Chip,
In the US Federal Gov, we have the NIST SP 800-81 
(http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf) and DISA 
Secure Template Implementation Guide (STIGs) (http://www.stigviewer.com/stigs). 
 Not as comprehensive as what you describe, but covers what basic DNS admins 
should be aware of with the focus on security.  Some things were considered too 
low level (like port randomization) and left out since the admin would likely 
assume it is baked into the implementation and not something they can configure.

STIGs are way lower level (i.e. command line cookbooks) used to train
operators, but have some information as to the "why", and have a set of checks
broken down by system classification (example, the "DNS Policy" checklist):
http://www.stigviewer.com/stig/48ccf31b1a3c7aa12ee38de8ef3c08467003ebb0/MAC1PublicProfile/

It's some starting material that may be useful so you don't have to re-invent 
everything,
Scott


On Jun 14, 2013, at 11:07 AM, Chip Marshall wrote:

> There was some talk at a recent meeting about establishing some
> best practices for operating a DNS server. I'm curious if anyone
> is running with this, and if not, if this would be a good forum
> to start working on such a project.
> 
> I know there are some IETF documents around best practices for
> things like DNSSEC, but to the best of my knowledge there's not a
> good repository for things like RRL, making sure your recursive
> resolver isn't open, ensuring source port randomization (I know I
> still see a lot of source 53 queries) and so on.
> 
> -- 
> Chip Marshall <[email protected]>
> http://2bithacker.net/

===================================
Scott Rose
NIST
[email protected]
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations