A Holistic and Collaborative Approach to DNS Security in the Asia Pacific Region

Vice President, ICANN Technical Engagement

On 15 – 16 April, I had the privilege to participate with other ICANN colleagues from the Asia Pacific (APAC) region at the Second ICANN APAC-Taiwan Network Information Center (TWNIC) Engagement Forum. It was held in a format that could be the default going forward: a combination of in-person and virtual participation. The forum highlighted the cooperation between ICANN and TWNIC, providing an opportunity for both organizations to share updates and perspectives on trends and evolutions of the unique identifier system. I was particularly pleased by the level of participation and the quality of the speakers and panelists.

Overall, a takeaway to highlight is that the Domain Name System (DNS) security part of the forum reinforced the importance of the shared responsibility that all actors bear in maintaining a secure and reliable Internet infrastructure. Internet Service Providers (ISPs) naturally focus on protecting their own infrastructure to ensure service availability for their customers. They are usually less interested in spending additional resources to implement DNS practices or features that do not contribute positively to their business revenue model. However, there is low-hanging fruit, such as DNS Security Extensions (DNSSEC) validation, that ISPs can turn on at no additional cost.
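As an added illustration, not part of the original post, this is what "turning on" DNSSEC validation looks like on a BIND 9 recursive resolver. The surrounding `named.conf` layout, the cache directory and the recursion ACL are assumptions; only the `dnssec-validation auto;` line is the change that matters.

```conf
# Added example (not from the original post): enabling DNSSEC validation
# on a BIND 9 recursive resolver. The rest of named.conf is assumed to exist.
options {
    directory "/var/cache/bind";      # assumed path; adjust to the local layout
    recursion yes;
    allow-recursion { localnets; };   # serve only the operator's own networks (assumed)

    # "auto" uses the root trust anchor built into BIND and keeps it current
    # through automated trust-anchor updates (RFC 5011), so no manual key
    # management is required from the operator.
    dnssec-validation auto;
};
```

To confirm that validation is active after reloading the service, query the resolver with `dig +dnssec` for a signed zone and check that the `ad` (authenticated data) flag is set in the response header; a query for a zone whose signatures are deliberately broken should then return SERVFAIL instead of an answer.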

The three sessions I participated in focused on DNS security threats and the evolution of the protocol to mitigate them. The first day's High-level Opening Plenary centered around "The state of cybersecurity and its challenges, including technology, legislation/regulation and cross-border jurisdiction". We explored how well security best practices are being implemented, the state of cyber-norms agreement initiatives, and the work done by organizations such as ICANN, the name registries and registrars, and the Regional Internet Registries in coordinating the assignment and use of unique identifiers while preventing their abuse.

Challenges around DNSSEC and Resource Public Key Infrastructure (RPKI) deployment were discussed, with a positive note showing that although the uptake has been slow so far, there are recent trends that project a regained interest by operators to embrace them as the risk landscape widens. The panel concluded by highlighting the importance of the shared responsibility in mitigating threats to Internet security. Initiatives such as Knowledge-Sharing and Instantiating Norms for DNS (KINDNS), Mutually Agreed Norms for Routing Security (MANRS), and others were also highlighted as good vehicles to further promote mutually agreed security practices and rally operators around their adoption.

The second panel I was on touched on DNS encryption. With experts from APNIC, TWNIC, and Chunghwa Telecom's HiNet, we explored how the DNS as a protocol is evolving to address privacy issues, the experience of ISPs implementing DNS over HTTPS (DoH) in their service portfolio, and finally what future evolutions of the DNS at the application level are likely to imply for the way the DNS service provisioning system works today. According to APNIC's Geoff Huston, Internet service actors under economic pressure are increasingly likely to try to solve protocol security and privacy challenges directly at the application layer, so as to short-circuit the long and complex adoption cycle of new developments at the core infrastructure level. That in turn will likely result in a fragmentation of the name space, with each application running a private namespace whose scope is limited to its own software. This runs directly counter to what we are working on today, which is to keep the name space globally unique.

Finally, on the last day, we took a deeper dive in a panel discussion focusing on DNSSEC and RPKI and covering operator, RIR, and ICANN perspectives.

While we have been pushing DNSSEC as one of the components of a secure DNS operation, there are many other layers that also need attention. ICANN plans to continue allocating resources to increase outreach toward all the players. Through initiatives such as KINDNS, the DNS Security Facilitation Initiative (DSFI), DNS Demographics, and our ongoing capacity development programs, we hope to contribute to a somewhat more secure use of the identifier system that our mission requires us to help coordinate.
