DNSSEC is a set of security extensions to DNS that add digital signatures to the data we publish, together with a mechanism for locating and authenticating the keys used to verify those signatures.
The .nz TLD and the public second-levels have been fully signed since 2012, and the SRS has accepted DS records since May 2011.
Each DS record consists of four fields: KeyTag, Algorithm, DigestType and Digest. All DS records must comply with RFC 3658.
A DS record looks like:
25271 8 1 2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada
|     | | |
|     | | DIGEST
|     | DIGEST_TYPE
|     ALGORITHM
KEYTAG
The registry will apply the following restrictions to the DS records:
The following registration rules will be applied:
DS record support was enabled in May 2011.
DS records can be created by passing a DNSSEC element with DS sub-elements, for example:
<DNSSEC>
  <DS Algorithm="5" DigestType="1" KeyTag="12892">
    <Digest>3FC2FB591B6089F454B90A529C760E3F92F28399</Digest>
  </DS>
  <DS Algorithm="5" DigestType="2" KeyTag="12892">
    <Digest>85DB78AF90EB23B5B346528482ABA500A445DDB40F5BE2F04911EE7CF7CF2335</Digest>
  </DS>
</DNSSEC>
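The following Python is an added example and is not part of this page, the SRS software or its client library. It shows where the four DS fields come from and what a registry can check on them: the key tag and digest are derived from a DNSKEY as specified in RFC 4034 (the digest covers the canonical owner name followed by the DNSKEY RDATA), the field-level checks are the ones a registry can apply without access to the child zone, and the result is serialised as the DNSSEC element with DS sub-elements shown above. The owner name example.nz and the DNSKEY public-key bytes are constructed; the mapping of digest types 1, 2 and 4 to SHA-1, SHA-256 and SHA-384 is assumed from the RFCs, not stated on this page.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Hex digest length expected for each DS digest type (assumed from
# RFC 4034, RFC 4509 and RFC 6605; this page does not list them).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
DIGEST_FUNC = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(dnskey_rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(dnskey_rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type):
    """Return the DS tuple (KeyTag, Algorithm, DigestType, Digest) for a DNSKEY.

    The DNSKEY RDATA is flags (2 bytes), protocol, algorithm, then the public key;
    the digest is taken over the canonical owner name followed by that RDATA.
    """
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    digest = DIGEST_FUNC[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_ds(keytag, algorithm, digest_type, digest):
    """Field-level checks a registry can run on a submitted DS record.

    Returns a list of problems; an empty list means the record is well-formed.
    Whether the digest really matches the child's DNSKEY cannot be decided here.
    """
    problems = []
    if not 0 <= keytag <= 65535:
        problems.append("KeyTag must be a 16-bit value")
    if not 1 <= algorithm <= 255:
        problems.append("Algorithm must be in 1..255")
    if digest_type not in DIGEST_HEX_LEN:
        problems.append("unsupported DigestType %d" % digest_type)
    else:
        if len(digest) != DIGEST_HEX_LEN[digest_type]:
            problems.append("Digest length %d does not match DigestType %d"
                            % (len(digest), digest_type))
        if not HEX_RE.fullmatch(digest):
            problems.append("Digest is not hexadecimal")
    return problems


def dnssec_element(ds_records):
    """Serialise DS tuples as the SRS DNSSEC element with DS sub-elements."""
    root = ET.Element("DNSSEC")
    for keytag, algorithm, digest_type, digest in ds_records:
        ds = ET.SubElement(root, "DS", Algorithm=str(algorithm),
                           DigestType=str(digest_type), KeyTag=str(keytag))
        ET.SubElement(ds, "Digest").text = digest.upper()
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed KSK for example.nz: flags 257 (KSK), protocol 3, algorithm 8.
    pubkey = b"\x01\x02\x03\x04"
    records = [ds_from_dnskey("example.nz.", 257, 3, 8, pubkey, t) for t in (1, 2)]
    for rec in records:
        print(rec, check_ds(*rec) or "ok")
    print(dnssec_element(records))
```

The key tag is only a hint for locating the matching DNSKEY, not a security property; a registry should therefore accept it as given and leave validation of the full chain to resolvers, while the digest length and hexadecimal checks stop malformed records from ever reaching the zone.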
A DomainDetailsQry transaction can return DNSSEC information by passing a FieldList element with a DNSSEC="1" attribute, for example:
<FieldList NameServers="1" DNSSEC="1" />
We support the DNSSEC EPP extension as per RFC 5910.
The Whois Daemon will display DS records in the following format:
ds_rdata_<NN>: <KEYTAG> <ALGORITHM> <DIGEST_TYPE> <DIGEST>
ds_rdata_01: 25271 8 1 2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada
Additionally, a new output field, domain_signed, displays "yes" if DS records are present and "no" in any other case. This field is presented after the domain_delegaterequested field.
domain_name: nzrs.net.nz
query_status: 200 Active
domain_dateregistered: 2002-07-07T19:19:04+12:00
domain_datebilleduntil: 2010-08-07T19:19:04+12:00
domain_datelastmodified: 2010-07-07T23:39:06+12:00
domain_delegaterequested: yes
domain_signed: yes
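As an added example (not code from this page or from the whois daemon), the following Python parses the key: value output above, collects the ds_rdata_NN lines, and compares the DS set the registry publishes against the set the zone operator intends to have published. A zone operator can run such a check after every key rollover or DS change to catch a DS that was never submitted, one that was left behind, or a domain_signed value that disagrees with the DS lines. The sample output is constructed: the first DS line is the page's example, the second pairs the same key tag with a SHA-256 digest taken from the XML example above purely for illustration.

```python
import re

# Constructed whois daemon output, one key: value pair per line. Values may
# themselves contain colons (timestamps), so only the first colon is a separator.
SAMPLE_WHOIS = """\
domain_name: nzrs.net.nz
query_status: 200 Active
domain_dateregistered: 2002-07-07T19:19:04+12:00
domain_delegaterequested: yes
domain_signed: yes
ds_rdata_01: 25271 8 1 2cfdbd6c3460c2a39cdccb3fa3e545dafca02ada
ds_rdata_02: 25271 8 2 85db78af90eb23b5b346528482aba500a445ddb40f5be2f04911ee7cf7cf2335
"""

DS_FIELD = re.compile(r"^ds_rdata_\d+$")


def parse_whois(text):
    """Split whois output into scalar fields and a list of DS tuples.

    Each DS tuple is (KeyTag, Algorithm, DigestType, Digest); digests are
    normalised to lower case so that comparisons are case-insensitive.
    """
    fields, ds_records = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if DS_FIELD.match(key):
            keytag, algorithm, digest_type, digest = value.split()
            ds_records.append((int(keytag), int(algorithm), int(digest_type), digest.lower()))
        else:
            fields[key] = value
    return fields, ds_records


def audit_ds(text, expected_ds):
    """Compare published DS records with the operator's expected set.

    Returns a list of findings; an empty list means registry and operator agree.
    """
    fields, published = parse_whois(text)
    findings = []
    signed = fields.get("domain_signed")
    if signed == "yes" and not published:
        findings.append("domain_signed is yes but no ds_rdata lines are present")
    if signed == "no" and published:
        findings.append("domain_signed is no but ds_rdata lines are present")
    expected = {(k, a, t, d.lower()) for k, a, t, d in expected_ds}
    for rec in sorted(set(published) - expected):
        findings.append("unexpected DS at registry: %d %d %d %s" % rec)
    for rec in sorted(expected - set(published)):
        findings.append("expected DS missing at registry: %d %d %d %s" % rec)
    return findings


if __name__ == "__main__":
    # The operator believes only the SHA-1 DS should be published.
    intended = [(25271, 8, 1, "2CFDBD6C3460C2A39CDCCB3FA3E545DAFCA02ADA")]
    for finding in audit_ds(SAMPLE_WHOIS, intended) or ["registry matches intended DS set"]:
        print(finding)
```

An unexpected DS at the registry is the finding to treat most seriously: it means a key you do not control could be accepted by validating resolvers as a trust anchor for the zone, so it should be investigated through the registrar rather than simply deleted.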