
DNS today without DNSSEC is a "forgiven" system


"Forgiven system" may sound too rude, but it seems to be the reality. The title of this blog is taken from a statement made by one of the participants during a breakout session on DNSSEC at the 2015 edition of the Africa DNS Forum in Nairobi, Kenya.

The session, with almost 50 participants, was a technical roundtable on DNSSEC moderated by myself, with key experts on the panel, namely Olaf Kolkman (Internet Society), Joey Abley (DYN), Mark Elkins (DNS) and Phil Regnault (NSRC), who shared their views and the lessons learned from their extensive experience of how DNSSEC adds one more level of security.

So why are African ccTLDs not moving faster? The problem is part of the general situation of the African ccTLD registries. To date, we have only a few properly structured organizations managing a country's top-level domain name. However, it is not all doom and gloom. There are good signs that the various stakeholders in most countries are waking up to the need to make their ccTLDs one of the key elements in developing Africa's footprint on the Internet.

When the first Internet gateways were installed in Africa, there was no real confidence in the technical staff managing the ccTLDs. This was one of the reasons people did not register their domain names under these ccTLDs but instead opted for gTLDs such as .com. The other main factor was the registration and annual maintenance fee for a domain, which cost over 100 USD in many African countries at the time. Today, the technical staff have gone through extensive training and are well equipped to handle this and the other online security issues that African Internet users face. However, registrants are still not very confident in choosing their ccTLDs, which is why faster adoption of DNSSEC by ccTLDs could really help restore this confidence.

During the breakout sessions at the DNSFORUM 2015, "technical capacity of the ccTLD registry" was identified as one of the requirements for moving to the implementation of DNSSEC. The registries present at the forum stressed that this is something they are continuously working to improve and to raise awareness of. The DNSSEC breakout session was definitely an opportunity to share some of the solutions for capacity building, such as the online training resources provided by ICANN, the AFRINIC and AFNOG workshops, ISOC Deploy360 and NSRC. It was also agreed that sharing experience between the registries is a factor that could really help move this forward and expand DNSSEC penetration in Africa.

Cognizant of the importance of DNSSEC, our ICANN Africa strategy implementation includes a project that we call the DNSSEC Roadshow. This is a three-day event that combines general awareness for all stakeholders with technical training targeted at engineers and technicians, with the last day dedicated to the ccTLD registry for an assessment and the definition of a roadmap toward DNSSEC implementation. To date, more than 10 countries have hosted such events, with positive feedback and reports of a plan to move to the next phase: signing their zone. But this is not enough; constructive action is needed. They need to make the commitment to sign, and that is what we are still waiting to happen. Our hope, as one of the contributors to the development of the Internet in Africa, is to reach the point where registrants are more informed and confident about registering names under their ccTLD.
