DNSSEC support in .nz

DNSSEC is a set of security extensions to DNS that add digital signatures to the data that we publish and a mechanism for finding and verifying the keys used to verify these signatures.

The .nz TLD and the public second-levels have been fully signed since 2012, and the SRS has accepted DS records since May 2011.

DS Records in .nz

Each DS record consists of four fields: KeyTag, Algorithm, DigestType and Digest. All DS records must comply with RFC 3658.

A DS record looks like:

25271   8          1            2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada
^^^^^   ^^         ^^           ^^^^^^^^^

The registry will apply the following restrictions to the DS records:

  • The accepted algorithms are: 5 (RSA/SHA-1), 6 (DSA-NSEC3-SHA1), 7 (RSASHA1-NSEC3-SHA1), 8 (RSA/SHA-256), 10 (RSA/SHA-512), and 13 (ECDSA Curve P-256 with SHA-256)
  • The accepted digest types are: 1 (SHA-1) and 2 (SHA-256)

The following registration rules will be applied:

  • Each domain can hold up to 10 DS records
  • DS records will only be accepted if name server (NS) records are present for the domain
  • DS records will be included in the zone only if the domain is delegated
  • If a transaction attempts to delete NS records for a domain with DS records, it will be rejected. DS records must be deleted before NS records. It is valid to delete both NS and DS records in the same transaction.


DS record support was enabled in May 2011.

DS records can be created by passing a DNSSEC element with DS sub-elements, for example:

  <DS Algorithm="5" DigestType="1" KeyTag="12892">
  <DS Algorithm="5" DigestType="2" KeyTag="12892">

A DomainDetailsQry transaction can return DNSSEC information by passing a FieldList element with a DNSSEC="1" attribute, for example:

<FieldList NameServers="1" DNSSEC="1" />


We support the DNSSEC EPP extension as per RFC 5910

  • Domains can be created with DS records using a domain:create request
  • DS records can be added and removed using domain:update requests
  • DS record data can be queried using a domain:info request

Details on our algorithms and digests can be found on the DNSSEC - DS records section of the .nz Specific EPP rules page.

DNSSEC data via Whois Protocol

The Whois Daemon will display DS records in the following format:


For example:

ds_rdata_01: 25271  8  1  2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada

Additionally, a new output field is added: domain_signed, displaying "yes" if DS records are present or "no" in any other case. This field is presented after the domain_delegatedrequest.

For example:

domain_name: nzrs.net.nz
query_status: 200 Active
domain_dateregistered: 2002-07-07T19:19:04+12:00
domain_datebilleduntil: 2010-08-07T19:19:04+12:00
domain_datelastmodified: 2010-07-07T23:39:06+12:00
domain_delegaterequested: yes
domain_signed: yes