TL;DR: Weak domain management can lead to outages, loss of control, and DNS-based abuse. Large organisations may own more than 3,000 domains, and nearly one-third manage over 10,000, according to DigiCert and a 2025 GCD survey. The governance lesson is clear: domains behave like identity assets and need central ownership, access control, and lifecycle discipline.
NHIMG editorial — based on content published by DigiCert: The Importance of Domain Management
By the numbers:
- more than half (56%) of respondents from large companies reported owning more than 3,000 domains
- nearly one-third (29%) reported managing more than 10,000 domains
Questions worth separating out
Q: How should organisations govern domain names as part of identity security?
A: Treat domains as governed assets with named owners, privileged registrar access, renewal controls, and logged DNS change management.
Q: Why do fragmented domain portfolios create security risk?
A: Fragmentation makes it easier to miss renewals, apply inconsistent security settings, and lose sight of who can change records.
Q: What should security teams check in DNS management controls?
A: Check whether changes are approved, whether sensitive records are monitored, whether DNSSEC is enabled where possible, and whether access is restricted to named administrators.
Practitioner guidance
- Create a single authoritative domain inventory. Track every domain, registrar, renewal date, DNS provider, delegated owner, and emergency contact in one governed record so gaps are visible before they become outages.
- Lock registrar accounts down as privileged systems. Require MFA, domain locking, and role-based access controls for registrar and DNS consoles, and review access logs as part of periodic privileged access review.
- Harden DNS change control and integrity checks. Use approval workflows for record changes, enable DNSSEC where supported, and monitor A, CNAME, MX, and TXT updates for drift or unauthorised modification.
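One way to turn the inventory and record-monitoring points above into a repeatable check, as an added example (not code from DigiCert or this editorial). The inventory field names, the baseline format, and all sample data are assumptions constructed for illustration.

```python
from datetime import date

MONITORED = ("A", "CNAME", "MX", "TXT")  # record types named in the guidance
# Constructed inventory; field names are assumptions for this example.
INVENTORY = [
    {"domain": "example.com", "registrar": "RegistrarA", "dns_provider": "DnsX",
     "owner": "platform-team", "renews": date(2025, 7, 1), "registrar_lock": True},
    {"domain": "example.net", "registrar": "RegistrarB", "dns_provider": "DnsX",
     "owner": "", "renews": date(2026, 3, 15), "registrar_lock": False},
]
# Constructed approved baseline and observed zone data: {(name, type): {values}}
BASELINE = {
    ("example.com", "A"): {"192.0.2.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "TXT"): {"v=spf1 include:_spf.example.com -all"},
    ("www.example.com", "CNAME"): {"example.com."},
}
OBSERVED = {
    ("example.com", "A"): {"192.0.2.10", "198.51.100.7"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("www.example.com", "CNAME"): {"example.com."},
    ("old.example.com", "CNAME"): {"app.example.org."},
}

def inventory_gaps(inventory, today, window_days=30):
    """Return {domain: [issues]} for renewal, ownership and lock gaps."""
    gaps = {}
    for d in inventory:
        issues = []
        if (d["renews"] - today).days <= window_days:
            issues.append("renewal-due")
        if not d["owner"]:
            issues.append("no-owner")
        if not d["registrar_lock"]:
            issues.append("unlocked")
        if issues:
            gaps[d["domain"]] = issues
    return gaps

def record_drift(baseline, observed):
    """Return sorted (name, type, change, value) tuples for monitored types."""
    drift = []
    for key in set(baseline) | set(observed):
        if key[1] not in MONITORED:
            continue
        approved, seen = baseline.get(key, set()), observed.get(key, set())
        drift += [(*key, "added", v) for v in seen - approved]
        drift += [(*key, "removed", v) for v in approved - seen]
    return sorted(drift)
```

In practice the observed set would come from a zone export or provider API, and each drift entry would be reconciled against an approved change ticket before the baseline is updated.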
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Specific DNS record types and why A, CNAME, MX, and TXT mistakes create different failure modes
- Practical registrar and DNS control examples for teams managing large multi-domain portfolios
- Operational guidance on locking, MFA, and renewal automation for day-to-day administration
- Discussion of provider capabilities such as redundancy, failover, and DDoS mitigation