DNSSEC

DNSSEC is a set of security extensions to DNS that add digital signatures to the data that we publish and a mechanism for finding and verifying the keys used to verify these signatures. We have been extensively involved in the development of DNSSEC standards and tools and the signing of the root nameservers, and have now turned our attention to signing .nz and our second level zones.

The dates for the deployment of DNSSEC for .nz are detailed below.

Moderated second level zones under .nz

| Date (2012) | Event | Zones affected | Description | Status |
|---|---|---|---|---|
| 20-Aug | Publish signed zone with obscured keys | cri.nz, health.nz, iwi.nz | The .nz nameservers will start serving a signed version of the cri.nz, health.nz, and iwi.nz zones, but with the DNSKEY records obfuscated to prevent their use as trust anchors. | Complete |
| 27-Aug | DNSKEY records are unobscured | cri.nz, health.nz, iwi.nz | The obfuscation of DNSKEY records in the cri.nz, health.nz, and iwi.nz zones will be reverted, making their real content visible in the zone. | Complete |
| 27-Aug | DS records included in .nz zone | cri.nz, health.nz, iwi.nz | Two hours after removing the DNSKEY obfuscation, the DS records for cri.nz, health.nz, and iwi.nz will be included in the .nz zone. From that moment, any DS records in the registry for domains under these SLDs will be included in their respective zones, enabling validation. | Complete |
| 10-Sep | Publish signed zone with obscured keys | govt.nz, mil.nz, parliament.nz | The .nz nameservers will start serving a signed version of the govt.nz, mil.nz, and parliament.nz zones, but with the DNSKEY records obfuscated to prevent their use as trust anchors. | Complete |
| 17-Sep | DNSKEY records are unobscured | govt.nz, mil.nz, parliament.nz | The obfuscation of DNSKEY records in the govt.nz, mil.nz, and parliament.nz zones will be reverted, making their real content visible in the zone. | Complete |
| 17-Sep | DS records included in .nz zone | govt.nz, mil.nz, parliament.nz | Two hours after removing the DNSKEY obfuscation, the DS records for govt.nz, mil.nz, and parliament.nz will be included in the .nz zone. From that moment, any DS records in the registry for domains under these SLDs will be included in their respective zones, enabling validation. | Complete |

Non-moderated second level zones under .nz

| Date (2012) | Event | Zones affected | Description | Status |
|---|---|---|---|---|
| 28-May | Publish signed zone with obscured keys | geek.nz | The .nz nameservers will start serving a signed version of the geek.nz zone, but with the DNSKEY records obfuscated to prevent their use as trust anchors. | Complete |
| 11-Jun | DNSKEY records are unobscured | geek.nz | The obfuscation of DNSKEY records in the geek.nz zone will be reverted, making their real content visible in the zone. | Complete |
| 11-Jun | DS records included in .nz zone | geek.nz | Two hours after removing the DNSKEY obfuscation, the DS records for geek.nz will be included in the .nz zone. From that moment, any DS records in the registry for zones under geek.nz will be included as well, enabling validation. | Complete |
| 18-Jun | Publish signed zones with obscured keys | ac.nz, gen.nz, maori.nz, school.nz | The .nz nameservers will start serving a signed version of the ac.nz, gen.nz, maori.nz, and school.nz zones, but with the DNSKEY records obfuscated to prevent their use as trust anchors. | Complete |
| 25-Jun | DNSKEY records are unobscured | ac.nz, gen.nz, maori.nz, school.nz | The obfuscation of DNSKEY records in the ac.nz, gen.nz, maori.nz, and school.nz zones will be reverted, making their real content visible in the zone. | Complete |
| 25-Jun | DS records included in .nz zone | ac.nz, gen.nz, maori.nz, school.nz | Two hours after removing the DNSKEY obfuscation, the DS records for ac.nz, gen.nz, maori.nz, and school.nz will be included in the .nz zone. From that moment, any DS records in the registry for domains under these SLDs will be included in their respective zones, enabling validation. | Complete |
| 9-Jul | Publish signed zones with obscured keys | net.nz, org.nz | The .nz nameservers will start serving a signed version of the net.nz and org.nz zones, but with the DNSKEY records obfuscated to prevent their use as trust anchors. | Complete |
| 16-Jul | DNSKEY records are unobscured | net.nz, org.nz | The obfuscation of DNSKEY records in the net.nz and org.nz zones will be reverted, making their real content visible in the zone. | Complete |
| 16-Jul | DS records included in .nz zone | net.nz, org.nz | Two hours after removing the DNSKEY obfuscation, the DS records for net.nz and org.nz will be included in the .nz zone. From that moment, any DS records in the registry for domains under these SLDs will be included in their respective zones, enabling validation. | Complete |
| 30-Jul | Publish signed zone with obscured keys | co.nz | The .nz nameservers will start serving a signed version of the co.nz zone, but with the DNSKEY records obfuscated to prevent their use as trust anchors. | Complete |
| 06-Aug | DNSKEY records are unobscured | co.nz | The obfuscation of DNSKEY records in the co.nz zone will be reverted, making their real content visible in the zone. | Complete |
| 07-Aug | DS records included in .nz zone | co.nz | Two hours after removing the DNSKEY obfuscation, the DS records for co.nz will be included in the .nz zone. From that moment, any DS records in the registry for domains under co.nz will be included, enabling validation. | |

.nz Zone

| Date | Task | Description | Status |
|---|---|---|---|
| 22-May-11 | SRS began accepting DS records | Both SRS and EPP interfaces are capable of receiving DS records for the third level domains. Those records won't be published until the corresponding second level domain is signed. | Complete |
| 18-Nov-11 | Key Generation | The keys needed to sign the .nz zone and the second level zones will be generated according to procedure. This will be a once-a-year task. | Complete |
| 21-Nov-11 | Signed .nz zone is published with obscured keys | The .nz nameservers will start serving a signed version of the .nz zone, but with the DNSKEY records obfuscated to prevent their use as trust anchors. | Complete |
| Nov-11 | Deployment results are analyzed and decision to submit DS record to the root is taken | Over the next two weeks, we will be analyzing the behaviour of the system while serving a signed zone. This will enable us to determine if it's safe to proceed with the DNSSEC deployment schedule. | Complete |
| 9-Dec-11 | DNSKEY records for .nz are unobscured | The obfuscation of DNSKEY records in the .nz zone will be reverted, making their real content visible in the zone. It's not advisable to use them as trust anchors. | Complete |
| 9-Dec-11 | DS records for .nz are submitted to the root | NZRS requests a change to the Root Zone Management to add the DS records for the .nz zone. | Complete |
| 16-Dec-11 | .nz DS records are published in the root zone | If all the checks pass, the Root Zone Management should make the changes requested visible around this date. | Complete |

DNSSEC documents and presentations

| Date | Details |
|---|---|
| 31/1/14 | Lightning talk presented during NZNOG'14 in Nelson, about setting up a DNSSEC validating resolver for the conference using a Raspberry Pi. |
| 14/11/13 | Registrar Conference 2013 - DNSSEC. Presented by Sebastian Castro. |
| 10/4/13 | Update on the state of DNSSEC in .nz. Presented to the DNSSEC workshop at the ICANN meeting in Beijing April 2013. |
| 21/3/12 | Presentation submitted to the DNS-OARC Workshop London 2012. This presentation documents the process followed to fix the .nz DNSKEY encoding during the publication of a signed .nz zone. Due to a software bug, the encoding was incorrect, and even thorough testing didn't detect it. |
| 17/3/11 | Presentation on the potential innovative uses of DNS that could result from using DNSSEC. Given to the DNSSEC Workshop at ICANN San Francisco in March 2011. |
| 28/1/11 | Another presentation on the potential for storing X.509 certificates in DNS using DNSSEC to secure them. Given to NZNOG in January 2011. |
| 27/1/11 | DNSSEC implementation for .nz progress report. Lightning talk presented during NZNOG'11 in Wellington. |
| 28/6/10 | Presentation given remotely to the APTLD meeting in Colombo on the potential from storing X.509 certificates in DNSSEC. Given in June 2010. |
| 29/4/10 | Detailed presentation on the technology of DNSSEC and the threats it addresses, given to the Wellington branch of NZISIG in April 2010. |
| 6/10/09 | Introductory presentation on the technology of DNSSEC given to First Tuesday in October 2009. |
| 24/6/09 | Presentation on the issues for registrars and policy makers introduced by DNSSEC, given to the SSAC DNSSEC workshop at ICANN Sydney in June 2009. |