<div dir="ltr"><div>Kia ora koutou,<br><br>InternetNZ is beginning its return to routine DNSSEC operations.<br>Starting on 15-07-2024(NZST), we will begin our improved process, which<br>incorporates changes from internal and external reviews following the<br>DNSSEC incident in May 2023.<br><br>This will consist of four short maintenance windows, in which we will<br>pause zone distribution to make changes, perform validation, and<br>resume zone distribution.<br>The status and scheduling will be posted to <a href="http://status.internetnz.nz/" rel="noreferrer" target="_blank">status.internetnz.nz</a>. To<br>be notified, subscribe to IRS Production > Zone Publish<br><br>Window 1<br>We will change the DS TTL in DNSSEC policy for the standby chain of<br>second level domains.<br>This change addresses the issues encountered in May 2023.<br><br>Window 2<br>We will perform a KSK rollover on the standby DNSSEC chain for nz,<br><a href="http://ac.nz/" rel="noreferrer" target="_blank">ac.nz</a>, <a href="http://co.nz/" rel="noreferrer" target="_blank">co.nz</a>, <a href="http://net.nz/" rel="noreferrer" target="_blank">net.nz</a>, <a href="http://gen.nz/" rel="noreferrer" target="_blank">gen.nz</a>, <a href="http://org.nz/" rel="noreferrer" target="_blank">org.nz</a>, <a href="http://govt.nz/" rel="noreferrer" target="_blank">govt.nz</a>, <a href="http://parliament.nz/" rel="noreferrer" target="_blank">parliament.nz</a>, <a href="http://geek.nz/" rel="noreferrer" target="_blank">geek.nz</a>,<br><a href="http://school.nz/" rel="noreferrer" target="_blank">school.nz</a>, <a href="http://kiwi.nz/" rel="noreferrer" target="_blank">kiwi.nz</a>, <a href="http://iwi.nz/" rel="noreferrer" target="_blank">iwi.nz</a>, <a href="http://maori.nz/" rel="noreferrer" target="_blank">maori.nz</a>, <a href="http://cri.nz/" rel="noreferrer" target="_blank">cri.nz</a>, <a href="http://health.nz/" rel="noreferrer" target="_blank">health.nz</a>, and <a href="http://mil.nz/" rel="noreferrer" target="_blank">mil.nz</a><br>This will generate new DNSSEC keys and add them to the standby signing chain.<br><br>Window 3<br>We will mark the keys generated in window 2 as active in the standby<br>DNSSEC chain.<br><br>Window 4<br>Window 4 will occur after the TTL safety period (2xTTL, 2 Days) has<br>lapsed and DNSSEC RRSET validation is possible via both the old keys<br>and new keys.<br>The DNSSEC policies updated in Window 1 with the correct TTL timing<br>will be enforced, this will result in the safe retirement of the old<br>keys and allow us to remove redundant keys from the zones.<br><br>The current standby chain key tags for each zone are as follows:<br>nz: 49157, <a href="http://ac.nz/" rel="noreferrer" target="_blank">ac.nz</a>: 5938, <a href="http://co.nz/" rel="noreferrer" target="_blank">co.nz</a>: 59176, <a href="http://cri.nz/" rel="noreferrer" target="_blank">cri.nz</a>: 19190, <a href="http://geek.nz/" rel="noreferrer" target="_blank">geek.nz</a>: 7171,<br><a href="http://gen.nz/" rel="noreferrer" target="_blank">gen.nz</a>: 48574, <a href="http://govt.nz/" rel="noreferrer" target="_blank">govt.nz</a>: 18181, <a href="http://health.nz/" rel="noreferrer" target="_blank">health.nz</a>: 33694, <a href="http://iwi.nz/" rel="noreferrer" target="_blank">iwi.nz</a>: 58454,<br><a href="http://kiwi.nz/" rel="noreferrer" target="_blank">kiwi.nz</a>: 47464, <a href="http://maori.nz/" rel="noreferrer" target="_blank">maori.nz</a>: 21689, <a href="http://mil.nz/" rel="noreferrer" target="_blank">mil.nz</a>: 43906, <a href="http://net.nz/" rel="noreferrer" target="_blank">net.nz</a>: 25105, <a href="http://org.nz/" rel="noreferrer" target="_blank">org.nz</a>:<br>24626, <a href="http://parliament.nz/" rel="noreferrer" target="_blank">parliament.nz</a>: 49424, <a href="http://school.nz/" rel="noreferrer" target="_blank">school.nz</a>: 27382<br><br>We would like to emphasise that if you encounter any DNSSEC issues,<br>please report them to us via <a href="mailto:registry@internetnz.net.nz" target="_blank">registry@internetnz.net.nz</a>.<br>We will keep you updated, and provide a summary report at the<br>conclusion of incident-related work.<br></div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><p dir="ltr" style="line-height:1.38;margin-top:10pt;margin-bottom:10pt"><span style="background-color:transparent;font-family:"Work Sans",sans-serif">--</span><br></p><p dir="ltr" style="line-height:1.38;margin-top:10pt;margin-bottom:10pt"><span style="color:rgb(32,32,32);font-family:Helvetica">Ngā mihi </span><span style="background-color:transparent;font-family:"Work Sans",sans-serif"><br></span></p><span style="font-family:"Work Sans",sans-serif;color:rgb(227,28,121);background-color:transparent;font-weight:700;vertical-align:baseline">Felipe Agnelli Barbosa</span><span style="font-family:"Work Sans",sans-serif;color:rgb(227,28,121);background-color:transparent;vertical-align:baseline"><br></span><font face="arial, sans-serif"><span style="background-color:transparent;vertical-align:baseline">DNS Specialist</span><span style="background-color:transparent;vertical-align:baseline"><br></span></font><span style="font-family:"Work Sans",sans-serif;color:rgb(227,28,121);background-color:transparent;font-weight:700;vertical-align:baseline">InternetNZ  |  Ipurangi Aotearoa</span><span style="font-family:"Work Sans",sans-serif;color:rgb(227,28,121);background-color:transparent;vertical-align:baseline"><br></span></span><div><font face="arial, sans-serif"><br style="color:rgb(136,136,136)"></font><span><span style="background-color:transparent;vertical-align:baseline"><font face="arial, sans-serif">We are the home of .nz and we work for an Internet that benefits all of Aotearoa.</font></span><span style="font-family:arial,sans-serif;background-color:transparent;vertical-align:baseline"><br></span><a href="https://www.internetnz.nz/" target="_blank"><span style="font-family:"Work Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline">www.internetnz.nz</span></a></span></div><div><br></div><div><font face="arial, sans-serif"><span style="font-weight:bold;color:rgb(227,28,121)">GPG:</span><span style="color:rgb(136,136,136)"><b> </b></span><font color="#888888">95C1 8BDC EFA7 9CAC 303D  003E A058 2449 D152 8580</font></font></div><div><font face="arial, sans-serif"><font color="#888888"><br></font></font></div><div><div><img width="200" height="65" src="https://ci3.googleusercontent.com/mail-sig/AIorK4w62rXlhPBDGFs_j_i50bJgnX8RAyjCK2vjxqkG1-T4tPr0nluW5zOEllcIkbuOWt1u6bxNZxQ"><br></div></div></div></div></div></div>