Africa opts for slow DNSSEC adoption

10.01.2010
Africa's Top Level Domain registries have opted for a slow adoption of Domain Name System Security Extensions, hoping to learn lessons from countries that pioneered the process.

After two years of testing, the Internet Corporation for Assigned Names and Numbers (ICANN) will launch the DNSSEC-signed DNS root zone this month. The process, known as root signing, will be introduced gradually to the root servers and should be finalized by July this year.

Adoption of DNSSEC will increase the complexity of DNS communication, and there is no consensus on whether it will have harmful side effects. Some experts predict that registries in low-bandwidth areas that use old, preconfigured equipment will have problems accessing the Internet, while others predict there will be no harmful side effects.

"ICANN is now working with the National Telecommunications and Information Administration (NTIA) and VeriSign to ensure that a DNSSEC-signed DNS root zone will be fully available in 2010, with significant progress already made," said Rod Beckstrom, ICANN CEO and president.

A survey conducted by the Country Code Name Supporting Organization found that only 7 percent of country code registries had implemented DNSSEC, but Beckstrom says that in 2009, 25 percent of the registries implemented DNSSEC, and 80 percent of the remaining registries plan to adopt it but have no timeframe.

"DNSSEC changes authoritative DNS by making it more complex, more brittle (easier to break things) and increases the traffic involved in resolving DNS, all of these point to the fact that maybe a slow adoption of DNSSEC is a good idea," said Calvin Browne, a director at UniForum, the administrator of the .co.za domain name.

Many African countries have chosen to train registry managers first before implementing changes to their infrastructure. Other countries have problems running the registry itself, let alone DNSSEC.

"With any critical infrastructure it's important to be careful, which is why the root is being signed in such a measured and controlled fashion; it is true that there is concern over some aspects, like the increased size of DNS responses from root servers, and there is measurement and analysis work going on now to help clarify how much of a problem that is," said John Crain, Senior Director in charge of security, stability and resiliency.

"During ICANN and Africa TLD organization meetings in March, there will be training for African ccTLD registry managers on DNSSEC," said Joe Kiragu, administrative manager at Kenic, the .ke registry.

Some of the countries that have adopted DNSSEC offer it as a value-added service for companies that need additional security, such as online financial services and other e-commerce platforms.

Experts in Africa argue that it would be easier for African registries to adopt DNSSEC, given that most of them have few domains compared to registries in the west that have millions of domains.

"Africa has an advantage in terms of management of domains because they are few compared to other countries; it may be an opportunity for Africa's budding e-commerce to take off on a fully secure environment," said Michuki Mwangi, senior education manager at the Internet Society and a former president of AfTLD.

South Africa (.za) has the highest number of domains, while Kenya, Uganda, Nigeria, Namibia, Tunisia, Tanzania and Egypt have stable registries. However, the number of domains is yet to hit a million for the whole continent.

"Some aspects of DNSSEC for a registry are made easier when the registry contains a small number of domains, but many other aspects are the same regardless of how many domains are registered," said ICANN's Crain.

Mwangi adds that although e-commerce has worked in the west without DNSSEC, people in Africa still have security concerns about online banking transactions, given the phishing attacks that have redirected customers to different sites.

"There is no doubt that more stringent security measures will be needed to establish authenticity of source but DNSSEC will ensure end users will be directed to the bank's servers and minimize phishing attacks," Mwangi added.

Although there is no requirement that all countries adopt DNSSEC, Crain says that the experience of registries that have adopted it will allow other registries and those responsible for the root zone to better understand the implications of root signing.

The fifth annual survey of DNS on the public Internet, released in November last year and conducted jointly by The Measurement Factory and Infoblox, found the situation both frightening and hopeful.

"Of particular interest is the enormous growth in the number of Internet-connected name servers, largely attributable to the introduction by carriers of customer premises equipment (CPE) with embedded DNS functionality," said Cricket Liu, vice president of architecture at Infoblox. "This equipment represents a significant risk to the rest of the Internet, as without proper access controls, it facilitates enormous DDoS [distributed denial of service] attacks."

Although no African country has been the subject of a DDoS attack, increased investment in Internet infrastructure and the affordability of bandwidth to end users are likely to give rise to a new breed of Internet criminals.

"DNSSEC adoption does not mean other security risks will be solved, end users will have to be careful of typo errors, passwords; more end user security awareness is still needed," concluded Mwangi.