Reviews for Domain Privileges
Do you conduct periodic access reviews for all personnel with domain management privileges? At minimum, access reviews must occur annually.
Change Management for Domain Operations
Do you have change management procedures for critical domain operations (transfers, deletions, nameserver changes) and DNS record modifications? At minimum, the relevant team members must be notified before critical changes, and all changes must be logged.

Section 4: Technical Security Controls

DNS Security Configuration Standards
Do you configure DNS security settings (DNSSEC, CAA records, TTL policies), with documented standards?
Email Authentication Protocol Standards
Do you configure email authentication (SPF, DKIM, DMARC, MTA-STS), with documented standards?
DMARC Monitoring and Response Procedures
Do you have procedures for monitoring and responding to DMARC reports and policy violations?
Domain Lock Implementation
Do you implement domain locks (transfer locks, registry locks, EPP status codes), with documented procedures?
Out of Band Domain Change Verification
Do you have procedures for out-of-band verification of domain changes through registrar support channels?
TLS Certificate Lifecycle Management Procedures
Do you have procedures for TLS certificate lifecycle management, including issuance, renewal, revocation, and using CAA records to restrict certificate issuance?

Section 5: Monitoring & Detection

Continuous Monitoring for DNS Changes
Do you monitor for unauthorized DNS record changes across all domains (whether through your registrar, third-party services, or your own tools)? At minimum, monitoring must cover nameserver changes, A/AAAA record changes, MX record changes, CAA record removal, and DNSSEC status changes.
DNS Compromise Indicators Monitoring
Do you monitor for specific indicators of DNS compromise (TTL changes, nameserver modifications, record anomalies), whether through your registrar, third-party services, or your own tools?
Automated Certificate Transparency Monitoring
Do you have automated monitoring for Certificate Transparency logs to detect unauthorized certificate issuance? At minimum, subscribe to a CT monitoring service that sends alerts when certificates are issued for your domains.
Domain Registration Status Monitoring
Do you monitor your own domain registration status and lock settings for unauthorized changes (whether through your registrar, third-party services, or your own tools)? At minimum, regularly verify that registry locks remain active and registrar account settings are unchanged.
Domain Expiration Risk Prevention
Do you monitor for and prevent domain expiration risks? At minimum, enable auto-renewal, set calendar reminders at 90/60/30/7 days before expiration, and ensure payment methods stay current.
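
Added example, not part of the SEAL checklist: one way to cover the minimum scope named under "Continuous Monitoring for DNS Changes" (nameserver, A/AAAA and MX changes, CAA removal, DNSSEC status) by diffing an observed snapshot against the documented baseline. The snapshot format, the function name, the severity labels and every record value are constructed assumptions; a real monitor would fill the observed snapshot from DNS queries or the registrar's API.

```python
"""Baseline-drift check for the minimum DNS monitoring scope (added example)."""

# Record types the checklist names as minimum monitoring coverage.
WATCHED = ("NS", "A", "AAAA", "MX", "CAA")

def diff_against_baseline(baseline, observed):
    """Return sorted (severity, domain, finding) tuples for every deviation.

    Severity labels are an assumption of this example, not checklist terms.
    """
    findings = []
    for domain, base in baseline.items():
        seen = observed.get(domain)
        if seen is None:  # a silent gap in monitoring is itself a finding
            findings.append(("critical", domain, "no data: domain missing from snapshot"))
            continue
        for rtype in WATCHED:
            want = set(base.get(rtype, []))
            have = set(seen.get(rtype, []))
            if want == have:
                continue
            if rtype == "CAA" and want and not have:
                findings.append(("critical", domain, "CAA records removed"))
            else:
                sev = "critical" if rtype == "NS" else "high"
                findings.append((sev, domain,
                    f"{rtype} changed: +{sorted(have - want)} -{sorted(want - have)}"))
        if base.get("dnssec", False) != seen.get("dnssec", False):
            state = "enabled" if seen.get("dnssec") else "disabled"
            findings.append(("critical", domain, f"DNSSEC now {state}"))
    return sorted(findings)

# Constructed sample data (documentation-range addresses, example domains).
BASELINE = {
    "example.org": {
        "NS": ["ns1.example.net.", "ns2.example.net."],
        "A": ["192.0.2.10"], "AAAA": ["2001:db8::10"],
        "MX": ["10 mail.example.org."],
        "CAA": ['0 issue "ca.example"'],
        "dnssec": True,
    },
}
# Constructed drift: A record repointed, CAA set emptied, DNSSEC turned off.
OBSERVED = {"example.org": {**BASELINE["example.org"],
                            "A": ["198.51.100.7"], "CAA": [], "dnssec": False}}

if __name__ == "__main__":
    for severity, domain, finding in diff_against_baseline(BASELINE, OBSERVED):
        print(f"[{severity}] {domain}: {finding}")
```

The same baseline structure can serve the annual compliance review in Section 2, since both compare live state against the documented configuration.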

Section 6: Incident Response

Domain Hijacking Incident Response
Do you have incident response procedures for domain hijacking and DNS compromise? At minimum, procedures must cover key scenarios (registrar account compromise, DNS hijacking, unauthorized transfers), pre-documented emergency contacts for registrar security team and SEAL 911, and communication plan for warning users.
Emergency Registry Lock Activation
Do you maintain procedures for emergency registry lock activation to prevent unauthorized domain changes?
Regaining Control of Compromised Domains
Do you have documented procedures for regaining control of compromised domains?
DNS Record Integrity Validation Procedures
Do you maintain procedures for validating DNS record integrity after incident recovery?