Asian TLDs bide their time on DNSSEC

The Thai registry has adopted a new protocol that is touted to provide added security to the Internet's Domain Name System (DNS), but its counterparts in the region are taking their time to test and ensure an effective ecosystem is in place before implementation.
According to a newsletter published by the DNS Security Extensions (DNSSEC) Deployment Coordination Initiative, Thailand's ".th" became the first country code top-level domain (ccTLD) in Asia to adopt the security protocol.
DNSSEC introduces security at the infrastructure level, encrypting DNS records using cryptographic signatures. The protocol has been established for years, but came into the spotlight again last year when security researcher Dan Kaminsky identified a fundamental flaw in the DNS. At that time, Cambridge University security expert Richard Clayton said the use of the encrypted protocol is one way to mediate the security loophole.
Pensri Arunwatanamongkol, technical contact for the Thai Network Information Center (THNIC), said in an e-mail interview the center has been concerned with DNS security and stability for "quite some time". The decision to adopt DNSSEC was made by THNIC's Board in 2006.
Prior to its deployment of DNSSEC in February 2009, THNIC had co-hosted two DNSSEC workshops, with support from the Network Startup Resource Center, to train its engineers as well as those managing neighboring ccTLDs, she noted.
According to Arunwatanamongkol, THNIC had to replace one of its ".th" secondary name servers as the system was unable to support the DNSSEC protocol. The center also added two new machines--one for cryptographic key management, and another for increasing the link bandwidth to support DNSSEC.
"DNSSEC needs a lot more work compared with the normal DNS but once you've done the learning and automated all processes, there is nothing to worry about," she said. However, network centers running on processes that are still largely manual will find DNSSEC operations "more complicated".
"In the DNSSEC world, it's an important thing [to] do it right, otherwise, it will easily fail," she cautioned, adding that tapping experts would help ensure a successful implementation.
Need to ensure reliability
Organizations in the region, however, are still evaluating the protocol and may not necessarily follow in Thailand's footsteps soon, domain experts told ZDNet Asia.
Asia-Pacific Top Level Domain Association Chair Jonathan Shea noted that the adoption of DNSSEC and efforts to fully realize its potential will not be a trivial undertaking, in terms of resources and technical expertise.
"The stability and reliability of the DNS are of utmost importance to the ccTLD registries," he explained. "Therefore, like other new technological developments, many ccTLD registries want to test out DNSSEC thoroughly before adopting it. A lot of testing is going on now."
According to Shea, the endeavor is expected to take a few years. Some registries, he pointed out, may eventually decide not to adopt it.
Edmon Chung, CEO of DotAsia, said the registry operator of the ".asia" generic top-level domain has been studying and working on DNSSEC deployment but is "not rushing" to implement.
"Rather than simply deploying DNSSEC at the '.asia' TLD servers, we believe it is important that an end-to-end infrastructure is in place before DNSSEC can really make a difference," Chung said. This, he added, encompasses signing at the root, as well as gaining support for DNSSEC from ISPs, browser makers, registrars and hosts.
"Even if...the registry deploys DNSSEC, if the registrar does not have the system to allow registrants to submit DNSSEC keys, or if the hosting environment the registrant uses does not support DNSSEC, the utility of DNSSEC is greatly reduced," he explained. "It could even provide a false sense of security for users."
DotAsia is also looking at whether the security protocol can be extended to the browser level, where there should be an indication to online users that DNSSEC has been deployed, he said. This practice would be similar to how sites that have implemented SSL certificates are clearly marked out.
"Signing the '.asia' TLD [with DNSSEC] is good and it is great to see more and more TLDs...but equally important, and perhaps even more importantly, we feel that the more urgent matters are [to ensure] overall support for DNSSEC. And that is what DotAsia will be focusing our efforts on at this time," noted Chung, adding that while his organization plans to establish a timeframe to adopt DNSSEC, its priority now is focused on efforts "to make the deployment meaningful".