.nz signed zone published with obscured keys

At 10:00am on Monday November 21st NZDT, a signed version of the .nz zone went live, with the DNSKEY set obscured to prevent validation. This is our first deployment step according to our schedule.


The .nz zone was signed using a 1024-bit ZSK and a 2048-bit KSK, algorithm 8 (RSA/SHA-256) and NSEC. The KSK lifetime will be one year and the ZSK lifetime three months.

The current obfuscated DNSKEY set looks like this:

nz. 3600 IN DNSKEY 257 3 8 BAABAAGwf++++THIS/IS/A/DELIBERATEDLY/INVALID/KEY/AND/SHOULD/NOT/BE/USED//FOR/INFO/CONTACT/SUPPORT/AT/NZRS/NET/NZ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++NZsP ; KSK, keytag 2517
nz. 3600 IN DNSKEY 256 3 8 BAABAAGD+++++THIS/IS/A/DELIBERATEDLY/INVALID/KEY/AND/SHOULD/NOT/BE/USED//FOR/INFO/CONTACT/SUPPORT/AT/NZRS/NET/NZ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++A0Am ; ZSK, keytag 27212

The keys will be obscured until December 9th. This date is tentative, depending on testing or unforeseen events preventing the transition to clear keys.
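For anyone inspecting records in the format shown above, the following added example (not NZRS code) parses a DNSKEY line, reports its role, RSA modulus size and RFC 4034 key tag, and compares the computed tag with the one in the trailing comment. The owner name `example.`, the helper names and both sample keys are constructed for illustration; no claim is made about what the obscured .nz keys compute to.

```python
import base64
import struct

ROLES = {256: "ZSK", 257: "KSK"}  # DNSKEY flags: zone key / zone key + SEP bit

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 layout: exponent length, exponent, then modulus."""
    elen, off = pubkey[0], 1
    if elen == 0:  # three-byte form of the exponent length
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()

def inspect_dnskey(line: str) -> dict:
    """Parse 'owner ttl IN DNSKEY flags proto alg key ; ROLE, keytag N'."""
    record, _, comment = line.partition(";")
    owner, _ttl, _cls, _type, flags, proto, alg, *key = record.split()
    pubkey = base64.b64decode("".join(key), validate=True)
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey
    words = comment.split()
    annotated = int(words[-1]) if words and words[-1].isdigit() else None
    tag = key_tag(rdata)
    return {"owner": owner, "role": ROLES.get(int(flags), "other"),
            "algorithm": int(alg), "bits": rsa_modulus_bits(pubkey),
            "key_tag": tag, "tag_matches": annotated == tag}

def sample_line(last_byte: int, annotated: int) -> str:
    """Constructed 1024-bit RSA key (exponent 65537); not a real zone key."""
    pub = b"\x03\x01\x00\x01" + b"\xc0" + bytes(126) + bytes([last_byte])
    b64 = base64.b64encode(pub).decode()
    return f"example. 3600 IN DNSKEY 256 3 8 {b64} ; ZSK, keytag {annotated}"

GENUINE = sample_line(0x01, 50955)  # annotation agrees with the key material
ALTERED = sample_line(0x02, 50955)  # key material changed, annotation kept

if __name__ == "__main__":
    for line in (GENUINE, ALTERED):
        print(inspect_dnskey(line))
```

A validator picks the DNSKEY by the key tag carried in each RRSIG and then verifies the signature with that key's material, so a record whose published key material differs from the signing key cannot validate the zone's signatures.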