
Two Years of Supporting DNSSEC Deployment in Africa and the Middle East

27 October 2022
By Yazid Akanho

The Domain Name System (DNS) is a critical service on the Internet. As more and more attacks exploit DNS vulnerabilities, security is increasingly a concern. ICANN has been supporting DNS Security Extensions (DNSSEC) deployment for many years through various initiatives and capacity-building programs. Such efforts have intensified over the past two years with the regionalization of its technical engagement coverage.

DNSSEC is one of the solutions used to help secure DNS resolution. Domain registrants, system administrators, or DNS operators sign the DNS resource records in the zone files served by authoritative name servers, using public key cryptography and hashing algorithms. Validating recursive resolvers, usually located in Internet service provider (ISP) infrastructure or inside corporate networks, verify the authenticity and integrity of the DNS answers they receive for signed domains. This operation is called DNSSEC validation. It helps prevent the introduction of forged records into resolver caches (cache poisoning) and confirms that the DNS data received for signed domains comes from the authenticated authoritative name servers and has not been modified in transit. Signing domains and validating DNS data are complementary; both should be adopted as DNS best practice.

We would like to share some of our recent efforts and experiences in promoting and supporting DNSSEC adoption in Africa and the Middle East region, starting with the publication of the DNSSEC Deployment Guidebook for ccTLDs (OCTO-029) in the six official U.N. languages. In our regions, we are engaging with those who speak a range of languages, and we believe that this step-by-step guideline will benefit a large audience.

We have also emphasized assisting country code top-level domains (ccTLDs) to use DNSSEC to secure their zones. We do so by walking them through a DNSSEC readiness assessment, providing them with a combination of training and technical support to help familiarize them with DNSSEC signing operations. Using a test environment, we also highlight the challenges of their specific setup and help them improve the documentation of their operations.

We are delighted to see that some ccTLDs have used these capacity-development tools and processes to improve their skills and move forward in their projects. For example, we are proud to see ccTLDs such as .ci and .rw recently sign their zones with DNSSEC. Other ccTLDs are actively working through the deployment process. We also continue to encourage and offer our assistance to the many others that have yet to secure their DNS, and we look forward to seeing them start the process.

Besides zone signing, we have also assisted a dozen network operators (mainly ISPs) and mobile network operators in Africa and the Middle East with activating DNSSEC validation on their recursive resolvers. Today, activating DNSSEC validation is quite straightforward on almost all recursive resolvers. However, some pre-activation sanity checks are recommended, particularly in a production environment: EDNS(0) support, TCP connectivity on port 53, time synchronization, a correct root trust anchor, and so on.
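The pre-activation checks listed above, as an added example script that is not ICANN's tooling: it assumes the BIND utilities dig(1) and dnssec-dsfromkey(1) are installed, takes the resolver address as its first argument, and reads the expected root KSK key tag from the hypothetical EXPECTED_KSK_TAG variable (20326, the KSK-2017 tag, is only a default to re-check against IANA's root-anchors.xml). The parsing helpers take dig output on stdin, so they can be exercised offline.

```shell
#!/bin/sh
# Pre-activation sanity checks for a recursive resolver, run before DNSSEC
# validation is switched on. Added example, not ICANN tooling. Assumes the
# BIND utilities dig(1) and dnssec-dsfromkey(1); the resolver IP is argument 1.
# EXPECTED_KSK_TAG: key tag of the root KSK taken from IANA's root-anchors.xml
# (20326 is KSK-2017 at the time of writing; re-check it before relying on it).
EXPECTED_KSK_TAG="${EXPECTED_KSK_TAG:-20326}"

# --- parsers over dig/dnssec-dsfromkey output on stdin ---------------------
# EDNS(0) pseudo-section present and the DO bit echoed back?
has_edns_do() { grep -q '^; EDNS: version: 0, flags: do'; }
# Query answered at all (NOERROR or NXDOMAIN) rather than SERVFAIL/timeout?
query_ok() { grep -Eq '^;; ->>HEADER<<- opcode: QUERY, status: (NOERROR|NXDOMAIN)'; }
# Header flags carry AD, i.e. the resolver validated the data?
has_ad_flag() { grep -q '^;; flags:.* ad[ ;]'; }
# Is the given key tag among the DS records derived from the served KSKs?
ds_has_tag() { awk -v tag="$1" '$4 == tag { found = 1 } END { exit !found }'; }

# --- the four pre-activation checks ----------------------------------------
# 1. EDNS(0): a +dnssec query sets DO; a middlebox stripping EDNS drops it.
check_edns0() { dig @"$1" +dnssec +bufsize=1232 . SOA | has_edns_do; }
# 2. TCP 53: DNSKEY/RRSIG answers exceed UDP limits and fall back to TCP.
check_tcp53() { dig @"$1" +tcp +dnssec . DNSKEY | query_ok; }
# 3. Time sync: RRSIG validity windows are compared with the local clock,
#    so a skewed clock makes every signed zone SERVFAIL after activation.
check_time_sync() {
    [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes" ] ||
        chronyc tracking 2>/dev/null | grep -q 'Leap status *: Normal'
}
# 4. Root trust anchor: the KSK tag you configured must match a KSK (flag 257)
#    actually served in the root DNSKEY RRset seen through this resolver.
check_trust_anchor() {
    dig @"$1" . DNSKEY | dnssec-dsfromkey -2 -f - . | ds_has_tag "$EXPECTED_KSK_TAG"
}
# Post-activation: a signed query for the root must now come back with AD set.
verify_validation() { dig @"$1" +dnssec . SOA | has_ad_flag; }

run_all() {
    rc=0
    for check in check_edns0 check_tcp53 check_time_sync check_trust_anchor; do
        if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
    done
    return "$rc"
}
# Only touch the network when a resolver address is given, e.g. `sh precheck.sh 127.0.0.1`.
if [ $# -gt 0 ]; then run_all "$1"; fi
```

Run it once per resolver before activation, and call verify_validation on each resolver afterwards to confirm answers are actually being validated.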

Our support has mainly consisted of helping operators not only understand the importance of DNSSEC validation, but also pay attention to the prerequisite checks. We support them through the verification process and assist them in activating and testing validation on each of their recursive resolvers. In the beginning, some were reluctant to make changes that could potentially disrupt their services to customers. Once they began working with us, however, they became more comfortable and confident making these improvements, as they had a clearer view of the components involved and of the mitigation measures available should issues arise.

Africa and the Middle East have some of the lowest DNSSEC adoption rates in the world. Although we have made progress, we still have much to do. According to Asia Pacific Network Information Centre (APNIC) Labs, the rate of DNSSEC validation in Africa has risen over the last two years from less than 25% to 30%, and it remains around 50% in the Middle East. We continue to work with our partners to increase DNSSEC adoption in both regions.

We will continue to deliver training and support to operators in the region to deploy DNSSEC signing and validation. In this way, our team is helping to improve the security and resiliency of the Internet. The new KINDNS program that ICANN launched last month is an additional tool in our kit to help operators improve their DNS operation security.

Our course catalog is available online. If you have any questions, concerns, or require support on the DNS in general and DNSSEC deployment in particular, feel free to contact us at octo@icann.org and we will be happy to assist.

Authors

Yazid Akanho
Technical Engagement Senior Specialist