SFC - DNS Registrar

The SEAL Framework Checklist (SFC) for DNS Registrar provides best practices for securely managing domain names and DNS configurations.

For more details on certifications or self-assessments, refer to the Certification Guidelines.

Section 1: Governance & Domain Management

Domain Security Owner
Is there a clearly designated person or team accountable for domain security?
Baseline Requirements
  • Accountability scope covers policy maintenance, security reviews, renewal management, access control oversight, and incident escalation
Domain Inventory and Documentation
Do you maintain a complete, current record of all your domains and their configurations?
Baseline Requirements
  • Registry includes domain name, ownership, purpose, expiration date, registrar, DNS record configurations, security settings (DNSSEC, CAA), and registrar account configurations
  • Accessible to relevant team members

Section 2: Risk Assessment & Classification

Domain Classification and Compliance
Do you classify your domains by risk level and verify they meet the security requirements for their classification?
Baseline Requirements
  • Classification considers criticality, financial exposure, and operational impact
  • Domains where users may transact funds or that are external-facing classified at the highest tier
  • Each classification maps to specific security requirements (DNSSEC, locks, monitoring frequency, access controls)
  • Compliance verified at least annually through configuration review against documented standards
Enterprise Registrar Security Requirements
Do you use a registrar with enterprise-grade security for your critical domains?
Baseline Requirements
  • Registrar supports registry locks (server-level EPP locks)
  • Registrar supports hardware security key MFA (FIDO2/WebAuthn)
  • Registrar has no history of social engineering vulnerabilities
  • Due diligence includes checking ICANN compliance notices for the registrar

Section 3: Access Control & Authentication

Registrar Access Control
Do you control and secure access to domain registrar and DNS management accounts?
Baseline Requirements
  • Documented who is authorized, how access is granted/revoked, and role-based permissions where available
  • Hardware security key MFA (FIDO2/WebAuthn) required for all registrar and DNS management accounts
  • Access reviews conducted at least annually
  • Access revoked promptly when no longer needed
Dedicated Domain Security Contact Email
Is your domain security contact email independent of the domains it protects?
Baseline Requirements
  • Hosted on a different domain than any domain it's responsible for
  • Not a personal email address
  • Used exclusively for domain security purposes
  • Alias that notifies multiple people
Change Management for Domain Operations
Do you have change management procedures for critical domain operations?
Baseline Requirements
  • Covers transfers, deletions, nameserver changes, and DNS record modifications
  • Relevant team members notified before critical changes
  • All changes logged
  • Critical changes verified through out-of-band confirmation with the registrar

Section 4: Technical Security Controls

DNS Security Standards
Do you enforce DNS security standards across all your domains?
Baseline Requirements
  • DNSSEC enabled and validated on all critical domains
  • CAA records configured to restrict certificate issuance to authorized CAs only
  • TTL policies documented with rationale
  • Standards applied consistently based on domain classification
Email Authentication Standards
Do you enforce email authentication standards and monitor for violations?
Baseline Requirements
  • SPF, DKIM, and DMARC configured for all domains that send email
  • DMARC policy set to reject for domains actively sending email
  • DMARC aggregate reports (rua) monitored and reviewed
  • MTA-STS configured where supported to enforce encrypted email transport
  • Domains that don't send email have SPF/DMARC records that reject all email
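
One way to verify the SPF and DMARC items above across a domain inventory, as an added example that is not part of the SEAL checklist itself. The function names, domains and TXT records are constructed for illustration; the records would normally come from your own resolver queries, and DKIM is left out because selectors are deployment-specific.

```python
# Added example: audit SPF/DMARC TXT answers against the checklist baseline.
# All names and records here are constructed sample data, not real domains.

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC tag list into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_auth(domain, sends_email, apex_txt, dmarc_txt):
    """Return findings for one domain; an empty list means the baseline is met."""
    findings = []
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    dmarc = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]

    if len(spf) != 1:  # none means no policy; more than one is an SPF permerror
        findings.append(f"{domain}: expected exactly 1 SPF record, found {len(spf)}")
    elif not sends_email and spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"{domain}: non-sending domain must publish 'v=spf1 -all'")

    if len(dmarc) != 1:
        findings.append(f"{domain}: expected exactly 1 DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() != "reject":
            findings.append(f"{domain}: DMARC p={tags.get('p', '<missing>')}, want reject")
        if sends_email and not tags.get("rua"):
            findings.append(f"{domain}: no rua address, aggregate reports cannot be reviewed")
    return findings

# Constructed inventory: (domain, sends_email, apex TXT, _dmarc TXT)
SAMPLE = [
    ("app.example", True,
     ["v=spf1 include:_spf.mail.example -all"],
     ["v=DMARC1; p=reject; rua=mailto:dmarc@sec-contact.example"]),
    ("parked.example", False,
     ["v=spf1 include:_spf.mail.example ~all"],
     ["v=DMARC1; p=none"]),
    ("legacy.example", True, ["site-verification=abc123"], []),
]

def audit_all(sample=SAMPLE):
    return {d: audit_email_auth(d, s, a, m) for d, s, a, m in sample}

if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, "OK" if not findings else findings)
```
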
Domain Lock Implementation
Do you use domain locks to prevent unauthorized transfers and changes?
Baseline Requirements
  • Registry locks (server-level EPP locks) enabled for all critical domains where supported
  • Transfer locks enabled on all domains
  • Lock status verified periodically
TLS Certificate Lifecycle Management
Do you manage the full lifecycle of your TLS certificates?
Baseline Requirements
  • Covers issuance, renewal, and revocation procedures
  • Certificates tracked with expiration alerts
  • Automated renewal where possible
  • Revocation procedures documented for compromised certificates

Section 5: Monitoring & Detection

Domain and DNS Monitoring
Do you monitor your domains for unauthorized changes to DNS records, registration status, and security settings?
Baseline Requirements
  • DNS record monitoring covers nameserver (NS) changes, A/AAAA changes, MX changes, TXT/SPF/DMARC changes, CAA record removal, DNSSEC status changes, and unexpected TTL drops
  • Registration monitoring covers lock status, registrar account settings, and nameserver delegation
  • Alerting and escalation paths documented
  • Critical alerts (nameserver changes, DNSSEC failure, registrar changes) trigger immediate investigation
  • Monitoring infrastructure not dependent on the domains being monitored
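
The record-level checks listed above reduce to a diff between an observed snapshot and a known-good baseline; the following is an added example, not part of the SEAL checklist. The snapshot layout, the "high"/"medium" severity labels and the TTL threshold are assumptions, and all names and addresses are constructed documentation values.

```python
# Added example: diff an observed DNS snapshot against a known-good baseline.
# Severity labels other than "critical" and the TTL threshold are assumptions.
WATCHED = ("NS", "DS", "A", "AAAA", "MX", "TXT", "CAA")
CRITICAL = {"NS", "DS"}   # nameserver change, DNSSEC status change
TTL_DROP_RATIO = 0.5      # alert when a TTL falls to half of baseline or lower
EMPTY = {"values": frozenset(), "ttl": 0}

def diff_snapshot(baseline, observed):
    """Both arguments map rtype -> {"values": set, "ttl": int}.
    Returns (severity, rtype, message) tuples, most severe first."""
    alerts = []
    for rtype in WATCHED:
        old, new = baseline.get(rtype, EMPTY), observed.get(rtype, EMPTY)
        sev = "critical" if rtype in CRITICAL else "high"
        if old["values"] and not new["values"]:
            alerts.append((sev, rtype, "record set removed"))
        elif old["values"] != new["values"]:
            added = sorted(new["values"] - old["values"])
            removed = sorted(old["values"] - new["values"])
            alerts.append((sev, rtype, f"added={added} removed={removed}"))
        if old["ttl"] and new["values"] and new["ttl"] <= old["ttl"] * TTL_DROP_RATIO:
            alerts.append(("medium", rtype, f"TTL dropped {old['ttl']} -> {new['ttl']}"))
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(alerts, key=lambda a: rank[a[0]])

# Constructed sample data (documentation names and addresses only).
BASELINE = {
    "NS": {"values": {"ns1.dns-host.example.", "ns2.dns-host.example."}, "ttl": 86400},
    "DS": {"values": {"12345 13 2 <digest-placeholder>"}, "ttl": 86400},
    "A": {"values": {"192.0.2.10"}, "ttl": 3600},
    "MX": {"values": {"10 mx.mail.example."}, "ttl": 3600},
    "CAA": {"values": {'0 issue "ca.example"'}, "ttl": 3600},
}
OBSERVED = {
    "NS": {"values": {"ns1.other-host.example.", "ns2.other-host.example."}, "ttl": 86400},
    "A": {"values": {"198.51.100.77"}, "ttl": 60},
    "MX": {"values": {"10 mx.mail.example."}, "ttl": 3600},
}

if __name__ == "__main__":
    for severity, rtype, message in diff_snapshot(BASELINE, OBSERVED):
        print(f"[{severity}] {rtype}: {message}")
```

Collect the observed snapshot through resolvers and hosts that do not rely on the monitored domains, so the check keeps working when delegation has been altered.
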
Certificate Transparency Monitoring
Do you monitor Certificate Transparency logs for unauthorized certificates issued for your domains?
Baseline Requirements
  • Subscribed to a CT monitoring service that alerts on new certificate issuance
  • Alerts reviewed and unauthorized certificates investigated promptly
  • Wildcard certificates flagged if not expected
Domain Expiration Prevention
Do you actively prevent domain expiration?
Baseline Requirements
  • Auto-renewal enabled on all domains
  • Calendar reminders at 90, 60, 30, and 7 days before expiration
  • Payment methods verified current
  • Backup person designated for renewal responsibility

Section 6: Incident Response

Alerting and Emergency Contacts
Do you have alerting and emergency contacts in place for domain security incidents?
Baseline Requirements
  • Alerting system in place to notify relevant stakeholders when a potential compromise is detected
  • Emergency contacts pre-documented including registrar security team, SEAL 911, and legal counsel
  • Communication plan for warning users (status page, social media, in-app warnings)
Domain Incident Response Plan
Do you have an incident response plan for domain hijacking and DNS compromise?
Baseline Requirements
  • Covers key scenarios including registrar account compromise, DNS hijacking, and unauthorized transfers
  • Emergency registry lock activation procedures
  • Procedures for regaining control of compromised domains
  • Post-recovery validation including DNS records verified against known-good baseline, all credentials reset, and access logs reviewed
  • Plan tested at least annually (can be combined with broader IR drills)