DNSSEC adoption in Africa dimmed by other challenges

15.06.2009
Domain name system security adoption in Africa is likely to take a long time as the continent tackles more fundamental Internet issues such as local management, automation and full security for all country code top-level domain registries, say those involved in the process.

The domain name system is a key building block of the Internet, translating between host names and Internet Protocol addresses. DNSSEC is used to protect that translation process so that attackers cannot tamper with DNS answers and redirect Web traffic. DNSSEC defines how DNS records can be digitally "signed" using public key cryptography, allowing a resolver to verify that a record came from the zone's operator and was not altered in transit.

"DNSSEC adoption is a complicated process -- the infrastructure as well as the applications need to be able to handle it. Having DNSSEC implemented on DNS servers means little if there is no indication for a user that the site they are currently browsing has a signed DNS record or not," said Calvin Browne, a director at UniForum, the .co.za registry.

African registries face the challenge of implementation capability because most of them are not fully automated -- only Nigeria and Namibia have fully automated registries.

"If their current registry platform does not support DNSSEC, then it is not possible for that registry to implement DNSSEC. The registry would have to wait for an upgrade of the platform to one that supports DNSSEC," said Ndukwe Kalu, president of the Nigeria Internet Registration Authority.

The issue of registry ownership is a major challenge for many African countries. The re-delegation process takes time because most of them lack the technical capacity to make a smooth transfer, while others are still tracking down the current holders of their domains to negotiate training and the handover of the domains.

"When a country is not in control of the ccTLD, the implementation of DNSSEC would not be a priority; Africa must set a road map to have all ccTLDs managed locally in two years. This is very achievable," added Kalu.

Globally, the Internet Corporation for Assigned Names and Numbers has taken a clear stand on DNSSEC deployment with test beds and research on deployment; this will definitely encourage registries, said Vika Mpisane, the president of the Africa Top Level Domain organization.

DNSSEC requires the root zone to be signed, which is coordinated by ICANN, and then others in the chain, such as registries and ISPs, can follow.

"To complete the loop to the client, the distribution chain for DNS queries has to be DNSSEC-capable as well. Name servers of registrars, ISPs and other name server providers must be DNS-capable," Kalu said.
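The chain of trust the two preceding paragraphs describe (a signed root, then registries, then the resolvers at ISPs and registrars that must be able to validate) is sketched below as an added example; it is not code from the article or from any of the registries named. It is a deliberately small model: each zone has one Ed25519 key pair standing in for its DNSKEY, the parent publishes a DS digest of the child's key and signs it, and a validating resolver trusts only the root key it is configured with, accepting every lower key solely because the parent's DS record matches it. Assumed simplifications: the DS digest hashes the raw key rather than the full DNSKEY RDATA (real RDATA also carries flags, protocol and algorithm fields), signature validity windows and NSEC records are omitted, each zone has a single child, and the zone names ("tld.", "registry.tld.") are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Zone is a toy model of one signed zone in the chain: its name, the key pair
// standing in for its DNSKEY, and the DS record (plus signature) it publishes
// for its single child. Constructed for illustration, not a real registry.
type Zone struct {
	Name       string
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	ChildDS    []byte // digest committing to the child's public key
	ChildDSSig []byte // this zone's signature over (child name || ChildDS)
}

// wireName encodes a DNS name as length-prefixed labels ending in a zero byte,
// the form RFC 4034 uses as input to the DS digest.
func wireName(name string) []byte {
	var b bytes.Buffer
	name = strings.TrimSuffix(name, ".")
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			b.WriteByte(byte(len(label)))
			b.WriteString(label)
		}
	}
	b.WriteByte(0)
	return b.Bytes()
}

// dsDigest follows the RFC 4034 DS construction, SHA-256 over the owner name in
// wire format followed by the key. Real DNSKEY RDATA also carries flags,
// protocol and algorithm fields before the key; this toy hashes the raw key.
func dsDigest(childName string, childPub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(wireName(childName))
	h.Write(childPub)
	return h.Sum(nil)
}

// NewZone generates a fresh signing key for a zone (Ed25519, DNSSEC algorithm 15).
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// Delegate publishes the DS record for a child zone and signs it with the
// parent's key; this is the link a parent registry adds for each signed child.
func (z *Zone) Delegate(child *Zone) {
	z.ChildDS = dsDigest(child.Name, child.Pub)
	z.ChildDSSig = ed25519.Sign(z.priv, append(wireName(child.Name), z.ChildDS...))
}

// Validate is the resolver side: starting from a configured trust anchor (the
// root key), it checks at every level that the parent's DS record carries a
// valid signature and matches the key the child presents. Only the anchor is
// trusted a priori; every other key is accepted solely via its parent's DS.
func Validate(anchor ed25519.PublicKey, chain []*Zone) error {
	trusted := anchor
	for i := 0; i < len(chain)-1; i++ {
		parent, child := chain[i], chain[i+1]
		msg := append(wireName(child.Name), parent.ChildDS...)
		if !ed25519.Verify(trusted, msg, parent.ChildDSSig) {
			return fmt.Errorf("DS record in %q for %q has no valid signature", parent.Name, child.Name)
		}
		if !bytes.Equal(parent.ChildDS, dsDigest(child.Name, child.Pub)) {
			return fmt.Errorf("DS record in %q does not match the key presented by %q", parent.Name, child.Name)
		}
		trusted = child.Pub
	}
	return nil
}

func main() {
	// Constructed three-level chain: root -> a ccTLD -> a second-level zone.
	root, tld, zone := NewZone("."), NewZone("tld."), NewZone("registry.tld.")
	root.Delegate(tld)
	tld.Delegate(zone)
	fmt.Println("DS for tld. in root:", hex.EncodeToString(root.ChildDS))
	fmt.Println("valid chain:", Validate(root.Pub, []*Zone{root, tld, zone}))
	// A substituted leaf key fails at the DS comparison.
	forged := NewZone("registry.tld.")
	fmt.Println("forged leaf:", Validate(root.Pub, []*Zone{root, tld, forged}))
	// Without the real root key as anchor (an unsigned or untrusted root),
	// nothing below it can be validated.
	fmt.Println("wrong anchor:", Validate(NewZone(".").Pub, []*Zone{root, tld, zone}))
}
```

The three calls in `main` map onto the article's points: a complete chain validates only when every registry in the path has published a signed DS for its child, a substituted key at any level is rejected at the DS comparison, and a resolver that lacks the real root key as its anchor cannot validate anything beneath it, which is why the unsigned root was listed as an obstacle.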

Recently, ICANN announced that it will work with the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST) and VeriSign on an operationally signed root zone this year.

The challenges of human capacity and awareness, cost of deployment, and lack of customer demand have also held Africa back. For instance, in Kenya, out of 800 techies who are members of the skunkworks mailing list, only one can do DNSSEC validation for a client.

AfTLD and AfriNIC have identified this gap and have undertaken training on the importance of implementation, although the issue is part of the wider security challenge that most registries face.

The general lack of awareness and understanding of DNSSEC has led to over-estimation of the expense and difficulty of implementation, with registries choosing to handle the basics such as automation and re-delegation first.

"There are other challenges that are unique to Africa such as low penetration, which leads to a smaller user base. These are also our advantages when it comes to implementation and training," Browne said.

A 2007 DNSSEC study by ICANN involving 18 African ccTLDs found that most registries are likely to adopt DNSSEC, mostly to improve business confidence in the Internet and to help minimize fraudulent use of the Internet.

The study also found that the fact that the root is not signed was considered an obstacle by some registries globally. The complexity of the technology, particularly for the end-user, was also identified as a common problem for registry operators.