Alex Band
@alexband@hachyderm.io  ·  activity timestamp 2 weeks ago

I read this article by TLD ISAC:
https://www.tld-isac.eu/guidelines-for-a-resilient-dns/

Then I found myself commenting on LinkedIn.

"Very nice article!

Thanks for mentioning NLnet Labs NSD as one of the trusted name servers, along with Internet Systems Consortium, CZ.NIC, z.s.p.o. and PowerDNS. What surprises me is that with regards to resilience of these software solutions, the article just says to "run updates" to be prepared for vulnerabilities.

DNS service providers and TLD registries are ‘sectors of high criticality’ under the European #NIS2 directive. On the NIS2 supply chain security requirements, ENISA guidance says: “Ensure that support contracts cover the system life cycle and obsolescence management requirements, including the date until which the system must be supported”.

Thus, what would be a better recommendation is to have a support agreement with an SLA in place with one of these parties. This way, you get notified of vulnerabilities under NDA before they become public. At the same time, the agreement keeps the work of the #OpenSource software developer sustainable.

After all, when you purchase an HSM to keep your DNSSEC keys safe, budgeting to have a support agreement with the supplier in place is a no-brainer, so why not with the party who provides your critical #DNS name server software?"
