Tag Archives: Domain Name Commissioner

.NZ Benefits From Major Technical Security Deployment of DNSSEC

[news release] New Zealanders will be able to better secure their web presence from today, thanks to a major technical security deployment by InternetNZ subsidiaries .NZ Registry Services (NZRS) and the Domain Name Commission (DNCL).

Following more than two years of behind-the-scenes work, the DNSSEC (Domain Name System Security Extensions) protocol has been implemented across New Zealand’s un-moderated second level domain space, including the widely used .co.nz. The next few months will see DNSSEC progressively adopted across all moderated second level domains, including .govt.nz.

DNSSEC is a security protocol that sits atop the Domain Name System (DNS). Developed early in the history of the Internet, the DNS maps IP addresses to human readable domain names. However, the original security built into DNS was weak and hackers have developed ways to ‘spoof’ DNS data and redirect legitimate traffic. DNSSEC combats this vulnerability.

Domain Name Commissioner Debbie Monahan says that now DNSSEC has been deployed across the top level and open second level .nz domain space, New Zealand website owners can make use of the protections it offers.

“DNSSEC is akin to a driver knowing that the road sign they are looking at is pointing them in the right direction and not leading them astray,” she says. “Once website owners implement DNSSEC, visitors to their site can be guaranteed they are reaching a legitimate site. This will be highly attractive for banking institutions or other organisations or individuals wanting to transact securely with their customers.”

Monahan describes DNSSEC as a milestone in the security of New Zealand’s Domain Name System. It is one of the key building blocks to securing a web presence and an important tool in mitigating against malicious online activity involving domain names.

NZRS DNS Specialist Sebastian Castro designed and managed the implementation of DNSSEC in .nz. He says enabling DNSSEC is the first step to supporting a new set of security services and extensions such as DANE, that rely on the ability to securely authenticate and verify DNS data.

“We are proud of the open process the Domain Name Commission and .nz Registry Services followed for this project, and recognise the important involvement of New Zealand’s technical community. This approach sets an example to other countries regarding technical policy development and innovation,” he says.

Already, over 50 countries have deployed DNSSEC and adoption is expected to rapidly pick up over the next few years, both in other country code domains and amongst infrastructure and service providers.

More information about DNSSEC in New Zealand is available at www.dnc.org.nz/dnssec. Included is key information on how people can set up DNSSEC on their .nz domain names.

This InternetNZ news release was sourced from:

DNCL Proposes Second Level .NZ Registrations

In what could amount to a major extension to New Zealand’s domain name space, the Domain Name Commission Limited (DNCL) has launched a consultation on whether registrations should be permitted directly under the .nz country code.

At present the existing .nz structure consists of a set of 14 approved ‘second’ level domains, under which all names must be registered. For example, with trademe.co.nz the top-level domain is .nz, the approved ‘second’ level domain is .co and the ‘third’ level domain is trademe.

The DNCL is proposing to extend registrations directly to the second-level. A direct second-level registration would read trademe.nz. This approach is used with all generic top-level domains (such as .com) and in an increasing number of other countries including Canada.

Domain Name Commission Chair Joy Liddicoat says if the proposal is accepted it would significantly alter the make-up of New Zealand’s country code. It would provide a simpler and alternative way for Internet users to represent themselves online, without being limited by the existing set of second level domains.

“In recent years the global domain name market has experienced an unprecedented expansion and it’s timely to ask whether and how .nz needs to adapt. This proposal would be a major structural change and has been raised as part of our regular policy reviews,” she says.

Liddicoat says the proposal would not affect existing .nz domain names, and all existing .nz processes would operate the same.

Before any decision is made the DNCL is interested in hearing the views of as many people and organisations as possible. A Consultation Paper and Frequently Asked Questions have been released, which explain the proposed changes in detail.

The Consultation Paper covers off a range of issues including how competing names would be dealt with and the impact on existing .nz registrations. In addition, a dispute resolution process is sketched out.

If the proposal goes ahead, a Sunrise Period for second level registrations would apply retrospectively from the date of this release to protect existing .nz domain holders.

Submissions close at 12 Noon on Thursday, 27 September 2012 and can be made at:

More information is available at dnc.org.nz/second_level_proposal_c1

This Domain Name Commissioner announcement was sourced from:

To register your .NZ domain name, check out Asia Registry here.

.NZ Consults on DNSSEC Implementation

With preparations underway for .NZ (New Zealand) to implement DNSSEC, the .NZ Domain Name Commissioner has commenced a public consultation.

More information is available in the news release below.

Consultation on DNSSEC Implementation

.nz is preparing to introduce the Domain Name System Security Extensions (DNSSEC) to strengthen the security and reputation of .nz.

Vulnerabilities exist in the Domain Name System (DNS) that allow miscreants to re-direct, intercept, or modify users’ Internet traffic, each with potentially devastating consequences. DNSSEC has been developed to add to the security features of the DNS, and to mitigate those vulnerabilities.

This document has been prepared as we seek to consult on the issues identified for Registrants and Registrars, and the proposed solutions.  A background paper on DNSSEC can be accessed at dnc.org.nz/content/DNSSEC_Background_Paper.pdf.

DNS Management

Registrants can elect to operate their own DNS or they can delegate this responsibility to a third party called a ‘DNS Operator’, who offers DNS management services.  The DNS Operator could be the Registrar for the domain,  a Registrar who does not manage the domain, a hosting provider, an ISP, or some other third party that offers DNS management services.

Key Management

As noted in the background paper a core component of DNSSEC is the management of cryptographic keys.  Registrants or DNS Operators need to store the public part of a cryptographic key in a DNS Resource Record, called a DNSKEY, in the zonefile for the domain.  To enable the DNSKEY to be authenticated, a DS (Delegation Signer) Record needs to be generated and added to the Registry.

Currently only authorised .nz Registrars are permitted to add and update information that is held in the Registry.

It is proposed that:

  • Registrants or their DNS Operator will be responsible for generating and managing their keys.
  • Registrants or their DNS Operator will be responsible for generating the DS Record.
  • DS Records will be added to the Registry and maintained only via authorised .nz Registrars.
  • The DS Record will be included in the WHOIS record for signed domain names, if applicable.

One issue relating to key management is whether a DNS Operator generates one DNSKEY that is shared across multiple names, or whether they generate a key per name.  While one shared key simplifies management, if that key is compromised then it affects multiple customers.  The security of the private part of the cryptographic keys is critical to maintaining the integrity of those keys, and they should be protected accordingly.

  • It is proposed that DNS Operators set their own standards relating to DNSKEY management, and that these can be used as a point of difference from other DNS Operators.

Another issue under key management relates to the updating of keys which is referred to as rolling the keys, or a key rollover, and how often this should be performed.

  • It is proposed that Registrants or their DNS Operator be responsible for determining how often they perform key rollovers.

Transferring Signed Names

The transfer of a signed name needs to be managed properly to ensure that the transfer does not result in the domain being unreachable for a period of time due to resolution errors.  Resolution errors can occur when DNSSEC-capable resolvers are unable to verify the information that has been sent to them.

Registrars by their very nature, through having a contract with DNCL, can be required to assist in ensuring that the transfer process is successful.

For Registrars it is proposed that:

  • Changes cannot be made to any details in the same transaction as a transfer, including changes to name servers.
  • The following cooperation and participation will be required by Registrars, when involved in the transfer of a signed domain name, where the Registrant wants to modify DNSSEC related information:
    • The gaining Registrar must provide the new DNSKEY to the losing Registrar.
    • The losing Registrar must add the new DNSKEY to their DNS for the domain name and continue to serve this until they are notified that the change is complete.
    • The gaining Registrar provides the DS Record to the losing Registrar, who then provides it to the Registry.
    • Once the new DNSKEY and DS Record are visible to DNS resolvers then any changes to the name servers can be processed.
    • The name is then transferred.
    • The losing Registrar must remove the domain name from their system when requested, but must not remove it before being requested to do so.
    • The gaining Registrar can then delete the old DNSKEY provided by the losing Registrar.
  • Where a forced bulk transfer is required, signed names will be transferred to a DNSSEC-Capable Registrar.
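
The DS generation described under Key Management, and the transfer step that waits until the new DNSKEY and DS Record are visible, can both be checked mechanically. The Python below is an added example, not part of the consultation paper or any .nz tooling: it derives a SHA-256 DS record from a DNSKEY as specified in RFC 4034 and confirms that a DS matches a key in the served set. The name example.co.nz and both keys are constructed placeholders (the key bytes are not valid curve points).

```python
import hashlib
from dataclasses import dataclass

DIGEST_SHA256 = 2  # DS digest type 2, SHA-256 (RFC 4509)

@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = key-signing key, 256 = zone-signing key
    protocol: int      # always 3
    algorithm: int     # e.g. 13 = ECDSA P-256 with SHA-256
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags | protocol | algorithm | key."""
        head = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
        return head + self.public_key

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str        # hex string

def owner_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root label last."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(key.rdata()):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, key: DNSKEY) -> DS:
    """DS digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).hexdigest().upper()
    return DS(key_tag(key), key.algorithm, DIGEST_SHA256, digest)

def ds_matches(owner: str, ds: DS, served_keys: list) -> bool:
    """True only if some DNSKEY currently served for owner hashes to this DS."""
    if ds.digest_type != DIGEST_SHA256:
        return False  # this sketch handles SHA-256 digests only
    wanted = (ds.key_tag, ds.algorithm, ds.digest.upper())
    return any(
        (c.key_tag, c.algorithm, c.digest) == wanted
        for c in (make_ds(owner, k) for k in served_keys)
    )

# Constructed sample data: the losing side's key and the gaining side's new key.
OLD_KEY = DNSKEY(257, 3, 13, bytes(range(64)))
NEW_KEY = DNSKEY(257, 3, 13, bytes(range(64, 128)))

if __name__ == "__main__":
    new_ds = make_ds("example.co.nz", NEW_KEY)
    # Before the losing side publishes the new DNSKEY, the new DS has no match.
    print("only old key served:", ds_matches("example.co.nz", new_ds, [OLD_KEY]))
    # Once both keys are served, the new DS can safely go to the Registry.
    print("both keys served:   ", ds_matches("example.co.nz", new_ds, [OLD_KEY, NEW_KEY]))
```

A DS that matches no served DNSKEY is the condition that produces the resolution errors the paper warns about, so the check belongs before the DS Record is handed to the Registry and again before the old DNSKEY is deleted.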

Transferring to a Registrar that is not DNSSEC-capable

Registrars will be able to determine whether they become DNSSEC-capable or not.  A signed name can be transferred in to a Registrar that is not DNSSEC-capable and resolution errors should not occur as long as there are no changes to the record.  However if the Registrant wants to modify any DNSSEC related information, such as performing a key rollover, then they will need to transfer to a DNSSEC-capable Registrar.

  • It is proposed that Registrars who are not DNSSEC-capable be required to check if a name is signed before it is transferred in.  If the name is signed then the Registrar will need to notify the Registrant of the implications of transferring in a signed name, and the Registrant will need to confirm the transfer, before the Registrar can initiate it.

DNS Operators who are not Registrars

If a Registrant has elected to delegate their key management to a DNS Operator, then the participation and cooperation of their DNS Operator will also be required. However, as noted above, while DNCL does have contracts with Registrars, there are no contracts with DNS Operators. Registrants need to be aware that DNS Operators cannot be held to account to the .nz policies, and cannot be required to participate and cooperate during transfers.

  • Question: How can the participation and cooperation of DNS Operators be encouraged?

Un-signing a name

Once a name has been signed and the Registrant decides that they no longer require DNSSEC to protect the name, the name needs to be un-signed.  Un-signing a name may result in the domain being unreachable for a period of time due to resolution errors.

  • It is proposed that when a Registrant elects to un-sign a signed name, the Registrar will be required to remove the DS Records as soon as practical to do so.

As the .nz DNSSEC project progresses resources for Registrants and Registrars, such as a FAQ, will be added to the DNCL website.

Comments on the issues identified in this paper and the proposed solutions, should be  sent by email to policies@dnc.org.nz, by fax to (04) 495 2115, or by mail to P O Box 11881, Wellington.  As submissions are received they will be published on the DNC website here.  Submissions should be received by midday on Monday 11 October 2010.

This news release from the Domain Name Commissioner was sourced from:

.NZ Launches IDNs Next Week

Internationalised domain names are coming to the .NZ name space next week with domain names using the macronised vowels ā, ē, ī, ō and ū becoming available as of 10.30 on Monday 26 July 2010. Registrations will be accepted on a first-come, first-served basis.

New Zealand Domain Name Commissioner Debbie Monahan says the launch date for general registrations has been timed to coincide with the start of Māori Language Week, which is significant because, for the first time, New Zealand’s indigenous language, Te Reo Māori, can be correctly represented online.

“Thanks to the successful completion of the global Internationalised Domain Name (IDN) initiative the New Zealand Internet is now more culturally representative.

“The addition of macrons to the .NZ domain name space is a step forward for online identity and the Internet in New Zealand and I encourage those interested in securing a macronised name to take note of the opening of general registrations on 26 July.

“This is the culmination of years of hard work at both local and international levels, and I would like to thank New Zealand’s IDN working group and .NZ Registry Services for their valuable contributions.”

.NZ Domain Names with Macrons Launch on 26 July

.NZ domain names with macrons over the vowels such as ā, ē, ī, ō and ū as used in the written form of the Māori language will become available as of 26 July according to the news release from New Zealand’s Domain Name Commissioner republished below. The launch coincides with Māori Language week 2010.

For more information see below:

.nz Domain Names with macrons; Launching 26 July 2010 [news release]

Registrations of .nz domain names which include macrons over the vowels will begin to be available to everyone on a first-come, first-served basis from 26 July 2010. The launch of this new type of domain name will coincide with Māori Language week 2010, which this year runs from 26 July – 1 August.

The set of characters permitted in .nz Domain Names will be expanded to allow ā, ē, ī, ō and ū to be used.

For the past three months, existing registrants of .nz names have been able to apply for variations of their existing domain names which use the macrons. This application period closed on Tuesday 6 July 2010. Registrants who have applied for a variant of their domain name will have their registration confirmed on 26 July, and should expect to hear from their Registrar about billing for the new variant soon.

After the launch on 26 July 2010, registering a .nz domain name with macrons will take place in the same way as registering any other .nz domain name. You will require the services of a registrar (choose a registrar whose services best meet your needs from all authorised .nz registrars).

What is a macron?

The written form of the Māori language, te reo, uses macrons over vowels to denote an extension of the sound of the vowel. Up until Māori Language week 2010, domain names within the .nz space are not able to include these characters. From then on, it will be possible to have a domain name which accurately reflects one of New Zealand’s official languages, Māori.

The extra characters that can be used are ā, ē, ī, ō and ū.

.NZ Proposed Registering, Managing & Cancelling Policy Amendments

[news release] New Zealand’s Domain Name Commissioner is seeking comments on proposed changes to the Registering, Managing and Cancelling Domain Names (RMC) policy. The proposed changes all relate to the requirements around name servers.

1. Clause 4.2.5

Currently clause 4.2.5 of the RMC policy reads:

4.2.5 Domain names commencing ‘xn--’ are not permitted.

It is proposed that this is amended to:

4.2.5 Domain names must conform to a supported encoding scheme.

Currently the encoding scheme for IDN Applications uses ‘xn--’; however, it is possible that future schemes may differ. The change proposed will allow .nz to keep up with technical developments without having to amend general policies.

2. Clauses 4.3 and 4.4

Currently these clauses read:

4.3 No name servers are required to be configured for a domain name to be registered. Note however, that though none are required for registration, domain names with fewer than two name servers will not be delegated in the DNS. These will be recorded as TXT-only entries and a system-generated comment will be assigned next to these entries.

4.4 Where name servers are configured, registrants are also responsible for ensuring that at least two name servers remain configured and operable. Listed domains that are found to have fewer than two operable name servers at any time will not be delegated in the DNS.

It is proposed that they are amended to:

4.3 Name server data is not required for a domain name to be registered. If valid name server data is provided it will be published in the DNS when delegation is requested.

4.4 Name server data will be validated when provided to ensure that it meets minimum technical and operational criteria to ensure the security, stability and resilience of the DNS.

4.5 Name server data may be revalidated at any time and may be removed from the DNS should the technical and operational criteria not be met.

The changes will allow .nz to validate name server data as appropriate and should enable the overall standard of name server information, and therefore DNS operations, to improve. Details of the supported encoding schemes will be included as part of NZRS’ technical policies.

Comments should be sent by email to policies@dnc.org.nz, by fax to (04) 495 2115, or by mail to P O Box 11881, Wellington. Comments on these proposed changes should be received by Monday, 28 June 2010.

This NZ Domain Name Commissioner news release was sourced from dnc.org.nz/story/proposed-registering-managing-cancelling-policy-amendments

.NZ Consultation Paper on Registrant Search Functionality

[news release] Following a previous public consultation regarding additional search functionality for .nz domain names, it has been agreed by the DNCL Board that limited searches by registrant name should be permitted.

Searches by registrant name will be restricted to:

  • Searches by registrants seeking a list of their own .nz domain names; and
  • Searches that have the sole purpose of supporting a Dispute Resolution Service complaint.

To allow such searches to be introduced, the current WHOIS policy needs to be reviewed. Changes identified to the WHOIS policy include:

  • Including a “Registrant Info Service” search as a service under the WHOIS policy;
  • Defining the restrictions on the Registrant Info Service search;
  • Inserting a new clause outlining the Registrant Info Service including compliance matters;
  • Inserting a new section detailing the process for the Registrant Info Service; and
  • Outlining the information required on the forms to apply for the relevant service.

A marked-up copy of the current WHOIS Policy showing the proposed changes to incorporate a registrant search is available at www.dnc.org.nz/content/Proposed_WHOIS_policy_amendments.pdf.

Comments on the proposed changes to the WHOIS Policy, or on any aspect of the policy, should be sent by email to policies@dnc.org.nz, by fax to (04) 495 2115, or by mail to P O Box 11881, Wellington. As submissions are received they will be published on the DNC website at dnc.org.nz/registrant-search-functionality. Submissions should be received by midday on Monday 6 September 2010.

This news release was sourced from dnc.org.nz/story/consultation-paper-registrant-search-functionality

Limited IDNs to be Introduced in .NZ – Sunrise Launch

A Sunrise Period for the registration of .NZ domain names which include vowels with macrons (ā, ē, ī, ō and ū) has opened, the .NZ Domain Name Commissioner has announced.

The Sunrise Period runs until 6 July and allows any current .NZ domain name registrant to apply for any or all versions of their domain name with macrons.

The domain names with macrons do not need to be linguistically correct – any existing domain name which includes vowels is eligible for registration including macrons. There is no restriction on the number of variants that can be registered, or on the total number of domain names that a registrant can hold.

To apply for a domain name with macrons which matches an existing .NZ name, check the information about these names at www.dnc.org.nz/idns.

Information for registrars

.NZ authorised registrars need to be aware that the Sunrise registration period has launched. All registrars must be able to process registrations for IDNs if requested to after the launch date of 26 July.

During the Sunrise Period the DNC office will collect and collate applications from existing .NZ domain name registrants for domain names which match existing registrations but include macrons. At the conclusion of the Sunrise Period, each registrar will be provided with a list of registrants who will be eligible for IDNs on the launch date.

Registrars will be able to contact those registrants, if desired, prior to the actual registration of the new domain names. Initial registrations will be for a one-month term.

Registrars who automate their renewal systems should be aware of this initial one-month term. Registrars will need to correspond with their customers to ensure that the names are renewed appropriately. Billing for the new domain names is the responsibility of the registrar involved.

At the wholesale level, the names attract the same fee as all other .NZ domain names.
