InternetNZ will begin a DNSSEC Zone Signing Key rollover in our current
standby chain.
This should not affect the active chain used in DNS resolution for .nz.
The status and scheduling will be posted to status.internetnz.nz.
This will consist of two maintenance windows, in each window we will pause
zone distribution to make changes, perform validation, and resume zone
distribution for the following zones:
nz, ac.nz, co.nz, cri.nz, geek.nz, gen.nz, govt.nz, health.nz, iwi.nz,
kiwi.nz, maori.nz, mil.nz, net.nz, org.nz, parliament.nz, and school.nz
The first change window is on the following link:
https://status.internetnz.nz/incidents/6yjnwkgnnkvf
For questions or issues please contact registry(a)internetnz.net.nz, for
updates please subscribe to the IRS Production > Zone Publish component of
status.internetnz.nz
--
Ngā mihi
Felipe Agnelli Barbosa
DNS Specialist
InternetNZ | Ipurangi Aotearoa
We are the home of .nz and we work for an Internet that benefits all of
Aotearoa.
www.internetnz.nz
GPG: 95C1 8BDC EFA7 9CAC 303D 003E A058 2449 D152 8580
Hi Team,
Some know me, some don’t. I’m asking as someone who has been around BGP security/resiliency for a while. We have a risk in the industry that we can all prevent - by deploying the BGP session security tools whenever we configure BGP sessions.
Our Problem: We have ~274,000 BGP sessions open to anyone in the world who wishes to initiate a low-level DDoS attack to disrupt the BGP session.
New Zealand currently has ~470 open BGP sessions.
The Risk: A BGP Session knockdown risk model exists that can target an organization, an ISP, a whole country, or the entire Internet.
Is this a serious risk? About a year ago, I conducted a Shadowserver Ops review with one of the major US broadband companies. I shared with my peers working there that they had ~60 BGP IPv6 sessions open to the risk (no iACLs, no ACL on the device, no control plane protection, no GTSM, etc). They have been part of tabletop exercises where “BGP Flap Storm” was used as one of the plays. Once informed, they resolved the issue within 40 minutes through an emergency ACL deployment.
The ask:
Deploy the basics of BGP Session Security on all your existing BGP Sessions.
Talk to your peers on the other side of the BGP session to fix their BGP Session security (remember, BGP session re-establishment could happen from either side).
Update your processes, procedures, and SCRIPTs to include BGP Session security (one of my theories is that people are using scripts to deploy that are not complete).
If you need a complete breakdown of which routers on your network have their BGP session open, take the simple route and sign up for the Daily Shadowserver reports on your network. They are free for you. I’ve locked down many ISPs’ security risks just by using the Shadowserver reports.
Just go to this link to subscribe: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
Sincerely,
Barry Greene
Old Security Geek
WhatsApp/Signal +1 408 218 4669.
PS - I’m asking this just in New Zealand right now because I live here (now) and wondering if we could knock out this risk …. Or is the potential of a BGP Flap Storm knocking out Telecom something we have to just live with?
Resources to Review
Shadowserver Dashboard Global
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_ra…
Shodan Global BGP Dashboard
https://www.shodan.io/search/report?query=product%3Abgp+port%3A%22179%22&ti…
Advisory to FIRST Community - BGP Port 179 DDoS Risk
Or How to cause unprecedented global chaos this week.
https://docs.google.com/document/d/1oDD5-qlu0rlHUtjNZHKrfdug99ynSXHc2v
dHPktTFH4/edit?usp=sharing
Protecting BGP Sessions - Step-by-Step Guide to Prevent an Easy DDoS
https://docs.google.com/document/d/13GoLbWmeypFerOJCh5Dp4-KcMu4BArXJP33PfYJ…
Shadowserver Report: HIGH: Open BGP Service Report
https://www.shadowserver.org/what-we-do/network-reporting/open-bgp-service-…
Shadowserver Report: MEDIUM: Accessible BGP Service Report
https://www.shadowserver.org/what-we-do/network-reporting/accessible-bgp-se…
InternetNZ will begin a DNSSEC Zone Signing Key rollover in our current
standby chain.
This should not affect the active chain used in DNS resolution for .nz.
The status and scheduling will be posted to status.internetnz.nz.
This will consist of two maintenance windows, in each window we will pause
zone distribution to make changes, perform validation, and resume zone
distribution for the following zones:
nz, ac.nz, co.nz, cri.nz, geek.nz, gen.nz, govt.nz, health.nz, iwi.nz,
kiwi.nz, maori.nz, mil.nz, net.nz, org.nz, parliament.nz, and school.nz
The first change window is on the following link:
https://status.internetnz.nz/incidents/gb1hdqdfh9jn
For questions or issues please contact registry(a)internetnz.net.nz, for
updates please subscribe to the IRS Production > Zone Publish component of
status.internetnz.nz
--
Ngā mihi
Felipe Agnelli Barbosa
DNS Specialist
InternetNZ | Ipurangi Aotearoa
We are the home of .nz and we work for an Internet that benefits all of
Aotearoa.
www.internetnz.nz
GPG: 95C1 8BDC EFA7 9CAC 303D 003E A058 2449 D152 8580
Here is the official call for presentations for next year's conference.
This year we will be accepting in batches on an ongoing basis. This
call will probably be repeated in the New Year to help get any extra
presentations we need.
Richard
**
*NZNOG 2026 Call for Presentations*
*
The NZNOG Trustees invite presentation proposals for the 23rd NZNOG
conference, to be hosted at the Te Pae Christchurch Convention Centre
from 23–27 March 2026.
Conference objective:
The NZNOG conference, workshops and tutorials are an opportunity for
individuals and organisations involved in Internet operations to meet
and share the latest in Internet operations, technologies, practices and
receive high quality training.
The event is unique in New Zealand and attracts technical, skilled
individuals with a genuine interest in Internet operations and
Internetworking technologies.
Submissions on any aspect of networking are welcome however we are
particularly interested in presentations that involve real world
operational experience, particularly in New Zealand.
Conference registration for accepted presenters will be free.
Submit a proposal:
Presenters are invited to submit presentation proposals. Talks will be
reviewed and accepted (or rejected) as they are received. Often we
will have a discussion with a potential presenter to refine the proposed
content and ensure it is appropriate for our audience. We are also
happy to have a chat about your idea before you make a proposal.
Please provide your talk title, a short presenter bio and a description
of the proposed presentation. Description should be no more than one
page long and provide a summary of your networking related subject matter.
Normally presentations are 30 min long, are video streamed live and
slide decks are posted to the NZNOG website. If you want a different
duration or other arrangements please let us know at submission time.
To submit your proposal please e-mail: talks(a)nznog.org
<mailto:talks@nznog.org>
www.nznog.org
*
