ISPs should use Domain Name System (DNS) Security Extensions (DNSSEC) to protect the DNS. ISPs should consider, at a minimum, the following:
sign and regularly test the validity of their own DNS zones,
routinely validate the DNSSEC signatures of other zones;
employ automated methods to routinely test DNSSEC-signed zones for DNSSEC signature validity.
|Industry Role(s)||Service Provider|
|Keyword(s)||Cyber Security;Encryption;Intrusion Detection;|
|Reference/Comments||More information can be found at:
Note that the Best Practices in this grouping are primarily aimed at ISPs that provide service to consumer end-users on residential broadband networks, but may be applicable to other users and networks as well.