A Holistic and Collaborative Approach to DNS Security in the Asia Pacific Region

Vice President, ICANN Technical Engagement

On 15 – 16 April, I had the privilege to participate with other ICANN colleagues from the Asia Pacific (APAC) region at the Second ICANN APAC-Taiwan Network Information Center (TWNIC) Engagement Forum. It was held in a format that could be the default going forward: a combination of in-person and virtual participation. The forum highlighted the cooperation between ICANN and TWNIC, providing an opportunity for both organizations to share updates and perspectives on trends and evolutions of the unique identifier system. I was particularly pleased by the level of participation and the quality of the speakers and panelists.

Overall, a takeaway to highlight is that the Domain Name System (DNS) security part of the forum reinforced the importance of the shared responsibility that all actors bear in maintaining a secure and reliable Internet infrastructure. Internet Service Providers (ISPs) naturally focus on protecting their infrastructure to ensure service availability for their customers. They are usually less interested in spending additional resources to implement DNS practices or features that do not positively contribute to their business revenue model. However, there is low-hanging fruit, such as DNS Security Extensions (DNSSEC) validation, that ISPs can turn on without additional cost.
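To make the "turn on validation" point concrete, here is an added example (not from the original post) that checks whether a recursive resolver actually validates DNSSEC: it sends a query with the EDNS0 DO bit set and inspects the AD flag and RCODE of the reply. The resolver address and the test zone names in the main block are assumptions; only the Python standard library is used.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a UDP DNS query for an A record with RD=1 and an EDNS0 OPT record carrying DO=1."""
    # Header: ID, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root owner name, type 41, UDP payload 4096, ext-RCODE 0, version 0, flags DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(reply: bytes) -> dict:
    """Extract the header fields a validation check needs: QR, AD (bit 5) and RCODE."""
    qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020), "rcode": flags & 0x000F}

def classify(signed_reply: bytes, broken_reply: bytes) -> str:
    """A validating resolver sets AD for a correctly signed zone and returns SERVFAIL (RCODE 2)
    for a zone whose signatures do not verify. No AD and NOERROR for both means no validation."""
    s, b = parse_flags(signed_reply), parse_flags(broken_reply)
    if s["rcode"] == 0 and s["ad"] and b["rcode"] == 2:
        return "validating"
    if s["rcode"] == 0 and not s["ad"] and b["rcode"] == 0:
        return "not validating"
    return "inconclusive"

def query(resolver: str, name: str, timeout: float = 3.0) -> bytes:
    """Send one query over UDP and return the raw reply (truncated replies are not retried)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        return sock.recv(4096)

if __name__ == "__main__":
    RESOLVER = "127.0.0.1"            # assumption: the resolver under test
    SIGNED = "example.com"            # assumption: a correctly signed zone
    BROKEN = "dnssec-failed.org"      # assumption: a deliberately mis-signed test zone
    print(classify(query(RESOLVER, SIGNED), query(RESOLVER, BROKEN)))
```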

The three sessions I participated in focused on the DNS security threats and the evolution of the protocol to mitigate them. The first day’s High-level Opening Plenary centered around “The state of cybersecurity and its challenges including technology, legislation/regulation and cross-border jurisdiction”. We explored how well security best practices are being implemented, the state of Cybernorms agreement initiatives, and work done by organizations such as ICANN, the name Registries and Registrars, and the Regional Number Registries in coordinating the assignment and the use of unique identifiers while preventing their abuse.

Challenges around DNSSEC and Resource Public Key Infrastructure (RPKI) deployment were discussed, with a positive note showing that although the uptake has been slow so far, there are recent trends that project a regained interest by operators to embrace them as the risk landscape widens. The panel concluded by highlighting the importance of the shared responsibility in mitigating threats to Internet security. Initiatives such as Knowledge-Sharing and Instantiating Norms for DNS (KINDNS), Mutually Agreed Norms for Routing Security (MANRS), and others were also highlighted as good vehicles to further promote mutually agreed security practices and rally operators around their adoption.

The second panel I was on touched on DNS encryption. With experts from APNIC, TWNIC, and Chunghwa Telecom’s HiNet, we explored how the DNS as a protocol is evolving to address privacy issues, the experience of ISPs implementing DNS over HTTPS (DoH) in their service portfolio, and finally what future evolutions of DNS at the application level are likely to imply for the overall way the DNS service provisioning system works today. According to APNIC’s Geoff Huston, Internet service actors under economic pressure are increasingly likely to try to solve protocol security and privacy challenges directly at the application layer, so as to short-circuit the long and complex adoption cycle of new evolutions at the core infrastructure level. That in turn will likely result in a fragmentation of the name space, with each application running a private namespace whose scope is limited to its own software. This runs in exactly the opposite direction from what we are working on today, which is to keep the namespace globally unique.

Finally, on the last day, we took a deeper dive in a panel discussion focusing on DNSSEC and RPKI and covering operator, RIR, and ICANN perspectives.

While we have been pushing DNSSEC as one of the components of a secure DNS operation, there are many other layers that also need attention. ICANN plans to continue allocating resources to increase outreach toward all the players. Through initiatives such as KINDNS, the DNS Security Facilitation Initiative (DSFI), DNS Demographics, and our ongoing capacity development programs, we hope to contribute our part to making the use of the identifier system our mission requires us to help coordinate a little more secure.



Looking back over the two days of discussion at the forum, participants were of one mind that maintaining a secure and trustworthy Internet infrastructure is the shared responsibility of all stakeholders. Internet Service Providers (ISPs) naturally focus on protecting their infrastructure to ensure that customers receive the service they are due; however, they are usually not interested in investing additional resources to deploy DNS services, because these make no significant contribution to the company's revenue. But there is now a fairly easy way forward, for example the Domain Name System Security Extensions (DNSSEC): ISPs need only enable it, and it costs nothing extra.


During the sessions, the speakers also pointed out the challenges facing the promotion of DNSSEC and Resource Public Key Infrastructure (RPKI). The optimistic finding is that, although growth has been slow, recent trends show that as the landscape of network risks broadens, network operators are rediscovering the benefits of these security protocols. The panel concluded by stressing the importance of shared responsibility in mitigating Internet security threats; initiatives such as Knowledge-sharing and Instantiating Norms for DNS and Naming Security (KINDNS) and MANRS (Mutually Agreed Norms for Routing Security) are excellent vehicles for further promoting mutually agreed security practices while encouraging network operators to adopt them.

The second session focused on DNS encryption technology and related security issues. Together with experts from APNIC, TWNIC and Chunghwa Telecom's HiNet, we explored how DNS as a protocol is evolving to address privacy issues, for example ISPs' experience in deploying DoH (DNS over HTTPS), and how similar encryption technologies that push DNS toward the application layer will affect the future development of the DNS. APNIC Chief Scientist Geoff Huston pointed out that, under financial pressure, this tendency to "solve privacy and security problems at the application layer" is likely to reshape the existing Internet architecture: because each vendor wants to confine its users to a private namespace under its own full control, this will lead to further fragmentation of the current single, globally interoperable namespace, and runs counter to the position held by ICANN and most of the Internet community, namely ensuring a single, globally interoperable Internet.

On the last day of the forum, the third panel I took part in again took a deeper look at the challenges of promoting DNSSEC and RPKI, covering the perspectives of network operators, Regional Internet Registries (RIRs) and ICANN.

Although ICANN continues to promote DNSSEC as one component of secure DNS operation, the other layers of the DNS matter as well. ICANN plans to keep devoting resources to reaching all stakeholders; through initiatives such as KINDNS, the DNS Security Facilitation Initiative (DSFI), the DNS Demographics dashboard project and other capacity-building training programs, we hope to make our own contribution to building a secure identifier system.
