When we need to browse the Internet, we open a web browser and type in names. We memorise a number of Internet names, the ones we use most often. We are, however, reminded every now and then that the Internet works with numbers (digits), and humans cannot cram those numbers into memory to represent our web pages. There is therefore a system which translates Internet names (known to humans) into Internet numbers (known to computers and the Internet). This system is referred to as the Domain Name System (DNS).
The working of the Domain Name System (DNS) is simple: a user with a DNS request sends a plain-text request to the name server, which processes it and returns the result to the user, still in plain text. This has been the mode of operation of DNS since time immemorial. Since the protocol is this simple, its implementation is simple too, and its maintenance is likewise simple from the outset. The time taken to receive a request from the user, process it and forward the response back is also minimal.
With the growth of ever more sophisticated packet sniffing and line-listening applications, communication in plain text has been exposed to numerous problems. DNS in particular is threatened by packet interception. In this case, the user makes a DNS request to the name server over an insecure (plain-text) channel, and the name server returns its response along the same channel, which is open to packet sniffers. Those sniffing the packets can use this to mislead users to wrong websites, carry out DNS poisoning and many more dangerous acts.
In an attempt to mitigate packet interception, the user digitally encrypts his requests using public digital encryption keys and sends only digitally signed requests. Upon reception, the name server checks the integrity of the request. The name server works on the request and also encrypts the response, which the receiver decrypts upon reception after checking its integrity. With this method the effect of man-in-the-middle attacks on DNS functionality is minimised. This addition to DNS is known as DNSSEC.
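The integrity check described above, as an added example that is not part of the original post: the zone signs its answer RRset with its private key and a validating resolver checks the signature with the zone's public key, so an answer altered on the path fails validation. It uses Ed25519 (DNSSEC algorithm 15), simplifies the RFC 4034 canonical form to text, and leaves out RRSIG fields and the DS chain of trust; www.example and its addresses are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record: owner name, type, TTL and RDATA.
type RR struct{ Name, Type string; TTL uint32; Data string }

// canonical builds the bytes the zone signs and the validator checks. It mirrors
// RFC 4034's canonical RRset form (owner lower-cased, records sorted) but uses
// presentation text instead of wire format, a simplification for this example.
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, rr := range rrs {
		lines[i] = fmt.Sprintf("%s %d IN %s %s", strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Data)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Sign is the zone side: an RRSIG-style signature over the RRset with the
// zone's private key (Ed25519 is DNSSEC algorithm 15, RFC 8080).
func Sign(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonical(rrs))
}

// Validate is the resolver side: recompute the canonical form of the answer
// actually received and check the signature with the zone's public key.
func Validate(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrs), sig)
}

// Demo signs a constructed answer for www.example, then validates the genuine
// answer and one whose address was swapped by a third party on the path.
func Demo() (genuineOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	answer := []RR{{"www.example.", "A", 300, "192.0.2.10"}}
	sig := Sign(priv, answer)
	forged := []RR{{"www.example.", "A", 300, "198.51.100.99"}} // altered in transit
	return Validate(pub, answer, sig), Validate(pub, forged, sig)
}

func main() { fmt.Println(Demo()) } // prints: true false
```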
By the year 2010, only one African country had work to do with DNSSEC; by the year 2012, seven countries had work to do with DNSSEC at different levels of implementation [1]. This low adoption of DNSSEC in developing Africa, despite its known importance, can be attributed to a number of reasons, some of which are:
Inertia of mindsets. Given the success of DNS, many people are uncomfortable with the idea of changing its implementation. People fear that the introduction of DNSSEC will destabilise the already stable DNS service delivery. Many people have not seen the importance of DNSSEC and are not willing to make changes. People who believe in 'don't fix it unless it's broken' will not allow DNSSEC implementation unless they themselves have been affected by man-in-the-middle attacks.
At the application level. For users to actually realise the benefits of DNSSEC, and to boost its uptake, users have to be able to tell whether the site they are visiting is signed or not. Currently I have been able to tell this only with Mozilla and Chrome. The remaining web browsers have not committed yet, according to Kevin Murphy. If users are not informed about DNSSEC, they will never demand it, and if it is not demanded, web browser developers will never build DNSSEC-ready browsers.
Inter-registrar transfers. When a domain is transferred between registrars that handle their own DNS services, the transfer is easy, since the DNSSEC data of the domain moves along with it. The matter is different where the registrars depend on a third party to handle DNS. In a situation where DNS is handled by another, third-party company, DNSSEC becomes a problem.
DNS packet size. It is evident that DNS was designed to work with small message sizes: the user sends a plain-text request, which is answered with another plain-text response. With the addition of signing and encryption, the message size increases, and the increase can range from 4 to 14 times the original size according to ISC [2]. With this increase in size, it is possible that some zone administrators and ISPs will have to overhaul their infrastructure to handle the change, something that comes with additional capital costs. There is no data to show that Africa is affected by this factor, but it is not right to ignore it.
What is being done to address the adaptation rates?
Whenever a new product comes to market, it faces the challenge of inertia. Unless people (the buyers) appreciate the benefit of the commodity, it is bound to suffer low uptake. In a bid to have all stakeholders appreciate the benefits and workings of DNSSEC, Internet action groups like Diplo, ISOC, ISC [3] and others are investing in sensitisation and education of all stakeholders. ICANN, on the other hand, is carrying out sensitisation on its website and encouraging private partners who can carry out commercial trainings. The major DNSSEC activity in Africa is sensitisation and capacity building by the registrars and ccTLD managers [4].
What should be done to change the way of things?
As was the case for the high uptake of DNSSEC at CZ.NIC, incentives for registrars and ISPs could be considered. If all ccTLDs could get signed through different incentives, it could drive the uptake of DNSSEC in Africa to another level. It could also increase the popularity of DNSSEC and reveal its evident benefits to the people.
Although sensitisation and capacity building are being done, more still needs to be done. Very few people know about DNSSEC, which I am sure hampers demand for it. With little demand, few business-oriented people are willing to invest in DNSSEC. If all banks in Africa, say, asked for their domains to be signed, it would have an impact on the uptake of DNSSEC in Africa.
Regulation could also help. If policy makers came out openly in favour of signing domains in their countries, it could create an impact. It has been noted that political will is also still missing in Africa; although it might not be of great impact, at the level of policy making it is required.
It is without doubt that we need DNSSEC to mitigate a number of risks on the Internet today caused by man-in-the-middle attacks. However, the people who benefit most from the service do not usually mind whether it is deployed or not. The uptake might have to come from policy making and legislation, but it will certainly take time in Africa to have all domains signed.
InterConnect Communications, MC / 080: DNSSEC Deployment Study - Final Report. Available at: http://stakeholders.ofcom.org.uk/binaries/internet/domain-name-secu...
[3] ISC, Internet Systems Consortium