Version 1.2 of the DNSSEC Practice Statement is available at

The changes between Version 1.1 and Version 1.2 are posted at and also includes the
previous versions in PDF format.

The main changes in this new version are as follows:

1. Multi-Person mode for the Keystore activities
Due to limitations in the HSM device that we are using, we have had to reduce the minimum number of Keystore Security officers required for key related activities from three to two.
The maximum number of Keystore Security officers has also been reduced from nine to five. So for the backup and restoration of key material we will require three people (two Keystore Security officers and one System Administrator).

2. Site Controls
Posters to this list highlighted some issues regarding rack security and access controls. We agree that this area needs to be improved and we will review and make changes to this area over the next few months.

3. Trusted Roles and Trusted Individuals
We have reworked this section and clarified the roles of the Keystore Security Officers, System Administrators, Device Security Officers and Witness and specified the numbers required. We have also introduced a new role: Key Generation Administrator.

4. Background Checks
We have made it clear that the checks apply to anyone with a trusted role and NZRS would then decide on a case by case basis if the individual considered for a trusted role is suitable or not.

We hope that with this new version we have answered your concerns and questions that you have with our DPS document.

If anybody has any outstanding issues or concerns with the DPS please let us know as soon as possible as we are getting close to the stage where we are ready to begin our DNSSEC implementation.

If there are any issues, we suggest that the best way to address them would be to hold a meeting at NZRS to discuss them and to have the meeting sometime over the next two weeks. If anybody would like to meet with us and discuss the DPS, then please let us know by Wednesday 17th August.