By Adeola A. P. AINA
March, 2023
Tracking DNSSEC deployment has been a continuous activity since the DNSSEC-bis protocol set became available. Several efforts and initiatives were launched to help with sensitization, adoption, and deployment. In Africa, the DNSSEC roadshow project was conducted between 2013 and 2017 in accordance with the ICANN African strategy. More details at https://dnssec-africa.org.
“Here we use the data collected there and from other sources to have a look at DNSSEC in AFRICA”.
According to “dnssec-africa.org”, as seen on 21 March 2023, twenty-four (24) ccTLDs were signed with a DS in the root zone, three (3) ccTLDs were signed without a DS in the root zone, and thirty-one (31) ccTLDs remained unsigned. Of the signed zones, ten (10) were signed in the last 5 years (2018-2023). The first signed ccTLD dates back to 2009.
The evolution has been tricky. “.bw” and “.mg”, which were signed with a DS in the root zone in 2015 and 2016 respectively, went unsigned in 2022 and 2020.
In September 2022, “.ke” went unsigned, was then signed again, and got its DS back in the root zone a few days ago. “.zm”, which published a DS in the root zone in 2015, also went unsigned sometime in 2019 and came back with a DS in the root zone a few days ago.
“.et” has been signed since 2019 but has never published a DS in the root zone.
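The three states counted above (signed with DS, signed without DS, unsigned) can be checked mechanically from a zone's DNSKEY set and the DS set in its parent. The following is an added example, not code from dnssec-africa.org: the zone name `example.`, the filler key bytes and the two "broken" labels are assumptions, and only DS digest type 2 (SHA-256) is checked.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the zone name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """flags (2 bytes) | protocol = 3 | algorithm | public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def ds_sha256(name: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(name) + rdata).hexdigest()

def classify(name, dnskeys, parent_ds):
    """dnskeys: [(flags, alg, pubkey)]; parent_ds: [(tag, alg, digest_type, hex)]."""
    if not dnskeys:
        return "broken: DS but no DNSKEY" if parent_ds else "unsigned"
    if not parent_ds:
        return "signed without DS"  # an island of security: no chain from the parent
    for flags, alg, pub in dnskeys:
        rd = dnskey_rdata(flags, alg, pub)
        for tag, ds_alg, dtype, digest in parent_ds:
            # Only digest type 2 is compared here (assumption of this example).
            if (dtype == 2 and ds_alg == alg and tag == key_tag(rd)
                    and digest.lower() == ds_sha256(name, rd)):
                return "signed with DS"
    return "broken: DS matches no DNSKEY"

if __name__ == "__main__":
    # Constructed sample: filler bytes standing in for a 64-byte algorithm 13 key.
    ksk = (257, 13, bytes(range(64)))
    rd = dnskey_rdata(*ksk)
    ds = (key_tag(rd), 13, 2, ds_sha256("example.", rd))
    print(classify("example.", [ksk], [ds]))
    print(classify("example.", [ksk], []))
    print(classify("example.", [], []))
    print(classify("example.", [(257, 13, bytes(64))], [ds]))
```

A zone that rolls its key without updating the DS in the parent lands in the last state, which validating resolvers treat as a failure rather than as unsigned.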
Looking at the signing algorithms, algorithm 8 (RSA/SHA-256) is still the preferred one, far ahead of algorithm 13 (ECDSA Curve P-256 with SHA-256).
Beyond signing TLDs, the visibility on DNSSEC registrations remains very low. Limited statistics are available on signed delegations. As seen on 21 March 2023, “.tz” showed 809 signed domains out of a total of 27,710 names (2.92%). “.za” showed 8,894 signed domains out of a total of 1,373,287 (0.65%).
On the gTLD side, the 4 TLDs on the continent show the following DNSSEC statistics:
TLD | Total domains | Signed domains | % signed
.africa | 148,837 | 262 | 0.18%
.capetown | 4,255 | 17 | 0.40%
.joburg | 3,059 | 9 | 0.29%
.durban | 2,547 | 4 | 0.16%
For rDNS, AFRINIC indicates a total of 570 domain objects with DS records, against a total of 5,889 distributed prefixes, both v4 (4,621) and v6 (1,268). There has been some increase over the years, but it remains far below expectations.
As for who is doing DNSSEC in the rDNS namespace, four countries lead with 95% of the total signed domains. ZA counts 300 domains; TN 187; DJ 34 and SS 21.
ccTLDs rank second among member categories with the most signed domains. The four countries leading DNSSEC in the rDNS have had their ccTLD signed with a DS in the root zone at least since 2019.
With regard to DNSSEC validation, Africa stands at 30.72% compared to 31.36% for the world. Southern Africa and Middle Africa are leading, while Western Africa is doing the least.
In a nutshell, limited to no progress is observed. ccTLDs need to do more, but in a more sustainable way. Most of them must embrace signing. The gTLDs have DNSSEC services to offer. TLDs should not only sign their zones, but also convince their respective communities of the importance of good DNS hygiene. Together, these efforts could unveil a market for domain name security.
Other sources: