TL;DR: Managed DNS is presented as a way to improve website performance, preserve availability during failures, and strengthen DNS integrity with DNSSEC, according to DigiCert. The underlying governance issue is that DNS reliability and authenticity are now identity-adjacent control points, not just infrastructure concerns.
At a glance
What this is: This is a DigiCert blog post arguing that managed DNS helps enterprise domains improve performance, maintain availability, and protect DNS integrity with DNSSEC.
Why it matters: It matters because DNS is a trust and continuity dependency for IAM, NHI, and broader identity programmes when services, certificates, and workloads rely on reachable, authentic endpoints.
👉 Read DigiCert's blog on managed DNS for performance, security, and availability
Context
Managed DNS is the operational layer that routes users and systems to the right endpoint, even when parts of the environment fail. In identity-heavy environments, that routing layer matters because authentication, service discovery, and application reachability all depend on DNS behaving consistently and honestly.
The article’s core point is that availability and authenticity are now part of the same control problem. If DNS can be hijacked, altered, or made unavailable, identity-dependent services inherit the failure, whether the subject is a human login flow, an NHI-backed application, or an autonomous service path.
Key questions
Q: How should security teams govern DNS for identity-dependent applications?
A: Treat DNS as part of the access path, not just as infrastructure plumbing. Security teams should identify the domains that support sign-in, service discovery, certificate validation, and API reachability, then require change control, failover testing, and integrity checks on those records. If DNS fails, the identity journey fails with it.
Q: Why does DNSSEC matter for identity and access management?
A: DNSSEC matters because it helps verify that DNS answers have not been altered before a user or workload reaches the target service. That integrity matters for IAM because authentication flows, federated services, and machine-to-machine connections often begin with a DNS lookup. Without it, trust can be redirected before any identity control is applied.
Q: What breaks when managed DNS has no failover plan?
A: When managed DNS has no failover plan, critical services can become unreachable even if the application itself is healthy. That can interrupt logins, service discovery, and API calls, which makes the outage look like an identity or application problem when the root cause is name resolution. Availability must be tested, not assumed.
Q: What frameworks help teams align DNS resilience with security governance?
A: The NIST Cybersecurity Framework 2.0 is a useful starting point because it ties identify, protect, detect, respond, and recover together. Teams should map DNS ownership and recovery requirements into those functions so that authenticity and availability are treated as governed controls rather than separate operational tasks.
Technical breakdown
Managed DNS and application availability
Managed DNS centralises query handling so traffic can be balanced across servers and redirected when one path degrades. In practice, that means enterprises can reduce single points of failure by using secondary DNS and failover logic to keep records resolvable during outages. The value is not only speed, but continuity under stress. For security and identity teams, that continuity matters because authentication endpoints, certificate validation paths, and service dependencies all assume DNS resolution works when needed.
Practical implication: map business-critical identity and application flows to DNS failover dependencies and test how quickly they recover when primary infrastructure is unavailable.
DNSSEC and protection against hijacking
DNSSEC adds a cryptographic layer to DNS responses so resolvers can verify that records were not altered in transit. It does not encrypt DNS traffic, but it does help prevent unauthorized modification and certain hijacking scenarios by validating authenticity and integrity. That makes it a governance control as much as a technical one, because it protects the trust relationship between the client and the record source. For identity programmes, that trust relationship is foundational to reaching login pages, APIs, and federated services safely.
Practical implication: treat DNSSEC as an integrity control for identity-relevant domains and verify that signing, key management, and validation are actually enabled.
Why DNS now sits close to identity security
DNS sits near identity because many access journeys begin with a name lookup before any authentication step occurs. If the lookup is wrong, delayed, or tampered with, the rest of the trust chain is already compromised. That is why managed DNS should be read as part of the wider control plane for enterprise trust, not as a standalone network utility. The article implicitly points to a broader lesson: resilience, authenticity, and availability need to be governed together when services underpin human and machine access alike.
Practical implication: include DNS ownership, failover, and integrity checks in identity architecture reviews rather than leaving them only to network operations.
NHI Mgmt Group analysis
Managed DNS is now an identity-adjacent control, not just an uptime tool. The article frames DNS availability and DNS integrity as business essentials, but the deeper lesson is that authentication journeys depend on DNS behaving correctly before an identity control ever fires. That makes DNS a prerequisite trust layer for human IAM, NHI service access, and workload reachability. Practitioners should stop treating DNS as background infrastructure and govern it as part of the access path.
DNSSEC addresses record authenticity, but it does not solve governance drift. DNSSEC can protect against tampering and hijacking, yet the article also shows how quickly resilience depends on operational discipline around secondary DNS, failover, and record management. The failure mode is not just attack resistance, but the assumption that DNS integrity is automatically preserved across every domain and provider. Practitioners should validate where integrity is actually enforced, not where it is merely expected.
Managed DNS exposes a broader identity trust boundary: reachable does not mean trustworthy. Enterprises often certify application access without examining whether the naming layer that leads to the application is protected to the same standard. That gap matters for federated login, API calls, and machine-to-machine services that silently trust DNS results. The practical conclusion is that identity governance and network governance now intersect at the resolution layer.
High availability and security need to be designed together, because one without the other creates false confidence. The article’s combination of load balancing, failover, and DNSSEC is a reminder that continuity controls can widen exposure if integrity controls are missing, and integrity controls are ineffective if availability is ignored. For practitioners, the governance question is not whether DNS is managed, but whether it is managed as a trusted access dependency.
For NHI programmes, DNS failures can look like credential failures even when the root cause is routing. Workload identity, service discovery, and API communications often depend on DNS resolution to reach token endpoints, certificate services, and downstream applications. When those paths fail, teams can misdiagnose the incident as identity instability. Practitioners should include DNS in troubleshooting and control mapping for every non-human access path.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and a further 47% having only partial visibility, according to The State of Non-Human Identity Security.
- Another finding from The State of Non-Human Identity Security shows that only 1.5 out of 10 organisations are highly confident in securing NHIs, which is a useful benchmark when evaluating any identity-adjacent dependency.
- For broader governance context, the NHI Lifecycle Management Guide helps teams translate visibility gaps into ownership, rotation, and offboarding controls.
What this signals
DNS governance will increasingly be evaluated alongside identity governance. As more access paths depend on managed DNS, teams should expect architecture reviews to ask who owns critical zones, how failover is tested, and whether integrity controls are enforced consistently. DNS visibility gaps are becoming trust gaps, especially where human access and NHI access share the same endpoint.
Reachability is not a security control. A domain can stay online while its trust properties degrade, which means operational dashboards can look healthy while identity paths are already exposed to hijack or misdirection. Teams should separate uptime monitoring from integrity monitoring and track both in one governance view.
The article points to a named concept worth tracking: identity-path DNS dependency. That is the point where naming, routing, and trust become inseparable from access governance, and it is where resilience planning should begin for services that support human login flows and machine access alike.
For practitioners
- Inventory identity-dependent DNS paths Document which login, API, certificate, and service discovery flows depend on specific DNS zones, resolvers, and failover records. Prioritise the domains that would interrupt human sign-in or workload authentication if they became unavailable.
- Enable DNSSEC on critical domains Sign the zones that support user access, machine access, and externally reachable services. Confirm that validation is working end to end, and test that key rollover and record changes do not break service continuity.
- Test secondary DNS and failover recovery Run failure exercises that force DNS switchover and confirm that applications, authentication endpoints, and API consumers continue resolving correctly. Measure recovery time against business expectations, not network convenience.
- Add DNS to identity governance reviews Include DNS ownership, change control, and integrity checks in architecture and access reviews for systems that support human IAM or NHI access. This prevents the naming layer from being treated as outside the trust model.
Key takeaways
- Managed DNS is a trust dependency for identity-dependent services, not merely a performance layer.
- DNSSEC improves record integrity, but governance still has to cover ownership, failover, and validation end to end.
- Identity programmes should include DNS in architecture reviews because reachability, authenticity, and access are now tightly coupled.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | DNS integrity affects how trusted access paths are reached. |
| NIST CSF 2.0 | PR.PT-5 | Protective technology includes resilient and validated naming services. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero trust depends on trusted resolution of services before access decisions occur. |
Map DNS dependencies to access control flows and verify authenticity before authentication begins.
Key terms
- Managed DNS: Managed DNS is a service model where an external or centralised provider handles authoritative DNS operations, routing, and resilience functions for a domain. In practice, it reduces operational burden while creating a governance dependency on the provider’s availability, change control, and integrity controls.
- DNSSEC: DNSSEC is a set of extensions that lets resolvers verify DNS record authenticity using cryptographic signatures. It does not hide DNS data, but it does help prevent tampering and redirection, which matters when applications, identities, and workloads depend on trusted name resolution.
- Secondary DNS: Secondary DNS is a redundant authoritative DNS service that can answer queries if the primary service fails. It is a continuity control, but it only improves resilience when the secondary path is tested, kept in sync, and governed as part of the access architecture.
- Identity-adjacent control: An identity-adjacent control is a technical dependency that sits outside a formal IAM platform but still affects how identity journeys work. DNS, certificate services, and endpoint routing are common examples because they shape whether authentication, federation, and workload access can occur safely.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by DigiCert: Best Enterprise DNS in Johannesburg, South Africa. Read the original.
Published by the NHIMG editorial team on 2026-06-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
