DNSSEC support in .nz
=====================

DNSSEC is a set of security extensions to DNS that add digital signatures to the data that we publish and a mechanism for finding and verifying the keys used to verify these signatures. The .nz TLD and the public second-levels have been fully signed since 2012, and the SRS has accepted DS records since May 2011.

DS Records in .nz
-----------------

Each DS record consists of four fields: KeyTag, Algorithm, DigestType and Digest. All DS records must comply with RFC 3658.

A DS record looks like::

    25271 8 1 2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada
    ^^^^^ ^ ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    KEYTAG  ALGORITHM  DIGEST_TYPE  DIGEST

The registry will apply the following restrictions to the DS records:

* The accepted algorithms are: 5 (RSA/SHA-1), 6 (DSA-NSEC3-SHA1), 7 (RSASHA1-NSEC3-SHA1), 8 (RSA/SHA-256), 10 (RSA/SHA-512), and 13 (ECDSA Curve P-256 with SHA-256)
* The accepted digest types are: 1 (SHA-1) and 2 (SHA-256)

The following registration rules will be applied:

* Each domain can hold up to 10 DS records
* DS records will only be accepted if name server (NS) records are present for the domain
* DS records will be included in the zone only if the domain is delegated
* If a transaction attempts to delete NS records for a domain with DS records, it will be rejected. DS records must be deleted before NS records. It is valid to delete both NS and DS records in the same transaction.

DNSSEC via SRS
--------------

DS record support was enabled in May 2011.

* Domains can be created with DS records using a :ref:`DomainCreate` request
* DS records can be added and removed using :ref:`DomainUpdate` requests
* DS records can be queried using :ref:`DomainDetailsQry` requests

DS records can be created by passing a DNSSEC element with DS sub-elements, for example:

.. code-block:: xml

    3FC2FB591B6089F454B90A529C760E3F92F28399
    85DB78AF90EB23B5B346528482ABA500A445DDB40F5BE2F04911EE7CF7CF2335

A :ref:`DomainDetailsQry` transaction can return DNSSEC information by passing a FieldList element with a DNSSEC="1" attribute, for example:

.. code-block:: xml

DNSSEC via EPP
--------------

We support the DNSSEC EPP extension as per `RFC 5910 `_

* Domains can be created with DS records using a :ref:`domain:create ` request
* DS records can be added and removed using :ref:`domain:update ` requests
* DS record data can be queried using a :ref:`domain:info ` request

Details on our algorithms and digests can be found in the :ref:`DNSSEC - DS records ` section of the :ref:`.nz Specific EPP rules ` page.

DNSSEC data via Whois Protocol
------------------------------

The Whois Daemon will display DS records in the following format::

    ds_rdata_:

For example::

    ds_rdata_01: 25271 8 1 2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada

Additionally, a new output field is added: domain_signed, displaying "yes" if DS records are present or "no" in any other case. This field is presented after the domain_delegaterequested field. For example::

    domain_name: internetnz.net.nz
    query_status: 200 Active
    domain_dateregistered: 2002-07-07T19:19:04+12:00
    domain_datebilleduntil: 2010-08-07T19:19:04+12:00
    domain_datelastmodified: 2010-07-07T23:39:06+12:00
    domain_delegaterequested: yes
    domain_signed: yes
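The restrictions and registration rules above, applied to DS records in the presentation format shown earlier, as an added example (not registry or SRS code). It assumes the registry checks the digest length against the digest type (20 bytes for SHA-1, 32 for SHA-256), and models the NS/DS deletion rule as "after the transaction, any remaining DS records must still be accompanied by NS records"; both are assumptions, not statements from the page.

```python
import re

# Registry restrictions as listed on this page
ACCEPTED_ALGORITHMS = {5, 6, 7, 8, 10, 13}
# Digest type -> expected hex length (assumption: SHA-1 = 20 bytes, SHA-256 = 32 bytes)
ACCEPTED_DIGEST_TYPES = {1: 40, 2: 64}
MAX_DS_PER_DOMAIN = 10


def parse_ds(text):
    """Parse 'KEYTAG ALGORITHM DIGEST_TYPE DIGEST'; raise ValueError if the registry would reject it."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError("DS record must have exactly four fields")
    keytag, alg, dtype = int(parts[0]), int(parts[1]), int(parts[2])
    digest = parts[3].lower()
    if not 0 <= keytag <= 65535:
        raise ValueError("KeyTag must fit in 16 bits")
    if alg not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"algorithm {alg} is not accepted")
    if dtype not in ACCEPTED_DIGEST_TYPES:
        raise ValueError(f"digest type {dtype} is not accepted")
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) != ACCEPTED_DIGEST_TYPES[dtype]:
        raise ValueError(f"digest is not {ACCEPTED_DIGEST_TYPES[dtype]} hex characters")
    return {"keytag": keytag, "algorithm": alg, "digest_type": dtype, "digest": digest}


def check_domain(ns_records, ds_records):
    """Apply the registration rules to a domain state; return a list of problems (empty = accepted)."""
    problems = []
    for ds in ds_records:
        try:
            parse_ds(ds)
        except ValueError as e:
            problems.append(f"{ds!r}: {e}")
    if ds_records and not ns_records:
        problems.append("DS records require NS records for the domain")
    if len(ds_records) > MAX_DS_PER_DOMAIN:
        problems.append(f"more than {MAX_DS_PER_DOMAIN} DS records")
    return problems


def update_accepted(current_ns, current_ds, remove_ns, remove_ds):
    """Would an update deleting the given NS and DS records be accepted?
    Deleting NS while DS remain is rejected; deleting both in one transaction is fine."""
    remaining_ns = [n for n in current_ns if n not in remove_ns]
    remaining_ds = [d for d in current_ds if d not in remove_ds]
    return check_domain(remaining_ns, remaining_ds) == []
```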