After reviewing [this article about recent DNS hijacking incidents](https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/), I think it might be worth reviewing the recommendations given in the article, which are basically: 1. [x] use DNSSEC 2. [ ] Use registration features like Registry Lock that can help protect domain names records from being changed 3. [ ] Use access control lists for applications, Internet traffic and monitoring 4. [ ] Use 2-factor authentication, and require it to be used by all relevant users and subcontractors 5. [x] In cases where passwords are used, pick unique passwords and consider password managers 6. [ ] Review accounts with registrars and other providers 7. [ ] Monitor certificates by monitoring, for example, Certificate Transparency Logs (#40677) Some of those are impractical: for example 2FA will not work for us if we have one shared account with a provider. Others have already been done: we have a good DNSSEC deployment and manage passwords properly. Mainly, I'm curious about investigating Registry lock and CT logs monitoring, the latter which could be added as a Nagios thing, maybe.