DNS today without DNSSEC is a "forgiven" system
"Forgiven system" may sound too rude, but it seems to be the reality. The title of this blog post comes from a statement made by one of the participants in a breakout session on DNSSEC at the 2015 edition of the Africa DNS Forum in Nairobi, Kenya.
The session, with almost 50 participants, was a technical roundtable on DNSSEC that I moderated. The key experts on the panel, namely Olaf Kolkman (Internet Society), Joey Abley (DYN), Mark Elkins (DNS) and Phil Regnault (NSRC), shared their views and the lessons learnt from their extensive experience of how DNSSEC gives one more level of security.
So why are African ccTLDs not moving fast? The problem is part of the general situation of African ccTLD registries. To date, we have only a few validly structured organizations managing country top-level domain names. However, it's not all doom and gloom. There are good signs that the various stakeholders in most countries are waking up to the need to make their ccTLDs one of the key elements necessary to develop Africa's footprint on the Internet.
When the first Internet gateways were installed in Africa, there was no real confidence in the technical staff managing the ccTLDs. This was one of the reasons people did not register their domain names under these ccTLDs but instead opted to use gTLDs such as .com. The other main factor was the registration and annual maintenance fees for a domain, which cost over 100 USD in many African countries at the time. Today, technical staff have gone through extensive training and are well equipped to handle this and other online security issues that African Internet users face. However, registrants are still not very confident choosing their ccTLDs, which is why faster adoption of DNSSEC by ccTLDs could really help restore this confidence.
During the breakout sessions at the DNSFORUM 2015, "technical capacity of the ccTLD registry" was pointed out as one of the requirements for moving to implementation of DNSSEC. This is something the registries present at the forum stressed they are continuously working to improve and to spread awareness of. The DNSSEC breakout session was definitely an opportunity to share some of the solutions for capacity building, like online training resources provided by ICANN, AFRINIC and AFNOG workshops (dnssec-africa.org, ISOC Deploy360, NSRC). It was also agreed that sharing experience between the registries is a factor that could really help in moving this forward and expanding penetration in Africa.
Cognizant of the importance of DNSSEC, our ICANN Africa strategy implementation includes a project that we call the DNSSEC Roadshow. This is a three-day event that includes general awareness for all stakeholders and technical training targeted at engineers and technicians, with the last day dedicated to the ccTLD registry for assessment and roadmap definition toward DNSSEC implementation. To date, more than 10 countries have hosted such events, with positive feedback and reports of a plan to move to the next phase, signing their zone. But this is not enough; constructive action is needed. They need to make the commitment to sign, and that is what we are still waiting to happen. Our hope, as one of the contributors to the development of the Internet in Africa, is to reach the point where registrants are more informed and confident to register names under their ccTLD.
Another article on the topic: http://www.cso.com.au/article/580361/africa-needs-better-online-security-experts-say/