The .dz Zone: Algeria’s Digital Namespace

The .dz Zone: Algeria’s Digital Namespace

Every website ending in .dz — from government portals like mfdgi.gov.dz to commercial sites like mobilis.dz — depends on a chain of DNS (Domain Name System) servers that translate human-readable addresses into IP addresses. At the top of this chain for Algeria sits CERIST (Centre de Recherche sur l’Information Scientifique et Technique), which has managed the .dz country-code top-level domain (ccTLD) since its delegation by IANA on January 3, 1994. CERIST operates the authoritative name servers for the .dz zone through its NIC.dz subdivision, controls the registry database, and sets the policies for who can register .dz domains and under what conditions.

The .dz namespace is structured with ten second-level domains: .com.dz (commercial), .gov.dz (government), .org.dz (organizations), .edu.dz (education), .net.dz (network operators), .asso.dz (associations), .pol.dz (political parties), .art.dz (artistic professions), .tm.dz (trademark holders abroad), and .soc.dz (individual trademarks). As of December 2024, the total number of registered .dz domains stood at 17,989 — remarkably small compared to Morocco’s .ma (over 118,000 registrations as of mid-2024) or Tunisia’s .tn (over 66,500 as of September 2025). This low adoption reflects both restrictive registration policies (requiring Algerian trade register documentation) and the preference of many Algerian businesses for .com domains registered through international registrars.

But the security implications of the .dz zone extend far beyond registration numbers. The DNS infrastructure underpinning every .dz domain is a critical national resource. If compromised, attackers could redirect users of Algerian government services, banking portals, or telecommunications platforms to malicious servers — intercepting credentials, deploying malware, or disrupting services entirely.

DNSSEC Adoption: The Near-Zero Problem

DNSSEC (Domain Name System Security Extensions) is the primary defense against DNS spoofing and cache poisoning attacks. It works by cryptographically signing DNS records, allowing resolving servers to verify that the DNS response they received actually came from the authoritative server and was not tampered with in transit. Without DNSSEC, an attacker who can intercept or manipulate DNS traffic (through man-in-the-middle attacks, compromised resolvers, or BGP hijacking) can redirect users to fraudulent websites that appear legitimate.

CERIST signed the .dz zone with DNSSEC around 2022, publishing DS records in the root zone and establishing a cryptographic chain of trust from the root DNS servers down through .dz. This was an important milestone — but signing the zone is only the first link in the chain. According to the Internet Society’s Pulse data for Algeria, less than 1% of individual .dz domains are protected with DNSSEC, falling below even the 2% average across Africa. Equally concerning, only about 29% of DNS queries from Algerian networks benefit from DNSSEC validation, well below the African average of 48%. In practice, this means that while the .dz zone itself can be validated, almost no individual .dz domain records are signed, and most Algerian users’ DNS resolvers do not perform DNSSEC validation anyway.

Algeria was a latecomer to DNSSEC. By contrast, Tunisia’s .tn became one of Africa’s early adopters when it was DNSSEC-signed in September 2014, with the Agence Tunisienne d’Internet overseeing the transition. Morocco’s .ma followed in February 2016, with the ANRT (Agence Nationale de Reglementation des Telecommunications) managing the deployment. Globally, over 90% of ccTLDs are now signed with DNSSEC. Algeria’s zone-level signing closed a major gap, but the near-zero individual domain adoption and low validation rates among Algerian ISP resolvers mean the security benefits remain largely theoretical. The technical barriers to driving adoption are well understood — the RIPE NCC, ICANN, and AFRINIC all offer free technical assistance programs. The gap is one of institutional follow-through and ISP engagement, not capability.

Domain Hijacking Risks and Registry Infrastructure

Domain hijacking — the unauthorized transfer or modification of a domain’s DNS records — is a high-impact attack that can redirect an organization’s entire web presence and email to attacker-controlled infrastructure. The Sea Turtle campaign, attributed to a state-sponsored group and active since at least January 2017, hijacked DNS records of government organizations across the Middle East and North Africa by compromising domain registrars and DNS administrators. First documented by Cisco Talos in April 2019, the campaign compromised at least 40 organizations across 13 countries. While no confirmed .dz domains were among the publicly documented targets, the attack methodology — targeting the registrar rather than individual domains — is directly applicable to the .dz ecosystem.

CERIST’s registry infrastructure runs authoritative DNS servers for the .dz zone. According to IANA’s root zone database, the .dz zone is currently served by six name servers: ns1.nic.dz, ns2.nic.dz, ns4.nic.dz, and ns5.nic.dz (operated by CERIST), ns3.nic.fr (hosted by AFNIC in France), and ns-dz.afrinic.net (hosted by AFRINIC). This provides some geographic distribution beyond Algeria, though less diversity than comparable ccTLDs. For comparison, Morocco’s .ma zone uses eight name servers including nodes hosted by INRIA in France, providing broader redundancy and DDoS resilience. While CERIST’s infrastructure is more distributed than a purely domestic setup, further diversification through anycast deployment would strengthen resilience against sustained volumetric attacks.

The .dz domain registration process itself, while restrictive, does not appear to mandate registrant-side security measures such as registry lock (a mechanism that prevents unauthorized changes to critical domain records without out-of-band verification). Major TLD operators globally have adopted registry lock services for high-value domains — particularly government and financial institutions. Implementing an equivalent service for .gov.dz and .com.dz domains hosting critical services would significantly reduce hijacking risk. CERIST should also consider requiring two-factor authentication for all registrant management portals and implementing zone file change monitoring with automated alerts.

Closing the Gap: Recommendations for .dz Zone Security

With the .dz zone now DNSSEC-signed, the most impactful next step is driving DNSSEC adoption at the individual domain level. CERIST should require DNSSEC signing for all .gov.dz domains as a mandatory baseline, then extend the requirement to .edu.dz and financial sector domains under .com.dz. This requires establishing streamlined processes for registrants to submit DS records, providing technical documentation and support, and potentially automating DNSSEC key management through integration with registrar systems. CERIST can draw on ICANN’s DNSSEC deployment initiative and AFRINIC’s capacity-building programs, both of which have guided African ccTLD operators through similar adoption drives.

Equally critical is improving DNSSEC validation on the resolver side. Algeria’s major ISPs — including Algerie Telecom, Djezzy, and Ooredoo — should enable DNSSEC validation on their recursive resolvers. Without validation-capable resolvers, DNSSEC-signed domains offer no protection to end users. ARPCE (Autorite de Regulation de la Poste et des Communications Electroniques), as Algeria’s telecommunications regulator, is well positioned to mandate or incentivize DNSSEC validation across licensed operators.

Second, CERIST should further diversify its authoritative DNS infrastructure by deploying additional secondary name servers on anycast networks. While the current setup includes servers hosted by AFRINIC and AFNIC, additional diversity through Packet Clearing House’s anycast DNS service — which provides free secondary DNS to developing-country ccTLD registries and currently serves over 110 nations — would further strengthen DDoS resilience and query performance.

Third, at the policy level, Algeria should establish a domain security framework requiring registry lock for all .gov.dz domains, mandatory DNSSEC for government and financial sector domains, and regular security audits of the registry infrastructure. CERIST’s dual role as both a research center under the Ministry of Higher Education and the .dz registry operator is unusual internationally — most countries have either delegated ccTLD management to a dedicated entity or established clear governance separation. A governance review examining whether this dual mandate serves Algeria’s DNS security interests would be timely. The .dz zone is a national asset; its security posture should reflect that status.

Frequently Asked Questions

Sources & Further Reading

• CERIST – .dz Domain Registry (NIC.dz)
• IANA – .dz Domain Delegation Data
• Internet Society Pulse – Algeria Country Report
• Internet Society – Tunisia Signs .TN with DNSSEC (September 2014)
• ICANN – DNSSEC Deployment Report for ccTLDs
• Cisco Talos – Sea Turtle DNS Hijacking Campaign
• AFRINIC – DNS Support Programme for African ccTLDs
• Packet Clearing House – Anycast DNS Services
• ARPCE – Algeria Telecommunications Regulator
• Internet Society – DNSSEC Deployment Maps