Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Domain management and DNS control: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Weak domain management can lead to outages, loss of control, and DNS-based abuse, while large organisations may own more than 3,000 domains and nearly one-third manage over 10,000, according to DigiCert and a 2025 GCD survey. The governance lesson is clear: domains behave like identity assets and need central ownership, access control, and lifecycle discipline.

NHIMG editorial — based on content published by DigiCert: The Importance of Domain Management

By the numbers:

Questions worth separating out

Q: How should organisations govern domain names as part of identity security?

A: Treat domains as governed assets with named owners, privileged registrar access, renewal controls, and logged DNS change management.

Q: Why do fragmented domain portfolios create security risk?

A: Fragmentation makes it easier to miss renewals, apply inconsistent security settings, and lose sight of who can change records.

Q: What should security teams check in DNS management controls?

A: Check whether changes are approved, whether sensitive records are monitored, whether DNSSEC is enabled where possible, and whether access is restricted to named administrators.

Practitioner guidance

  • Create a single authoritative domain inventory Track every domain, registrar, renewal date, DNS provider, delegated owner, and emergency contact in one governed record so gaps are visible before they become outages.
  • Lock registrar accounts down as privileged systems Require MFA, domain locking, and role-based access controls for registrar and DNS consoles, and review access logs as part of periodic privileged access review.
  • Harden DNS change control and integrity checks Use approval workflows for record changes, enable DNSSEC where supported, and monitor A, CNAME, MX, and TXT updates for drift or unauthorised modification.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Specific DNS record types and why A, CNAME, MX, and TXT mistakes create different failure modes
  • Practical registrar and DNS control examples for teams managing large multi-domain portfolios
  • Operational guidance on locking, MFA, and renewal automation for day-to-day administration
  • Discussion of provider capabilities such as redundancy, failover, and DDoS mitigation

👉 Read DigiCert's analysis of domain management and DNS control →

Domain management and DNS control: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Domain management is really privileged identity governance for the internet-facing edge. A registrar account can change ownership, redirect traffic, and expose business-critical services, so it should be governed with the same seriousness as a high-value admin path. The article shows that domain assets fail when they are treated as administrative records rather than controlled identities. Practitioners should treat registrar and DNS access as privileged infrastructure.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: When does a domain lapse become a governance failure?

A: A lapse becomes a governance failure when no one owns renewal decisions, contact data, or escalation paths. At that point the organisation has turned an internet-facing asset into a recoverable liability for an outsider. Renewal should be managed as a lifecycle control with accountability, not as a calendar reminder.

👉 Read our full editorial: Domain management is becoming a security control, not just upkeep



   
ReplyQuote
Share: