The DNS Institute's DNS Audit checks over a hundred requirements and best practices as defined in IETF RFCs, government mandates, and registry guidelines. (The tests have bibliographic citations and explanations.) These tests cover the domain names themselves, nameserver addressing, DNS setup and delegations, and conformance tests on how the domain nameserver responds. This includes checking glue, IPv6, TCP, DNSSEC, and more. It has additional tests for performance and security vulnerabilities with over a hundred additional test cases to consider. We have run over a third of a million test runs resulting in over fifty-one million individual test results. (You can see summaries of this in our research articles.)
Some of the tests fail so frequently that they can be considered just unimportant noise. But many DNS setups are so clean they have none of the following top ten most frequent warnings.
There are a few other frequent offenders, especially when the audit forces IPv6-only or TCP-only tests. By the way, one of our least common outliers is: "D103510 Recursion depth recommended maximum is 5 levels (Unbound default max)." (That's even less frequent than finding security vulnerabilities such as dangling DNS targets.)
How clean is your DNS?
What do you think about any of these pedantic checks? (Old guidelines or requirements just don't matter?)
What do you use for your DNS auditing?