Continued Progress in African DNS Security
In the last six months, four more African countries have joined the ranks of those with country-code Top-Level Domains (ccTLDs) secured with DNSSEC: Burundi (.bi), managed by the Centre National de l’Informatique (CNI), Ethiopia (.et), managed by Ethio Telecom, Mali (.ml), managed by Agetic , and Nigeria (.ng), managed by NiRA. These domains have signed their zones and published information in the root zone of the DNS, meaning DNSSEC is now fully enabled for their domains.
The most recent of these, Nigeria's .ng domain, was signed and published on 15th February. Nigeria is the seventh most populous country in the world with a population of over 223 million so this represents a significant step in advancing the security of Internet users globally. NiRA have written about their work to deploy DNSSEC on their website.
CNI in Burundi also wrote about their excitement at reaching this milestone on their website as follows:
Burundi has taken a major step forward in Internet security. [DNSSEC] activation allows DNS responses to be authenticated, enhancing security and trust for Burundian users and businesses. This advance is part of the Coalition for Digital Africa initiative and the DNSSEC Roadshows, which aim to strengthen the resilience of African ccTLDs.
Other recent African additions to the list of signed ccTLDs are Burkina Faso (.bf) and Gabon (.ga) which signed their zones last year.
Read: Burkina Faso Secures Top-Level Domain.
Read: Gabon, Georgia, and Papua New Guinea Country Code Domains Go Secure
These four additions bring to 172 the number of countries that have DNSSEC-enabled ccTLDs. A further ten countries (Cabo Verde, Curaçao, Iraq, Nicaragua, Oman, Somalia, Turks and Caicos, Chad, Tonga, and British Virgin Islands) have started the process of DNSSEC-enabling their ccTLD by signing the zone. That leaves 66 ccTLDs unsigned. At current deployment rates, it might be another 10 years before we reach 100% coverage of DNSSEC in the ccTLD space.
Click play on the graphic below to observe the gradual expansion of DNSSEC deployment at ccTLD registries in Africa since 2010.
Signing the domain and installing security keys in the root zone of the DNS is only a first step to more widespread DNSSEC deployment, but it's an important one. Incentivising registrants to sign their domains is also key, as is encouraging ISPs to enable DNSSEC validation in the recursive resolvers they provide to their subscribers.
You can continue to observe the steady increase in ccTLD DNSSEC adoption and DNSSEC validation adoption via our Pulse Enabling Technologies page.
Learn more about DNSSEC
About the DNS and DNSSEC
Just about every Internet communication starts with a Domain Name System (DNS) lookup. The DNS is an essential piece of Internet infrastructure that translates human-friendly names (internetsociety.org) into computer-friendly numbers (2001:41c8:20::b31a). Like many other components of the Internet, the DNS started out without any security features in a vastly different Internet landscape.
Today, security and trustworthiness are vital foundations for the ongoing evolution and growth of a robust Internet that benefits users everywhere. DNS Security Extensions (DNSSEC) was developed to provide an additional level of security using cryptographic techniques to validate the authenticity of DNS information.
Photo by Towfiqu barbhuiya on Unsplash