DNSSEC Policy Amendment Notification

This is to advise of amendments to four .nz policies to encompass the implementation of DNSSEC into the .nz domain name space.  

DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS).  The introduction of DNSSEC to .nz will improve the security posture of New Zealand by providing Registrants with an effective tool to combat attacks such as website phishing. For more information on DNSSEC please refer to the DNSSEC Background Paper

The amended policies will take effect from Monday 2 May 2011.


1. Privacy Policy

The current clause 4.2 of the Privacy Policy will be amended to reflect the addition of the DS Record List to the WHOIS:

4.2       Following is a list of all the personal information that will be used by NZRS to facilitate a WHOIS search:

  • Domain Name.
  • Designated Registrar.
  • Name Server List.
  • Registrant Contact Details.
  • Administrative Contact Details.
  • Technical Contact Details.
  • Registration status.
  • Date registered.
  • Date registered/billed until.
  • Domain Signed.
  • DS Record List.


2. Registering, Managing, and Cancelling Domain Names Policy

The current clauses 7.1 and 8.1 of the Registering, Managing, and Cancelling Domain Names Policy (RMC) will be updated.  Clause 7.1 will include the DS Record List which will be able to be stored in the registry, and will also include the Registrant Name and Customer ID fields which are currently listed in clause 8.1.  Clause 8.1 will include the DS Record List:

7.1       When registering a new domain name the registrar will supply the following data:

  • Domain name.
  • Name server list. (Optional)
  • Registrant Name.
  • Registrant contact details.
  • Registrant Customer ID. (Optional)
  • Administrative contact details.
  • Technical contact details.
  • Billing term.

  and, if applicable:

  • DS Record List.

8.1       Registrars will be required to maintain the details of the domain names for which they are the registrar.  They will be able to amend/update the following fields:

  • Name Server List.
  • Registrant Name.
  • Registrant Contact Details.
  • Registrant Customer ID.
  • Administrative Contact Details.
  • Technical Contact Details.
  • Billing Term.
  • DS Record List.


The following two new clauses 8.14 and 8.15 will be added to the RMC to address additional responsibilities associated with DNSSEC:

8.14     In relation to managing DNSSEC signed domain names, Registrants, or their DNS Operator, will be responsible for:

  • generating and managing their keys;
  • generating the DS Records; and
  • determining how often they perform key rollovers.

8.15     When a Registrant elects to un-sign a DNSSEC signed name, the Registrar will remove the DS Records for that name as soon as it is practical to do so.


The following new section will be added to the RMC, as section 9. Name Server Updates, to address how Registrars are to handle name server updates, for signed domain names they manage. The existing sections 9 through to 15 will be renumbered 10 through to 16 respectively:

9.         Name Server Updates

9.1  Registrants can elect to operate their own domain name system or they can delegate this responsibility to a third party called a ‘DNS Operator’.  The DNS Operator could be the Registrar for the domain, a Registrar who does not manage the domain, a hosting provider, an ISP, or some other third party that offers DNS management services.

9.2  When a change of DNS Operator for a signed domain name is required and both the current and proposed DNS Operators are Registrars, then the cooperation and participation set out in 9.3 is required.

9.3  Domain Names with DNSSEC enabled

9.3.1  Prior to a name server update, the losing DNS Operator must provide the zone information for the domain name when requested to do so, and accept and add the new DNSKEY to the zone for the domain name, re-sign it and continue to serve this until they are notified the change is complete.

9.3.2  The gaining DNS Operator then provides the new DS Record to the losing DNS Operator who provides it to the Registry.  The name servers for the domain name can then be updated with the Registry.

9.3.3  Following the name server update, the gaining DNS Operator must delete the old DS Record and DNSKEY provided by the losing DNS Operator.

9.3.4  The losing DNS Operator must remove the domain name from their name servers when requested, but must not remove it before being requested to do so.


3. Roles and Responsibilities Policy

The following new clause 7.5 will be added to the Roles and Responsibilities Policy to highlight the new DNS Operators contact repository the Domain Name Commission will establish and maintain:

7.5  The DNC will establish and maintain a contact repository of DNS Operators who offer DNSSEC services.


4. WHOIS Policy

The current clause 4.2 of the WHOIS Policy will be amended to include the additional fields Domain Signed and DS Records, that will be added to the WHOIS record:

4.2  The following details will be available in response to a WHOIS query:

  • Domain Name;
  • Registration status;
  • Date registered;
  • Date registered/billed until;
  • Date last modified;
  • Include in DNS;
  • Registrar of Record (including contact details);
  • Registrant Contact Details;
  • Administrative Contact Details;
  • Technical Contact Details;
  • Name Servers;
  • Domain Signed;

  and, if applicable:

  • DS Records;
  • Date cancelled;
  • Date locked.


Previews of the amended policies that come into effect on 2 May can be found here:

Privacy Policy

Registering, Managing, and Cancelling Policy

Roles and Responsibilities

WHOIS Policy

DNC news