Consultation on DNSSEC Policy

Consultation period closed at midday 6 December 2010 DNSSEC Policy Amendments Consultation Paper

.nz is preparing to introduce the Domain Name System Security Extensions (DNSSEC) to strengthen the security and reputation of .nz. 

This consultation is the second on the .nz DNSSEC implementation.  The first consultation identified issues for Registrants and Registrars.  That paper also proposed policy principles that would ensure protection for Registrants in maintaining the Chain of Trust throughout the management of any DNSSEC signed domain names.  Submissions received during that public consultation were generally supportive of the proposed approaches.  Details of that work are available here:

This consultation follows on from the first one and details below the proposed amendments to the .nz policies to allow for the implementation of DNSSEC in line with the approach detailed in the initial consultation.  Comments are now sought on the proposed amendments.

Proposed .nz policy changes

It is proposed the following clauses are added to the following .nz policies:

Registering, Managing and Cancelling Domain Names


  • In relation to managing signed domain names, Registrants, or their DNS Operator, will be responsible for:

    • generating and managing their keys;
    • generating the DS Record; and
    • determining how often they perform key rollovers.
  • When a Registrant elects to un-sign a signed name, the Registrar will remove the DS Records for that name as soon as it is practical to do so.

Transfer to Another Registrar


DNSSEC Transfers

In relation to DNSSEC the following apply:

  • Registrars that are not DNSSEC-capable must check if a name is signed before it is transferred in.  If the name is signed then the registrar must notify the registrant of the implications of transferring in a signed name, and the registrant must confirm the transfer, before the registrar can initiate it.

  • The following cooperation and participation will be required by registrars, when involved in the transfer of a signed domain name, where the registrant wants to modify DNSSEC related information:

    • The gaining registrar must provide the new DNSKEY to the losing registrar.

    • The losing registrar must add the new DNSKEY to their DNS for the domain name and continue to serve this until they are notified that the change is complete.

    • The gaining registrar provides the DS Record to the losing registrar, who then provides it to the registry.

    • Once the new DNSKEY and DS Record are visible to DNS resolvers then any changes to the name servers can be processed.

    • The name is then transferred.

    • The losing registrar must remove the domain name from their system when requested, but must not remove it before being requested to do so.

    • The gaining registrar can then delete the old DNSKEY provided by the losing registrar.

  • Where a forced bulk transfer is required, signed names will be transferred to a DNSSEC-Capable Registrar.

Roles and Responsibilities – Domain Name Commission Responsibilities


  • The DNC will establish and maintain a contact repository of DNS Operators who offer DNSSEC services.

Addition of ‘DS Record’ to the list of specified fields in the following policies 

 Comments on the proposed policy amendments, should be  sent by email to [email protected], by fax to (04) 495 2115, or by mail to P O Box 11881, Wellington.  As submissions are received they will be published on the DNC website at  Submissions should be received by midday on 6 December 2010.

As the .nz DNSSEC project progresses resources for Registrants and Registrars, such as FAQ’s, will be added to the DNCL website.


Glen Eustace - .html | .pdf

Department of Internal Affairs - .pdf

DNC news