Continuing with the DNSSEC deployment schedule detailed in http://nzrs.net.nz/dns/dnssec, on December 9th 2011 at 10:00am the signed version of the .nz zone containing an un-obscured DNSKEY set was published. This effectively enables the validation of DNS data in the .nz zone. Later during the day, after verification, we submitted the DS records to IANA's Root Zone Management.

The DNSKEY set looks like this:

nz. 3600 IN DNSKEY 256 3 8 (
        BAABAAGD+q3p2XDCb6SvAbACB/NPdljxhpBx2O9ZnvF2
        OYb6kViMJ5dgxYDcFtvL5RW31Bc7UDvseoQPUK1wora3
        BtUTylo1xd5PN/lV600mrNGRxfmw77Hen/MXH5GQrjaj
        O+rFP1xce1/jdyvCciJzrYRcPL9p4c/eGoJK3ZMubiu1
        OQ==
        ) ; key id = 27212, ZSK
nz. 3600 IN DNSKEY 257 3 8 (
        BAABAAGwfTiEoh71o6S55+Mdy1qqVRnpKY1VHznrv+wx
        rPfvRGB5VivFFPFN+33fsaTxJQTceOtOna7IKxTffj6p
        bBG4a9vtk2FqF551IwXomKWJnzRVKqYzuAx+Os/5gLIN
        BH7+qRWAkJwCdQXIaJGyGmshkO5Ci5Ex5Cm3EZCeVrie
        0fLI03Ufjuhi6IJ7gLzjEWw84faLIxWHEj8w0UVcXfaI
        2VL0oUC/R+9RaO7BJKv93ZqoZhTOSg9nH51qfubbK6FM
        svOWEyVcUNE6NESYEbuCiUByKfxanvzzYUUCzmm+JwV7
        7Ebj3XZSBnWnA2ylLXQ4+HD84rnqb1SgGXu9HZYn
        ) ; key id = 2517, KSK

The DS records submitted to IANA are:

nz. 3600 IN DS 2517 8 1 cb5f686cb7a500b344e33dbc5ca8183a4e5579ec
nz. 3600 IN DS 2517 8 2 02240b41dfddaeca2d6227d75a3575d5ba2fd07e21577f1c506d98be491d6ff3

When IANA has processed the change request, the process of enabling the trust chain for the .nz zone will be complete.

We advise against using these DS records as a trust anchor. The only valid trust anchor for .nz will be the DS records in the root zone.

Kind Regards,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
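Added example, not part of the original post or of NZRS tooling: a consistency check that recomputes the key tag (RFC 4034 Appendix B) and the DS digests (RFC 4034 section 5.1.4) from the KSK quoted in the announcement and compares them with the DS fields listed there. The function names are illustrative; the check only shows how a DS is derived from a DNSKEY and does not turn these records into a trust anchor.

```python
import base64, hashlib, struct

# KSK (flags 257) public key and DS fields, copied from the announcement above.
KSK_B64 = """
BAABAAGwfTiEoh71o6S55+Mdy1qqVRnpKY1VHznrv+wx
rPfvRGB5VivFFPFN+33fsaTxJQTceOtOna7IKxTffj6p
bBG4a9vtk2FqF551IwXomKWJnzRVKqYzuAx+Os/5gLIN
BH7+qRWAkJwCdQXIaJGyGmshkO5Ci5Ex5Cm3EZCeVrie
0fLI03Ufjuhi6IJ7gLzjEWw84faLIxWHEj8w0UVcXfaI
2VL0oUC/R+9RaO7BJKv93ZqoZhTOSg9nH51qfubbK6FM
svOWEyVcUNE6NESYEbuCiUByKfxanvzzYUUCzmm+JwV7
7Ebj3XZSBnWnA2ylLXQ4+HD84rnqb1SgGXu9HZYn
"""
DS_KEY_TAG = 2517
PUBLISHED_DS = {1: "cb5f686cb7a500b344e33dbc5ca8183a4e5579ec",
                2: "02240b41dfddaeca2d6227d75a3575d5ba2fd07e21577f1c506d98be491d6ff3"}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash function

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire format: flags | protocol | algorithm | public key."""
    key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(name, rdata, digest_type):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name | DNSKEY RDATA)."""
    return DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest()

def check_ds(name, rdata, tag, published):
    """Compare a DNSKEY against published DS fields; returns {check: bool}."""
    result = {"key_tag": key_tag(rdata) == tag}
    for dtype, digest in published.items():
        result[f"digest_type_{dtype}"] = ds_digest(name, rdata, dtype) == digest.lower()
    return result

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, KSK_B64)
    for check, ok in check_ds("nz.", ksk, DS_KEY_TAG, PUBLISHED_DS).items():
        print(f"{check}: {'match' if ok else 'MISMATCH'}")
```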
Well done .nz!

For those that might be interested in watching the DNSSEC rollout from the broad TLD perspective, keep an eye on http://stats.research.icann.org/dns/tld_report/

Cheers
Terry

On 09/12/2011, at 12:27 PM, Sebastian Castro wrote:
> Continuing with the DNSSEC deployment schedule detailed in http://nzrs.net.nz/dns/dnssec, on December 9th 2011 at 10:00am the signed version of the .nz zone containing an un-obscured DNSKEY set was published. This effectively enables the validation of DNS data in the .nz zone. Later during the day, after verification, we submitted the DS records to IANA's Root Zone Management.
>
> The DNSKEY set looks like this:
>
> nz. 3600 IN DNSKEY 256 3 8 (
>         BAABAAGD+q3p2XDCb6SvAbACB/NPdljxhpBx2O9ZnvF2
>         OYb6kViMJ5dgxYDcFtvL5RW31Bc7UDvseoQPUK1wora3
>         BtUTylo1xd5PN/lV600mrNGRxfmw77Hen/MXH5GQrjaj
>         O+rFP1xce1/jdyvCciJzrYRcPL9p4c/eGoJK3ZMubiu1
>         OQ==
>         ) ; key id = 27212, ZSK
> nz. 3600 IN DNSKEY 257 3 8 (
>         BAABAAGwfTiEoh71o6S55+Mdy1qqVRnpKY1VHznrv+wx
>         rPfvRGB5VivFFPFN+33fsaTxJQTceOtOna7IKxTffj6p
>         bBG4a9vtk2FqF551IwXomKWJnzRVKqYzuAx+Os/5gLIN
>         BH7+qRWAkJwCdQXIaJGyGmshkO5Ci5Ex5Cm3EZCeVrie
>         0fLI03Ufjuhi6IJ7gLzjEWw84faLIxWHEj8w0UVcXfaI
>         2VL0oUC/R+9RaO7BJKv93ZqoZhTOSg9nH51qfubbK6FM
>         svOWEyVcUNE6NESYEbuCiUByKfxanvzzYUUCzmm+JwV7
>         7Ebj3XZSBnWnA2ylLXQ4+HD84rnqb1SgGXu9HZYn
>         ) ; key id = 2517, KSK
>
> The DS records submitted to IANA are:
>
> nz. 3600 IN DS 2517 8 1 cb5f686cb7a500b344e33dbc5ca8183a4e5579ec
> nz. 3600 IN DS 2517 8 2 02240b41dfddaeca2d6227d75a3575d5ba2fd07e21577f1c506d98be491d6ff3
>
> When IANA has processed the change request, the process of enabling the trust chain for the .nz zone will be complete.
>
> We advise against using these DS records as a trust anchor. The only valid trust anchor for .nz will be the DS records in the root zone.
>
> Kind Regards,
> --
> Sebastian Castro
> DNS Specialist
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 495 2337
> mobile: +64 21 400535
Well done guys!
A great result. Now to get people to use it =)
Regards,
Dean
On Fri, Dec 9, 2011 at 3:27 PM, Sebastian Castro wrote:
> Continuing with the DNSSEC deployment schedule detailed in http://nzrs.net.nz/dns/dnssec, on December 9th 2011 at 10:00am the signed version of the .nz zone containing an un-obscured DNSKEY set was published. This effectively enables the validation of DNS data in the .nz zone. Later during the day, after verification, we submitted the DS records to IANA's Root Zone Management.
participants (3)
- Dean Pemberton
- Sebastian Castro
- Terry Manderson