Photo of the back of a man wearing a white shirt that says Security on it

DNSSEC and RPKI Deployment: A New Narrative

Picture of David Huberman
Guest Author | ICANN
Categories:
Twitter logo
LinkedIn logo
Facebook logo
March 20, 2024

When we think about organizational cybersecurity, we are interested in protecting our systems, people, and assets from intrusion and malfeasance.

We spend a lot of time and money hardening our infrastructure by implementing best current practices around cyber hygiene (such as requirements on password length and rotation and training for our employees to ensure they do not fall prey to cybercriminal schemes), by patching our operating systems and our application software and by establishing all kinds of monitoring and detection to safeguard our systems.

But at a deeper layer than our systems, our applications, and our employees is a set of network elements that also must be protected:

  • The IP addresses we assign to our boxes.
  • The Autonomous System Numbers (ASNs) we use to define our networks.
  • The domain names we assign to devices.
  • The system of interdomain routing which enables us to share data packets with networks around the world.

All these elements use protocol standards, which are very old and not designed with any security in mind. For example, the Domain Name System (DNS) was invented by Paul Mockapetris and standardized in November 1983. The routing system we use is called Border Gateway Protocol (BGP), and the current version of BGP that everyone uses is from March 1995.

These 30 and 40-year-old protocol standards are used in almost every network across the Internet today and are essentially unchanged from their original specifications. They stick around because they solve the most challenging problem in computing: scale. DNS and BGP enable infinite scalability at negligible cost to individual operators. And because everyone leveraged DNS and BGP, the Internet grew from a military and academic experiment to a ubiquitous platform worldwide.

Why DNS and BGP need to be secured

When these two essential systems are not secured, there are “back doors” into our networks for hackers and criminals. Their security needs to be considered as part of a well-formed cybersecurity strategy. This strategy ideally includes demanding secure-by-design services and devices during information communication technology (ICT) procurement activities.

The Internet Standards, Security, and Safety Coalition — IS3C — was formed as a United Nations Internet Governance Forum Dynamic Coalition to help organizations achieve this. The coalition comprises key stakeholders from the technical community, civil society, government policymakers, regulators, and corporate and individual adopters. It aims to make online activity and interaction more secure and safer by successfully deploying existing security-related Internet standards and ICT best practices. 

As part of its work, IS3C formed a working group on the importance of persuading organizational decision-makers to adopt two Internet standards, which help bolster their cybersecurity profile:

  • Domain Name System Security Extensions (DNSSEC), which enable us to detect unauthorized changes in DNS data and develop tools to better secure the DNS.
  • Resource Public Key Infrastructure (RPKI), which provides the necessary infrastructure to build the tools needed to secure routing better.
Line graph showing the percentage of all ccTLDs that have adopted DNSSEC and global DNSSEC validation
Figure 1 — Percentage of ccTLD registries with operational DNSSEC and global DNSSEC validation rate. Data sources: ICANN and APNIC.

Help Bring DNSSEC and RPKI to the Attention of Decision Makers

With my ICANN hat on, I co-chair this working group with my friend and colleague, Bastiaan Goslings. Our current effort is to forge a new narrative to convince organizational decision-makers to adopt RPKI and DNSSEC in their infrastructures. We do so by framing their importance in corporate terms, such as adhering to a duty of care, reducing financial risks, improving regulatory compliance, and other factors that C-suite occupants deal with regularly.

But we need your help! 

Our proposed narrative is out for public consultation through 5 April. Please read our new message and provide your critical commentary and helpful suggestions on improving it. 

Working together can make the Internet safer and our networks more secure. You can share your ideas and views with IS3C in the draft text. The document will be adapted in the next phase according to your input. The publication is expected in May 2024.

Learn more about IS3C’s activities, reports, and tools, or become a member via our website.

David Huberman works for the Office of the CTO at ICANN and is co-chair of IS3C working group 8.