Domain Name Service (Pty) Ltd (DNS-ZA) is the technical service provider to the ZA Central Registry (ZACR) and the .ZA Domain Name Authority (ZADNA). With over 20 years experience in the .ZA space, we provide the core technical registry back-end systems and services for zones such as CO.ZA, ORG.ZA and .AFRICA. The article published on MyBroadband, on 8 April 2019, caused quite a stir and the DNS-ZA team would like to add its voice to the debate and clarify a few misunderstandings.
First off, and let’s be clear about this, the .ZA domain is not a security disaster waiting to happen… no more so than any other TLD in the world. A team of highly competent and experienced technicians and administrators continues to look after the well being of .ZA domains especially in light of the recent security threats faced by the global DNS industry. .ZA remains the most relevant and trusted domain for South Africans… and rightly so.
That said, the article published in MyBroadband on 8 April 2019 does raise a number of critically important issues and should be commended for creating much needed awareness about the importance of DNS security. While the headline may be a bit alarmist and unnecessary in our view, the article itself does touch on critical aspects of DNS security architecture that require more attention and support from the local and global domain name communities, including DNSSec, Domain Lock and Multi-Factor Authentication. These technologies are by no means the silver bullet to slay all DNS related security issues, but they do go a long way in ensuring the integrity and trust of the DNS and how this impacts the consumer.
DNS attacks can be highly complex and may present serious commercial risks to governments, businesses and consumers as was seen in the recent wave of DNS attacks linked to a suspected Iranian hacker group. While we must take these risks very seriously, we do not necessarily agree with everything contained in the MyBroadband article, in particular the author’s focus on the “Transitive Trust” issue as being the cornerstone of .ZA’s purported security maladies. Reducing the complexity and diversity of the .ZA DNS server infrastructure is a double edge sword and is perhaps an oversimplification of the broader security and performance challenges faced by a stable, reliable and secure DNS.
The gist of the “Transitive Trust” debate is that having a smaller attack surface is superior to having a larger attack surface when it comes to selecting a DNS server implementation. The truth is more complicated, and both methodologies have their advantages and disadvantages. For example, a smaller attack surface may be easier to secure and protect, but the consequences of an attack or mistake could be catastrophic, bringing down the entire infrastructure (via single points of failure). A more distributed DNS infrastructure, coupled with the implementation of additional security measures, may present a larger attack surface but with the benefit that any resulting damage could be limited and better contained.
The best experts in the world can and do have differences of opinion in terms of what would constitute the most suitable approach to DNS server implementations. The ideal architecture really depends on what risks the registry operator is attempting to mitigate. In this regard there are several potential vulnerabilities that could be the target of DNS malfeasance, including DNS Poisoning & Spoofing and DNS DDos attacks (to name a few). The focus of the MyBroadband article is essentially the former and does not address the very real dangers and concerns of the latter. In terms of DNS server implementation, the trick is to strike a balance between simplicity and diversity.
Considering the evolving nature of the DNS and the security threats we constantly face, we will continue to work with our registry clients, both in South Africa and internationally, to improve the security and performance of their registry systems. After becoming aware of the latest wave of DNS attacks at the end of 2018, we have implemented several changes to our existing registry technology and infrastructure and we identified other areas where further changes would be appropriate. From the perspective of the “Transitive Trust” debate we believe that the DNS server infrastructure for .ZA will benefit from further rationalisation and improved controls.
DNS server architecture aside, we believe that the adoption and support of DNSsec remains one of the most important security factors to protect the integrity and trust of .ZA domains going forward. The adoption of DNSSec has been a long and arduous journey, but we are making good progress as a country. As indicated in the MyBroadband article, South Africa is currently well ahead of the global DNSSec adoption curve with “validation” rates nearly double that of the global average. This is thanks, in no small part, to the pioneering efforts of a few progressive South African network and access providers, including Telkom, Optinet, Cipherwave, Neology and Skyfi,among others.
DNSSec is readily available and supported in .ZA. It is high time that domain name customers and Internet users start insisting on the use of DNSSec from their service providers and registrars in order to minimise any future security risks.
AS a matter of interest, we are also in advanced discussions with the ZACR to determine ways of implementing and promoting Domain Lock and Multi-Factor Authentication for all their second level and generic domains. Watch this space.