DNSSEC support in .nz
DNSSEC is a set of security extensions to DNS that add digital signatures to the data that we publish, together with a mechanism for locating and authenticating the keys used to verify those signatures.
The .nz TLD and the public second-levels have been fully signed since 2012, and the SRS has accepted DS records since May 2011.
DS Records in .nz
Each DS record consists of four fields: KeyTag, Algorithm, DigestType and Digest. All DS records must comply with RFC 3658.
A DS record looks like:
25271 8 1 2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada
The four fields, from left to right, are KEYTAG (25271), ALGORITHM (8), DIGEST_TYPE (1) and DIGEST (2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada).
The registry will apply the following restrictions to the DS records:
- The accepted algorithms are: 5 (RSA/SHA-1), 6 (DSA-NSEC3-SHA1), 7 (RSASHA1-NSEC3-SHA1), 8 (RSA/SHA-256), 10 (RSA/SHA-512), and 13 (ECDSA Curve P-256 with SHA-256)
- The accepted digest types are: 1 (SHA-1) and 2 (SHA-256)
The following registration rules will be applied:
- Each domain can hold up to 10 DS records
- DS records will only be accepted if name server (NS) records are present for the domain
- DS records will be included in the zone only if the domain is delegated
- If a transaction attempts to delete NS records for a domain with DS records, it will be rejected. DS records must be deleted before NS records. It is valid to delete both NS and DS records in the same transaction.
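As an added example (not registry code), the checks below apply the DS field format, the accepted algorithm and digest-type numbers, and the per-domain rules listed above to DS records given in presentation form. The expected digest lengths (40 hex characters for SHA-1, 64 for SHA-256) follow from the digest types and, like the function names, are this example's own assumptions.

```python
# Added example: validate DS records against the .nz restrictions described above.
import re

# Algorithm and digest-type numbers the registry accepts (taken from the list above).
ACCEPTED_ALGORITHMS = {5, 6, 7, 8, 10, 13}
# Digest type -> expected digest length in hex characters (assumption: SHA-1 = 20 bytes, SHA-256 = 32 bytes).
DIGEST_HEX_LENGTH = {1: 40, 2: 64}
MAX_DS_PER_DOMAIN = 10

def parse_ds(text):
    """Parse the presentation format 'KEYTAG ALGORITHM DIGEST_TYPE DIGEST'."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("DS record must have exactly four fields")
    keytag, alg, dtype, digest = fields
    return {"keytag": int(keytag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": digest.lower()}

def ds_errors(ds):
    """Return the list of restriction violations for one parsed DS record."""
    errors = []
    if not 0 <= ds["keytag"] <= 0xFFFF:
        errors.append("keytag out of 16-bit range")
    if ds["algorithm"] not in ACCEPTED_ALGORITHMS:
        errors.append(f"algorithm {ds['algorithm']} not accepted")
    want = DIGEST_HEX_LENGTH.get(ds["digest_type"])
    if want is None:
        errors.append(f"digest type {ds['digest_type']} not accepted")
    elif not re.fullmatch(r"[0-9a-f]{%d}" % want, ds["digest"]):
        errors.append(f"digest must be {want} hex characters for digest type {ds['digest_type']}")
    return errors

def check_domain(ds_texts, has_ns):
    """Per-domain rules: NS records present, at most 10 DS records, each DS record valid."""
    errors = []
    if ds_texts and not has_ns:
        errors.append("DS records rejected: domain has no NS records")
    if len(ds_texts) > MAX_DS_PER_DOMAIN:
        errors.append(f"more than {MAX_DS_PER_DOMAIN} DS records")
    for i, text in enumerate(ds_texts, 1):
        for e in ds_errors(parse_ds(text)):
            errors.append(f"DS {i}: {e}")
    return errors

def check_delete(deleting_ns, remaining_ds):
    """NS records may be deleted only when no DS records remain after the transaction."""
    return not (deleting_ns and remaining_ds)
```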
DNSSEC via SRS
DS record support was enabled in May 2011.
- Domains can be created with DS records using a DomainCreate request
- DS records can be added and removed using DomainUpdate requests
- DS records can be queried using DomainDetailsQry requests
DS records can be created by passing a DNSSEC element with DS sub-elements, for example:
<DNSSEC>
  <DS Algorithm="5" DigestType="1" KeyTag="12892">
    <Digest>3FC2FB591B6089F454B90A529C760E3F92F28399</Digest>
  </DS>
  <DS Algorithm="5" DigestType="2" KeyTag="12892">
    <Digest>85DB78AF90EB23B5B346528482ABA500A445DDB40F5BE2F04911EE7CF7CF2335</Digest>
  </DS>
</DNSSEC>
A DomainDetailsQry transaction can return DNSSEC information by passing a FieldList element with a DNSSEC="1" attribute, for example:
<FieldList NameServers="1" DNSSEC="1" />
DNSSEC via EPP
We support the DNSSEC EPP extension as specified in RFC 5910.
- Domains can be created with DS records using a domain:create request
- DS records can be added and removed using domain:update requests
- DS record data can be queried using a domain:info request
DNSSEC data via Whois Protocol
The Whois Daemon will display DS records in the following format:
ds_rdata_<NN>: <KEYTAG> <ALGORITHM> <DIGEST_TYPE> <DIGEST>
ds_rdata_01: 25271 8 1 2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada
Additionally, a new output field is added: domain_signed, displaying "yes" if DS records are present or "no" in any other case. This field is presented after the domain_delegaterequested field.
domain_name: internetnz.net.nz
query_status: 200 Active
domain_dateregistered: 2002-07-07T19:19:04+12:00
domain_datebilleduntil: 2010-08-07T19:19:04+12:00
domain_datelastmodified: 2010-07-07T23:39:06+12:00
domain_delegaterequested: yes
domain_signed: yes