TL;DR: Managed DNS with DNSSEC, secondary DNS, and failover aims to reduce hijack risk and preserve availability for global domains by strengthening DNS integrity and resilience, according to DigiCert. For identity and access teams, DNS remains part of the trust boundary because outages and tampering can disrupt authentication, service reachability, and delegated access flows.
NHIMG editorial — based on content published by DigiCert: Enterprise DNS for Stockholm, Sweden Managed DNS
Questions worth separating out
Q: How should security teams include DNS in identity resilience planning?
A: Security teams should treat DNS as a trust dependency for authentication, federation, and API access.
Q: Why does DNSSEC matter for IAM and workload access?
A: DNSSEC matters because it helps verify that DNS records have not been altered before they reach the resolver.
Q: What breaks when managed DNS is unavailable during an outage?
A: When managed DNS is unavailable, users and workloads may lose the ability to reach sign-in pages, APIs, and other trusted endpoints even if the underlying applications are still running.
Practitioner guidance
- Inventory DNS dependencies for identity services Map every authentication portal, federation endpoint, token service, API host, and certificate-related lookup that depends on authoritative DNS.
- Test failover for critical identity domains Simulate primary DNS loss and verify that secondary DNS continues to resolve the domains used by sign-in, workload access, and customer-facing services.
- Validate DNSSEC operation end to end Check that critical zones are signed, validation is enabled where supported, and key rotation procedures are documented.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Managed DNS positioning for Stockholm-based and globally distributed organisations
- The specific performance and resilience framing around load balancing, CDN integration, and failover
- The DNSSEC and secondary DNS messaging as presented by DigiCert
- The product-oriented close on DigiCert DNS Trust Manager and managed DNS deployment context
👉 Read DigiCert's blog on managed DNS, DNSSEC, and high availability →
Managed DNS and DNSSEC: what practitioners need to watch?
Explore further
DNS is an identity dependency, not just a delivery layer. Managed DNS determines whether users and machines can even reach the services that enforce trust. For IAM teams, that means routing integrity and endpoint availability belong in the same governance conversation as authentication and access policy. Practitioners should treat DNS as part of the identity control surface, not as background plumbing.
A few things that frame the scale:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.
A question worth separating out:
Q: How do organisations decide between DNSSEC and failover controls?
A: They should not treat DNSSEC and failover as alternatives. DNSSEC protects record integrity, while failover protects availability. Organisations need both if they want name resolution to remain trustworthy and reachable under attack or infrastructure failure.
👉 Read our full editorial: Managed DNS and DNSSEC reduce availability and hijack risk