Back on April 10, I mentioned that the U.S. National Institute of Standards and Technology, or NIST, had released a draft of a new version of their venerable “Secure Domain Name System (DNS) Deployment Guide,” called NIST SP 800-81 for short. Well, 800-81r3 has just been published as an official set of recommendations and best practices.
As I said back in April, SP 800-81 has been a mainstay of the DNS community since its original publication back in 2006. DNS administrators have turned to it ever since for guidance on how to securely configure and manage their DNS infrastructure. But the latest update was in 2013, too far back to include important developments in the World of DNS (yes, there is such a thing) such as Protective DNS and Encrypted DNS.
I’m very proud to say that my colleague Ross Gibson and I had a hand in this new version. We approached Scott Rose, who’s written every version of SP 800-81 since the beginning, and asked if he’d be interested in an update. Scott was amenable, and together, the three of us added what I feel is important new material on when and how to deploy Protective DNS (hint: nearly always) and Encrypted DNS. We also added a great deal of specific material on the litany of threats to DNS and how to address them, covered DNS hygiene, recommended dedicated DNS servers and much more.
If you’re wondering how this NIST document might affect you, the SP 800 series provides guidance, but some documents in the series are incorporated into regulatory frameworks. For example, the European NIS2 Directive refers to NIST SP 800-81 for its best practices for secure DNS deployment.
Our hope is that this update will continue the long tradition of SP 800-81 as a critical resource for DNS administrators. To understand what SP 800‑81r3 means in practice, read the NIST DNS Security Best Practices: Top 5 Takeaways blog or download your copy today.
Footnotes
- If this accounting of the changes seems overly high-level, never fear: Ross is right on my heels with a blog on the details of the update.
