Project Update

Monday 9 June 2025

DNSSEC in Practice: Operational Lessons from .bf and .cm

Author: Yazid AKANHO, Technical Engagement Manager, MEA Region, ICANN.

Contributors:

  1. Alain AINA, General Manager, Digital Intelligence Services and CDA DNSSEC Roadshow Consultant.
  2. Albert KAMGA, Director, Standardization and Cooperation, Agence Nationale des Technologies de l'Information et de la Communication (ANTIC), Cameroon.
  3. Izaï TOE, Executive Secretary, Association Burkinabè des Domaines Internet (ABDI), Burkina Faso.

The successful deployment of Domain Name System Security Extensions (DNSSEC) by Burkina Faso’s .bf and Cameroon’s .cm country code top-level domain names (ccTLDs) is the result of months of detailed technical work and sustained operational improvements in the two ccTLD infrastructures. Both registries, supported by the Coalition for Digital Africa’s DNSSEC Roadshow, are now DNSSEC operational. They are publishing signed zones with an established chain of trust, enabling resolvers to validate the authenticity of data origin for these domains across the Internet.

While the outcome was the same, the paths each registry followed reflect how the internal conditions of an organization – team structures, infrastructure maturity, and process readiness – can shape the DNSSEC deployment journey.

This blog explores the key differences between the two approaches and highlights practical insights for other ccTLDs preparing to implement DNSSEC.

 

Different Starting Points

Before the DNSSEC Roadshow engagement began in mid-2023, Burkina Faso’s ccTLD manager, Autorité de Régulation des Communications Électroniques et des Postes (ARCEP), brought in a new technical platform operator, Association Burkinabè des Domaines Internet (ABDI). At the start of the project, core operational systems and procedures needed to be improved in parallel with the DNSSEC effort.

In contrast, Cameroon’s registry, managed by Agence Nationale des Technologies de l'Information et de la Communication (ANTIC), began the process in April 2024 with established teams and infrastructure. Although improvements were needed, the organizational and operational base was already established, allowing the project to proceed with less preliminary work.

These initial differences had a direct impact on the sequencing and pace of deployment.

 

Implementation Approaches

In Burkina Faso:

  • The early focus was on setting up internal structures, formalizing operational responsibilities, and improving the DNS infrastructure.
  • After pre-assessment, the registry conducted a multi-phase process: onsite awareness-raising and technical training, testbed deployment, cryptography training, infrastructure upgrades, and system monitoring.
  • DNSSEC signing was introduced only after all operational prerequisites were satisfied.

In Cameroon:

  • Following a pre-assessment and participation in a regional cryptography training, the registry moved rapidly from testing to production.
  • ANTIC assigned a dedicated five-person team with knowledge and experience in DNS operations, Public Key Infrastructure (PKI) administration, system security, and incident response.
  • The team conducted infrastructure improvements and DNSSEC signing workstreams simultaneously.

Both registries used similar technical frameworks, but internal organization and starting conditions shaped how quickly and smoothly deployment progressed.

 

Lessons for Future DNSSEC Deployments

Several clear lessons emerged from the deployment experiences of .bf and .cm:

  • Effective pre-assessment is critical. Identifying gaps early, whether in infrastructure, monitoring, or documentation, ensures that deployment work is correctly scoped and sequenced.
  • Internal structure accelerates deployment. When team roles and responsibilities, decision-making processes, and operational procedures are clear, DNSSEC can be integrated more quickly.
  • Infrastructure readiness matters. DNSSEC assumes a functioning, monitored, and documented DNS system. When systems are stable, progress is faster. When systems are incomplete, additional time and effort are required to build them out.
  • Proper and disciplined follow-up is crucial. The success of DNSSEC deployment depends heavily on how the implementation journey is managed. It is important to consider assigning a dedicated project manager at the registry with a mandate to conduct the project, plan and coordinate resources, and manage risks and communication between stakeholders.
  • DNSSEC documentation is mandatory, not optional. Long-term stability of the registry operations relies on thorough DNSSEC documentation.

 

Beyond Timelines

The comparison between .bf and .cm is not about speed. Both projects succeeded because they were structured realistically, aligned to local operational capacity, and supported with focused external technical guidance.

The deployments reinforce that DNSSEC is not a stand-alone technical upgrade. It is an operational commitment. Successful deployment depends on the registry’s ability to manage and maintain key signing systems, monitor infrastructures, produce and update procedures, and respond to evolving threats over time.

Registries preparing for deployment should focus less on rapid implementation and more on ensuring that the conditions for secure, ongoing operations are in place before signing begins.

Burkina Faso and Cameroon have each demonstrated that with the right preparation, targeted support, and organizational leadership, DNSSEC deployment can succeed. Their experience offers a practical model for other ccTLDs working to strengthen their infrastructure in the years ahead.