DNSSEC-related policy can be found in the following .nz policy:
The following is a summary of the DNSSEC elements contained within the .nz Policies.
.nz Operations and Procedures Policy
The .nz DNSSEC policy is found in the Operations and Procedures Policy.
When registering a new domain name, the registrar will supply the following data:
- Domain name.
- Name server list. (Optional)
- Registrant Name.
- Registrant contact details.
- Registrant Customer ID. (Optional)
- Administrative contact details.
- Technical contact details.
- Billing term.
and, if applicable:
Registrars will be required to maintain the details of the domain names for which they are the registrar. They will be able to amend/update the following fields:
- Name Server List.
- Registrant Name.
- Registrant Contact Details.
- Registrant Customer ID.
- Administrative Contact Details.
- Technical Contact Details.
- Billing Term.
- DS Record List.
In relation to managing DNSSEC signed domain names, Registrants, or their DNS Operator, will be responsible for:
- generating and managing their keys;
- generating the DS Records; and
- determining how often they perform key rollovers.
When a Registrant elects to un-sign a DNSSEC signed name, the Registrar will remove the DS Records for that name as soon as it is practical to do so.
Name Server Updates
Registrants can elect to operate their own domain name system or they can delegate this responsibility to a third party called a ‘DNS Operator’. The DNS Operator could be the Registrar for the domain, a Registrar who does not manage the domain, a hosting provider, an ISP, or some other third party that offers DNS management services.
When a change of DNS Operator for a signed domain name is required and both the current and proposed DNS Operators are Registrars, then the cooperation and participation set out in 9.3 is required.
Domain Names with DNSSEC enabled
Prior to a name server update, the losing DNS Operator must provide the zone information for the domain name when requested to do so, and accept and add the new DNSKEY to the zone for the domain name, re-sign it and continue to serve this until they are notified the change is complete.
The gaining DNS Operator then provides the new DS Record to the losing DNS Operator who provides it to the Registry. The name servers for the domain name can then be updated with the Registry.
Following the name server update, the gaining DNS Operator must delete the old DS Record and DNSKEY provided by the losing DNS Operator.
The losing DNS Operator must remove the domain name from their name servers when requested, but must not remove it before being requested to do so.
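The handover above only stays validatable if, at every step, at least one DS Record held by the Registry matches a DNSKEY the zone is actually serving. The following added example (not part of the .nz policy or any registry tooling) derives SHA-256 DS records from DNSKEY data as described in RFC 4034 and checks that condition for each stage. The zone name, the key bytes and the function names are constructed for illustration, and the check covers DS-to-DNSKEY matching only, not signature validity.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple: (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def handover_check(owner, served_dnskeys, registry_ds):
    """Return (chain_intact, orphan_ds) for one stage of the handover.

    chain_intact: some DS at the Registry matches a served DNSKEY.
    orphan_ds: DS records with no served DNSKEY, which should be removed.
    """
    derived = {make_ds(owner, k) for k in served_dnskeys}
    orphans = sorted(set(registry_ds) - derived)
    return bool(derived & set(registry_ds)), orphans

# Constructed sample data: placeholder zone and fake 64-byte "keys".
ZONE = "signed.example"
OLD_KEY = dnskey_rdata(257, 13, bytes(range(64)))       # losing operator
NEW_KEY = dnskey_rdata(257, 13, bytes(range(64, 128)))  # gaining operator
DS_OLD, DS_NEW = make_ds(ZONE, OLD_KEY), make_ds(ZONE, NEW_KEY)

if __name__ == "__main__":
    stages = [
        ("new DNSKEY added by losing operator", [OLD_KEY, NEW_KEY], [DS_OLD]),
        ("new DS lodged with Registry", [OLD_KEY, NEW_KEY], [DS_OLD, DS_NEW]),
        ("old DNSKEY dropped, old DS still lodged", [NEW_KEY], [DS_OLD, DS_NEW]),
        ("zone removed early (failure case)", [OLD_KEY], [DS_NEW]),
    ]
    for label, keys, ds in stages:
        print(label, handover_check(ZONE, keys, ds))
```

A stage that returns `False` means validating resolvers have no path from the Registry's DS set to the served keys; a non-empty orphan list flags DS Records that should be deleted once the change is complete.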
The Policy has a Clause (13.6) that notes:
- The DNC will establish and maintain a contact repository of DNS Operators who offer DNSSEC services.