DNSSEC

DNSSEC is a set of security extensions to DNS that add digital signatures to the data that we publish and a mechanism for finding and verifying the keys used to verify these signatures.  We have been extensively involved in the development of DNSSEC standards and tools and the signing of the root nameservers, and have now turned our attention to signing .nz and our second level zones. 

Detailed below are the dates for deployment of DNSSEC for the .nz zone.

Date Task Description Status
22ndMay2011 SRS began accepting DS records Both SRS and EPP interfaces are capable of receiving DS records for the third level domains. Those records won't be published until the corresponding second level domain is signed Complete

18-Nov-11

 Key Generation The keys needed to sign the .nz zone and the second level zones will be generated according to procedure. This will be a once-a-year task. Complete
21-Nov-11 signed .nz zone is published with obscured keys The .nz nameservers will start serving a signed version of the .nz zone, but with the DNSKEY records obfuscated to prevent their use as trust anchors. Complete
Nov-11 Deployment results are analyzed and decision to submit DS record to the root is taken Over the next two weeks, we will be analyzing the behaviour of the system while serving a signed zon

e. This will enable us to determine if it's safe to proceed with the DNSSEC deployment schedule. 		Complete
9-Dec-11 DNSKEY records for .nz are unobscured The obfuscation of DNSKEY records in the .nz zone will be reverted, making their real content visible in the zone. It's not advisable to use them as trust anchors. Complete
9-Dec-11 DS records for .nz are submitted to the root NZRS requests a change to the Root Zone Management to add the DS records for the .nz zone. Complete
16-Dec-11 .nz DS records are published in the root zone If all the checks pass, the Root Zone Management should make the changes requested visible around this date Complete

DNSSEC documents and presentations
application/pdf iconDNSSEC presentation for First Tuesday
 163K

Introductory presentation on the technology of DNSSEC given to First Tuesday in October 2009.
application/pdf iconDNSSEC presentation for ICANN DNSSEC workshop
 113K

Presentation on the issues for registrars and policy makers introduced by DNSSEC, given to the SSAC DNSSEC workshop at ICANN Sydney in June 2009.
application/pdf iconDNSSEC presentation for ISIG
 908K

Detailed presentation on the technology of DNSSEC and the threats it addresses, given to the Wellington branch of NZISIG in April 2010.

Registrars