An Insider’s Look: DNS Security at the 7th Africa DNS Forum

by Joe Abley, Chief Technology Officer, Public Interest Registry

Nestled between Kgale and Oodi Hills on the Notwane River, under blue skies and cooled delicately by a fresh winter breeze, scenic Gabrone in Botswana was the African oasis for several hundred delegates as they convened for the 7th annual Africa DNS Forum. Started in 2013, the Africa DNS Forum was organised this year by the Africa Top Level Domains Organisation (AfTLD), the AfRegistrar Association and the Internet Corporation for Assigned Names and Numbers (ICANN).The event took place from 22 – 24 July 2019 at the Avani hotel. Part of PIR’s mission as a registry operator is to understand and inform the wider global industry in which we operate through participation in these kinds of industry events.

The Africa DNS Forum attracts participants from all over the continent, across the spectrum of registrars, country-code and generic Top-Level Domains (gTLD) registries, policymakers, regulators and operators. Registrars are organisations that manage the registration of internet domain names for one or more TLDs while registries operate and maintain the administrative data for one or more TLDs. I was invited to participate in a panel leading a discussion about Domain Name System (DNS) security with Angela Matlapeng of the Botswana Communications Regulatory Authority (BOCRA), Michele Neylon of the registrar Blacknight and Kevin Chege of the Internet Society (ISOC).

For a long time, discussions about security in the DNS have revolved around DNSSEC: the benefits, success stories in deployment and what we can do to encourage more of it. The DNSSEC protocol protects against forms of domain hijacking and provides an important component in a layered defence strategy for anybody wanting to make sure their online presence is secure and trusted. The nice thing about conversations with a more business-focused group is that we can talk more broadly about the subject of security. DNSSEC plays an important part of securing particular aspects of the infrastructure, but if we consider the whole spectrum of risk to people who register domain names and to Internet users in general, it’s clear that there are other areas that also need attention. In this session we focused on two main topics: 1) the upswing of interest in end-user privacy and the ongoing effort to standardise encrypted DNS transport protocols, and 2) the importance of strong authentication in the systems and services provided by DNS registries and registrars.

In the last decade since DNSSEC was launched in the root zone of the DNS, we have seen much deployment, although arguably not as much as we would have liked. DNSSEC is far from ubiquitous in registries and registrars, and even when it’s available it’s often not used. Although there is always more work to do in education, what becomes clearer every year is that there is a tension between cost and benefit that does not always result in a straightforward business case in favour of deployment. The people who bear the costs are not the ones who see the benefit, and the people who see the benefit can’t always tell that it’s there. It turns out this is not a recipe for universal admiration.

A different set of tensions surround the issue of DNS privacy, none of which are new and almost all of which are predictable. In the DNS, this tension has most recently been seen between individual end-users of the Internet and the operators of the networks they use. An individual might have an expectation of privacy when they use the Internet, and the way in which a user uses the DNS can sometimes reveal patterns or destinations that they would prefer not to disclose. A network operator, on the other hand, might want to monitor and in some cases control the use of the DNS on behalf of the end-user: think of an office network manager who wants to stop staff laptops from downloading viruses by blocking the domain names used to host them, or parents who want to try and make sure their children at home can’t visit web sites that host unsuitable content. Each of the people in these examples have legitimate reasons for wanting reasonable things, but privacy and control aren’t always compatible: you typically can’t have both. There’s a tension.

When it comes to strong authentication, there’s a third set of tensions to think about. As has been thoroughly explored in some recent, high-profile events, it’s vitally important that people’s domain name assets are secure. You can pour any amount of money into DNSSEC, into network and data security and your investment won’t matter if an attacker can log in to your account and point your domain at their own servers. Even worse, you might not notice that your domain has been meddled with, which most likely means access to your e-mail—and every other system that lets you reset a password with an e-mail which, let’s face it, is probably most of them.

Strong authentication is not just for registrars and registrants—it’s for everybody who uses any service where access is controlled. But the impact of weak authentication is especially harsh when it comes to domain names, since the consequences of losing control are so serious. The tension was highlighted by Michele who noted, based on his experience as a registrar, the more complicated you make it for someone to log in, the harder they find your service to use and the more likely they are to take their business elsewhere. The need to protect the customer is sometimes in conflict with the need not to lose the customer.

All of these examples demonstrate different tensions, and each of them illustrates an end-goal that is either hard to agree on or hard to reach. It’s clear that more work is required; the difficulty sometimes is recognising that not all of these problems have technical solutions. To address these challenges objectively and comprehensively requires a broad set of backgrounds and perspectives and in some cases the ability to recognise that you cannot find a solution that will please everybody. Success is sometimes first understanding that a problem is hard, and then not being afraid to look for solutions. The Africa DNS Forum is a gathering of different people who understand the industry policy, business, technology and civil society. We gather to identify and productively work towards solving issues, contributing to the smooth operation of the Internet.