How to convince your boss to deploy DNSSEC and RPKI

21 Jan 2025

Category: Tech matters

The Internet Standards, Security and Safety Coalition (IS3C) has recently released a report that sets out a new set of key arguments for DNSSEC and RPKI implementation, intended for presentation to decision-makers. The report, by IS3C’s expert-led Working Group 8 (WG8), highlights how leaders in both public and private organizations are influenced by factors beyond the purely technical, factors that technical advocates may not be prepared to address. Essentially, the report offers alternative narratives that may convince decision-makers to deploy.

Why is a new narrative needed?

The Domain Name System (DNS) and the routing system are fundamental to how the Internet works, enabling traffic to flow between devices and websites. However, these technologies were created in an era with minimal focus on security, leaving them vulnerable to malicious attacks and accidental misconfigurations. To address these vulnerabilities, DNSSEC and RPKI standards were developed.

Despite their importance, global adoption of DNSSEC and RPKI remains inconsistent. APNIC Labs publishes data on current deployment globally, regionally, at the economy level, and even down to individual Autonomous System Numbers (ASNs). Examples of this data are shown in Figures 1 and 2.

Figure 1 — Global RPKI filtering, current on 15 January 2025.

Figure 2 — The global proportion of users who use DNSSEC validating resolvers, current on 15 January 2025.

There has been significant discussion about how to encourage further deployment of these standards worldwide.

Traditional advocacy and why it sometimes fails

The report highlights six key arguments traditionally used to encourage the deployment of DNSSEC and RPKI: regulatory compliance, mitigating DNS abuse, improving Internet resilience, building customer trust, reducing cyber insurance premiums, and protecting national security and critical infrastructure.

However, common challenges to these arguments include perceived high costs, technical complexity, low awareness of risks and benefits, and a shortage of skilled staff. Additionally, complacency about existing security measures and organizational priorities often delays resource allocation for these initiatives, particularly in large organizations with complex decision-making processes.

So, what’s a better approach?

The report suggests framing the adoption and deployment of RPKI and DNSSEC as a strategic investment in an organization’s core business, one that not only safeguards vital information but also enhances trust in its services. As the report states, decision-makers at the top of organizational hierarchies will consider “Why should they approve the allocation of resources necessary to adopt and deploy both DNSSEC and RPKI?” To answer that question, the report offers these suggestions:

  1. The deployment of DNSSEC and RPKI represents a crucial foundation for national cybersecurity resilience, providing cryptographic protection when it comes to the authorization of critical Internet number resources, which helps safeguard the online delivery of public services, citizens’ data, and national security assets.
  2. The implementation of DNSSEC and RPKI represents a strategic approach to regulatory compliance and cybersecurity best practices, providing demonstrable technical controls that protect data integrity and infrastructure reliability — key requirements across global regulatory frameworks and industry standards.
  3. For commercial organizations, the deployment of DNSSEC and RPKI offers compelling security and business advantages that directly impact the bottom line while protecting critical infrastructure. These technologies provide essential safeguards against increasingly sophisticated cyber threats by ensuring the authenticity and integrity of Internet routing and domain name resolution.
  4. Each user/organization holds a moral obligation to uphold these standards for the benefit of society as a whole.

Building on research in 2019, before WG8’s formation, and further refined through collaboration with global experts in 2024, the report expands on these arguments in ways designed to appeal to decision-makers across industry and government. I encourage anyone approaching organizational leadership with the goal of deploying these critical security standards to read the report in full.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.