DNS Tech Support Training Courses DNSSEC Consulting DNS Monitoring System Audit Customer Portal
The DNS Institute
Documentation Implementations Research DNS History Free DNS Tools

DNS Job Task Analysis

DNS Institute will soon be delivering a detailed survey of DNS administrator job tasks to to help evaluate skill levels and task importance and frequency. This will also survey software implementations in use. This will be used to help improve existing and upcoming books and documentation and training classes and courseware. The summarized results will be made publicly available.

The following job statements are being considered for the survey. Please share your feedback and suggestions. (I have participated in JTA development and report for 10+ year-old psychometrician-approved system administrator certification.)

  1. Configure nameserver to report a Name Server Identifier (NSID).
  2. Configure CNAME alias records in a zone.
  3. Use a DNS client tool to query with a DSCP (differentiated services code point) value.
  4. Enable DNS server to perform DNSSEC validation.
  5. Configure zone file sharing for redundant services without using DNS standards zone transfer mechanisms.
  6. Add or remove zones while a nameserver is running.
  7. Configure nameserver to provide DNS-over-HTTPS (DoH).
  8. Configure NSEC3 Opt-Out in a DNSSEC signed zone to allow unsigned data.
  9. Enable forwarding of RFC 2136 Dynamic Updates.
  10. Use a DNS client tool to query with a EDNS Cookie.
  11. Configure custom (non-RFC/without software support) resource record types and data in a zone file.
  12. Use a DNS client tool (like DiG or Drill) to perform DNS lookups for various resource record types.
  13. Manually query for a Name Server Identifier (NSID).
  14. Use a DNS client tool to perform DNSSEC validation.
  15. Implement a script to maintain a master-format zone file.
  16. Configure nameserver to automate DNSSEC signing for non-signed incoming transfered zone data.
  17. Troubleshoot FORMERR status results.
  18. Configure nameserver to return synthesized mapped addresses (DNS64) when AAAA answers are missing.
  19. Trigger a nameserver to check for new zone data to transfer in.
  20. Configure single system hostname/address mapping without using DNS.
  21. Manually fix a botched SOA Serial number in a zone file.
  22. Configure nameserver to disable or allow outgoing incremental zone transfers (IXFR).
  23. Configure recursive nameserver to limit recursion depth or number of queries for handling a single request.
  24. Analyze TTL time-to-live timer from caching resolvers.
  25. Configure nameserver to suspend or unsuspend Dynamic Updates.
  26. Manually review NSEC records or follow NSEC chain.
  27. Manually use RFC 2136 Dynamic Updates tool (e.g. nsupdate) to update zone data.
  28. Configure wildcard label names in a zone.
  29. Configure nameserver to send DSCP (differentiated services code point) value for outgoing packet headers for QoS.
  30. Use a DNS management tool with custom cryptographic accelerator or hardware security module (HSM) for key generation or signing.
  31. Define a hostname for a system to be set at boot time.
  32. Configure nameserver for order of additional section or glue responses.
  33. Dump and review server caches.
  34. Configure recursive nameserver to use a custom or new root name servers list (hint zone).
  35. Configure a nameserver to send NOTIFY messages on changes.
  36. Configure nameserver to query for new records if a record is soon to expire from its cache.
  37. Configure nameserver to provide DNS-over-TLS (DoT).
  38. Setup reverse name resolution for IPv4 addresses under an in-addr.arpa zone.
  39. Disable queries for specific IP addresses or networks.
  40. Configure nameserver delegations in a parent zone.
  41. Configure Sender Policy Framework (SPF) resource record data.
  42. Configure and enable a DNS server for providing secondary (slave) zones.
  43. Manually define DNS name servers to use for a stub client or for base operating system.
  44. Setup DNS server within a chroot, sandbox, jail, or operating system-level boundary separation.
  45. Do mass DNS lookups.
  46. Automated checks for DNSSEC negative trust anchor (NTA) to see if currently needed.
  47. Use a tool to convert zone data to and from machine and human-readable formats.
  48. Configure nameserver to enable or disable UDP traffic.
  49. Configure a zone using Punycode names for Internationalized Domain Names (IDN).
  50. Configure negative caching time-to-live value for non-existent records in a zone.
  51. Configure "views" or similar split configuration to offer different zone data or server behavior based on client or destination addresses or networks.
  52. Configure nameserver to query with or respond with EDNS Cookies.
  53. Run a nameserver daemon in debugging/diagnostics mode to troubleshoot behavior.
  54. Configure nameserver to prefer IPv6 over IPv4.
  55. Enable RFC 2136 Dynamic Updates allowed for IP/network.
  56. Read DNS wire packets.
  57. Configure DNS server IP/network-based ACLs for global/world access.
  58. Use a DNS client tool to recursively trace delegations from root-server(s) down until receive answer.
  59. Configure a nameserver to disable serving from cache of third-party record data.
  60. Configure NS glue records in a parent zone.
  61. Configure nameserver to log debugging or access details for specific features or clients.
  62. Configure SRV resource record data.
  63. Configure DNS server TSIG shared secret ACLs.
  64. Perform a non-EDNS query.
  65. Utilize directive or configuration to include zone file data into another zone file.
  66. Enable RFC 2136 Dynamic Updates using TSIG.
  67. Configure "views" or similar split configuration to offer different zone data or server behavior based on recursion desired (RD) bit.
  68. Enable DNS server to handle DNSSEC-OK (DO) queries and to respond with corresponding DNSSEC records.
  69. Configure nameserver to prefer IPv4 over IPv6.
  70. Review current iterative/recursing queries.
  71. Troubleshoot NXDOMAIN status results.
  72. Use a DNS client tool (like DiG or Drill) to perform DNS query for a non-Internet class record.
  73. Configure a custom trust anchor (or secure entry point) key for DNSSEC validation.
  74. Use tool to reformat master-format zone file.
  75. Configure nameserver for maximum allowed cache times (TTL).
  76. Manually sign/re-sign zone file to generate DNSSEC signatures and related records.
  77. Manually flush resolver cache.
  78. Configure a secondary nameserver to transfer in zone data using AXFR.
  79. Configure nameserver for maximum advertised EDNS UDP buffer size.
  80. Configure Packet Filter for allowing or restricting DNS packets.
  81. Review DNS server logging.
  82. Configure DNS forwarding for an intermediate recursive server.
  83. Configure DNS server IP/network-based ACLs for local network/system access only.
  84. Configure nameserver for maximum concurrent clients.
  85. Configure a zone with Punycode (for IDN) for some resource record data.
  86. Configure recursive nameserver for shorter or longer query timeouts.
  87. Configure mail exchange (MX) resource record data.
  88. Update SOA Serial number manually.
  89. Troubleshoot TSIG authentication failures.
  90. Develop or maintain source code using a DNS resolver library API.
  91. Configure and enable a DNS server for providing primary (master) zones.
  92. Enable DNS server to automate periodic re-signing of DNSSEC zone files.
  93. Configure nameserver for maximum UDP packet size for outgoing responses.
  94. Use DNS configuration syntax checking tool.
  95. Manually generate DNSSEC keys.
  96. Utilize custom non-DNS host name database (like /etc/hosts) for local host/address mapping.
  97. Configure server to serve zone data for non-Internet class.
  98. Configure nameserver to use a cryptographic accelerator or hardware security module (HSM) for key generation, key storage, and/or signing.
  99. Use zone file validaty checking or auditing tool.
  100. Use a DNS client tool to perform TCP query.
  101. Configure nameserver to minimize Authority and Additional section responses.
  102. View all enabled DNSSEC trusted keys for a nameserver.
  103. Use a tool to convert to and from non-ASCII domain names and Punycode for Internationalized Domain Names (IDN).
  104. Configure access control or serving different zone data based on EDNS Client Subnet (ECS) network prefix.
  105. Use a DNS client tool to perform a non-recursive query.
  106. Configure nameserver so all responses will be referrals or delegations (and no answers).
  107. Configure nameserver to use a pre-defined source address for outgoing packets.
  108. Manage stealth or hidden servers that provide authoritative answers.
  109. Configure nameserver for maximum and minimum SOA interval time values it will use for zone transfer checking.
  110. Configure nameserver to enable or disable TCP traffic.
  111. Configure nameserver for maximum concurrent outgoing queries.
  112. Configure a nameserver to disable recursion.
  113. Configure authoritative nameserver for maximum zone transfer times.
  114. Use a DNS client tool to query with a custom EDNS option.
  115. Manually flush resolver cache for a specific name.
  116. Configure DHCP or authentication service to do RFC 2136 Dynamic Updates to a DNS server.
  117. Configure a nameserver to allow outgoing zone transfers.
  118. Configure a secondary nameserver to transfer in zone data using incremental zone transfers (IXFR).
  119. Configure a nameserver to do incoming zone transfers of a response policy zone (RPZ).
  120. Configure authoritative nameserver for maximum concurrent zone transfers.
  121. Use a DNS client tool to use TSIG for a query.
  122. Utilize directive or configuration to automatically generate series of resource records using iterative names and/or values.
  123. Redeploy DNS services using bundled containers or virtualized environments.
  124. Manually share DNSSEC key set to parent domain operator.
  125. Manually edit a master-format zone file.
  126. Enable and review nameserver statistics/counters.
  127. Configure DomainKeys Identified Mail (DKIM) resource record data.
  128. Manually compare DNSSEC RRSIG and DNSKEY key IDs.
  129. Configure a nameserver to rewrite answers utilizing RPZ (response policy zone) rules.
  130. Configure access control or serving different zone data based on IP-based geolocation (GeoIP) or organization mapping.
  131. Tune a nameserver configuration for high-load systems such as for CPU, threads, or connections capacity.
  132. Configure nameserver to listen on alternative UDP/TCP port.
  133. Implement DNSCurve.
  134. Configure DNS services for IPv6 and AAAA records.
  135. Troubleshoot DNSSEC failures.
  136. Enable DNS query logging.
  137. Configure nameserver to serve zone maintained in SQL database.
  138. Troubleshoot lame servers.
  139. Configure SOA interval time values.
  140. Configure a DNSSEC negative trust anchor (NTA) for a specific domain.
  141. Run a DNS-aware Proxy.
  142. Utilize stand-alone tool to automate periodic re-signing of DNSSEC zone files.
  143. Define custom RPZ (response policy zone) rules in a master zone file.
  144. Troubleshoot SERVFAIL status results.
  145. Use a DNS client tool to query with a EDNS Client Subnet (ECS) option.
  146. Implement DNSCrypt.
  147. Configure nameserver for maximum cache size.
  148. Configure DNAME mapping records in a zone.
  149. Automate DNSSEC key set sharing to parent domain operator.
  150. Enable a DNS caching server.
  151. Configure domain nameserver records at registrar to use custom DNS servers.
  152. Manually check DNSSEC RRSIG inception and expiration times.
  153. Configure a nameserver to disable outgoing zone transfers.
  154. Configure DNS server to automate management for updates for DNSSEC trusted key for root (.) server.
  155. Register a domain name.
  156. Setup firewall or DNS server to blackhole (no response for) some DNS queries.
  157. Implement Anycast DNS services.
  158. Record DNS query and/or response traffic for later long-time analysis.
  159. Enable RFC 2136 Dynamic Updates allowed via Windows or Kerberos machine principal.
  160. Generate shared TSIG key.
  161. Build and install DNS server from source code.
  162. Find out what servers are authoritative for DNS for a hostname.
  163. Manually configure DNSSEC trusted key for root (.) server.
  164. Enable or configure empty zones for RFC1918 or other local and reserved address space arpa domains.
  165. Configure nameserver for rate limiting for UDP responses (RRL).
  166. Enable automatic DNSSEC key generation and DNSSEC rollovers.
  167. Configure nameserver loading DNS zone files or transfering zone data to be lax or not strict about names syntax or targets.
  168. Configure remote nameserver control.
  169. Manage multiple levels of parents and children delegated zones (like third-level domains).
  170. Setup reverse name resolution for IPv6 addresses under an ip6.arpa zone.
  171. Query root server.
  172. Enable DNSSEC signing for Dynamic Updates.
  173. Implement simple load balancer implementation using Round-robin DNS.

(So many other topics to consider, such as redirect zones, IPsec Support module, 0x20 case, specific scheduling decisions for DNSSEC rollovers, automation for domain reregistrations, TSIG "session", NXDOMAIN redirect, registry management, TKEY, LDAP/AD integration, ...)

Please share your feedback prior to our actual survey delivery. What other tasks do you do as a DNS operator? What do you never do?


Contact Us | About | Site Map |  Gab |  Twitter