Domain name management portal user guide

Introduction

About this section

This section of the guide provides you with an overview of your role and responsibilities as Agency Super User (ASU), including:

• Accessing the Portal
• Choosing and managing your team of Agency Users (AU)
• How to: Log in
• How to: create Agency Users

The remainder of the guide is a full step by step reference to using the Portal.

The latest user guide is always available at digital.govt.nz

DNS Service

This service, provided by the Department of Internal Affairs, is the registration and management of .govt.nz and .parliament.nz internet domain names for central and local government. The service also includes infrastructure for hosting these domain names. It is critical to the functioning of government online information/services.

For more information go to dns.govt.nz

Domain Name Management Portal

The Portal is an easy, efficient and secure way for you and your staff to manage your .govt.nz or .parliament.nz domain names and/or apply for new domain names.

Accessing the Portal

There are two levels of access to the Portal: Agency Super Users (ASU) and Agency Users (AU).

Two-factor authentication (2FA)

The Portal uses two-factor authentication (2FA). This means that prior to making changes, a code is sent to your mobile phone. You will be asked to enter that code back into the Portal in order to continue editing, and so the changes can take effect.

Agency Super Users (ASU)

Your access level is ASU.

Your ASU User Account has been set up by DIA. You (the Agency Super User) are responsible for maintaining your own Contact and User Account details and keeping these up-to-date.

What can you do in the Portal?

You can:

• Create and edit zone data for your .govt.nz and .parliament.nz domain names hosted on the government name servers
• Update registry (WHOIS) data for all your .govt.nz and .parliament.nz domain names
• Submit applications for new .govt.nz and .parliament.nz domain names
• Create Agency Users who can also undertake these tasks

(You may not wish to personally manage the domain names for your agency. If this is the case we recommend you create Agency Users.)

Your responsibilities

Managing Agency Users (AU)

• You can create as many AUs as you like (see page 7 for how to create an Agency User).
  • An AU has the same user permissions as an ASU, except an AU cannot create other users.
• You are responsible for your AU(s)’s access to the Portal.
• You can also create, edit or delete all your Agency User(s)’ account information.
• You are responsible for ensuring that the Contact and User Account details of an AU who leaves the organisation or is no longer required in that role, are deleted

Choosing the right person for the AU role

Generally speaking, an AU should be someone to whom you wish to delegate responsibility for the operational management of your organisation’s domain names. Every organisation is different and so an AU’s exact position may vary.

Agency User(s) could be staff from within your IT security, network infrastructure or web teams, or could be a third party vendor/contractor.

The AU does not have to be an employee of your organization.

The important thing is that the person understands the responsibilities of being an AU and the nature of the DNS system to which they are being given access.

How to add more Agency Super Users (ASUs)

If you need to add more ASUs please contact the Namespace Manager at the Department of Internal Affairs.

We recommend you have two if possible, in order to provide coverage during times of annual/sick leave or other emergency situations.

Choosing the right person for the ASU role

An ASU must be an employee of your organization.

An ASU should be someone within your organisation who holds a position of responsibility, preferably within your IT team. In larger organisations, this could be the team leader for security or networks. In smaller organisations, this may be the IT communications manager or Chief Information Officer.

Every organisation is different and so an ASU’s exact position may vary. The important thing is that this person understands the responsibilities of the ASU and the nature of the DNS system to which they are being given access.

If you do not have access to the Portal, how do you make DNS changes?

Please contact us. We will manually authenticate that the person requesting the change has the authority to do so. In the case of emergency or any other change, the timeliness of our response cannot be guaranteed, which could have a negative impact if emergency DNS changes are required.

Contact and support

Support for using the Domain Name Management Portal

Liverton Security is available 8am to 5pm on business days.

Phone: 0800 536 7999 (NZ only)

The Support Centre can provide you with help using the system, including advice on making DNS changes. There is no charge for this.

Liverton Security will ask for your security question to authenticate your identity. If they can’t authenticate your identity, you’ll be referred to DIA.

Out of hours support

If you need urgent support or manual changes outside of business hours, Liverton Security will charge your organisation directly at an hourly rate of $145 and at a fixed rate of $12 for each change.

General Contact

Contact the Moderator at The Department of Internal Affairs about:

• getting access to the Domain Name Management Portal
• getting a domain name.

Domain Name Service (DNS)

Email: domains@digital.govt.nz

Phone: +64 4 460 2299

Government Information Services

Department of Internal Affairs

PO Box 805

Wellington 6140

New Zealand

How to: Create Agency User (AU) accounts

About this section

This section provides you with detailed steps for creating Agency User accounts including:

• Creating contact records
• Creating User Accounts
• Updating accounts
• Deactivating accounts

Two-factor authentication (2FA)

Reminder: when accessing the User Accounts part of the system, a code will be sent to your mobile phone, and you will be asked to enter that code back into the Portal.

You can create and edit all the account information for your Agency Users.

There are two stages to creating an Agency User (AU) account. The stages must be completed in the following order:

1. Create: Contact
2. Create: User Account

Create: Contact

A Contact record must be created first, before creating a new User Account. The Contact record includes the user’s contact details, such as email address and mobile number.

To do this:

1. Select User Accounts (located under Clients in the left hand menu).
2. Select Authenticate.
3. Follow the prompts to receive the 2FA code required to access User Accounts (you will only be prompted to do so once for this session).
4. Enter the code into the 2FA Code: field and select Submit.
5. You will now be taken to the User Accounts page, where you can see a Contacts tab and a User Accounts tab.

Creating the new contact record

1. Select the Contacts tab.
2. Select the Add Contact button (found below the list of Active Contacts). You will now be taken to the Create Company Contact form (note that “Company” means your organisation).
3. Enter the Agency User details including Position, First Name, Last Name, Email address, Address and City. You must fill in all the fields in the form marked with an asterisk in order to save the contact.
4. Note: Check the details are correct. This is important as the person’s email address will become their user name.
5. Select Create. This completes the Add Contact process.

When you have successfully created a Contact record you will be directed back to the Contacts page. The newly created record will appear in the Active Contacts list.

Create: User Account (Agency User)

A User Account can only be created after you have created the Contact record.

To do this:

1. On the Contacts page, select User Accounts.
   A list of Active Accounts will be displayed. This is where you will create the new User Account.
2. Select Create Account (located below the list of Active Accounts). You will then be redirected to the “Create New Account” page.
3. Select the Contact using the dropdown menu.
4. The New Account form will be automatically completed with the Contact details.
5. Select the User Type (Agency User) from the drop down menu.
6. Once you have completed the form, check the details are correct.
7. Select the Create Account button.
8. A notification email will automatically be sent to the Agency User. The email will include a link to the Domain Name Management Portal and instructions on how to log in for the first time.

Managing User Accounts and Contacts

Updating Contact or User Account information

Agency Users (AU) are responsible for maintaining their own contact information. (You can also create and edit the account information for all your Agency Users).

To update Contact or User Account information:

1. Access Account Details by selecting the name of the Contact or User, on either the Contacts page or User Accounts page.
2. Complete 2FA if required (you will only be prompted to do so once for each session.)
3. Select the name of the Contact or User Account you wish to edit.
4. Change the necessary information.
5. Select Update [Contact] or Update Account [User Account].

Deleting an Agency User Account or Contact

Note: User Account records are not deleted from the system. Instead they are made Inactive.

Deactivate User Accounts

1. Select the User Accounts tab. This will display a list of Active accounts for your agency.
2. Select the relevant account name. This will take you to the Account Details view.
3. Untick the box beside the field labelled Active. This renders the account Inactive (also called Historic)
4. Select Update Account
5. You will see the message ‘User account updated successfully’ above the record.

Deactivate Contacts

Note: Contact records are not deleted from the system. Instead they can be made Historical.

To deactivate a Contact, first you must delete any User Accounts associated with a Contact, then make the Contact record historic.

1. Select the Contacts tab. This will display a list of Active Contacts for your agency.
2. Select the relevant Contact.
3. The Contact’s detailed information form will appear.
4. Change the Contact's status from "active" to "historical.
5. Select the Update button below the form. This completes the deactivation process. Any Contacts made "historical" will appear in the "Historic Contacts" list which appears beneath the "Active Contacts" list.

Managing your domain names

About this section

This section provides you with an overview of the editing and publishing process for managing your domain names, including:

• How to: edit a zone file
• How to: update your WHOIS records
• How to: renew a domain name
• How to: cancel a domain name

To do any of these things:

1. From the left hand menu: select Applications, then Domains
   2FA is not required to access this area but will be required when you make a change to a domain name.

On the Domains page, you will find 4 tabs:

• My Requests – displays the moderation status for all your domains (approved/cancelled/under moderation)
• My Domains – displays a list of all your .govt.nz or .parliament.nz domain names, including those not hosted on the government nameservers. You can edit the WHOIS records for any of these domain names.
• Zones – displays only your domain names which are hosted on the government nameservers. You can edit these zones
• Activity History - displays a list of all changes you make to your domain names and subsequent related activities by other users.

Overview of the zone edit/publish process

The system maintains multiple versions of your zones. These are:

• Live Revision (status = current) – this is the published version which is currently live on the internet
• Draft Revision (status = working) – this is a copy of the Live Revision, automatically renamed to “working” and ready for editing
• Historic Revision (status = old) – this is an older version. If required this version could be “reverted” and used again as a Draft Revision and then published to Live.

Edits to the Zone File are always made using a Draft Revision. This Draft Revision must then be reviewed, saved and submitted.

Editing a Zone File

1. Select the My Domains tab
2. Select the relevant domain name
3. Select the DNS Zone tab. This displays the Live Revision (current)
4. Select Edit.
5. This displays a Draft Revision for you to edit.

Draft Revision of Zone Data

The Draft Revision page displays several editing options including:

• revision history
• review and save changes
• edit TTL
• add new resource records

Revision history: displays all available versions of the zone data, including Live Revision (current), Draft Revision (working), Historic Revision (old).

Review and Save Changes: displays your changes for review prior to submitting them. 2FA is needed to undertake this action.

Default TTL value

The Default TTL (Time To Live) is the amount of time DNS records stay ‘alive’ for. All records use the default TTL, however you can change this manually to use a different value TTL within each individual record.

The TTL is displayed in days, hours, minutes and seconds. However the TTL must be entered as the total number of seconds.

Eg; 3600 = 1hr

Note: you can use shorthand for TTLs. e.g.:

• 5m for 5 minutes
• 1d for 1 day
• 2h for 2 hours.

If abbreviations are not used the number defaults to seconds, e.g. 300 = 300 seconds

DNS Records

The following section describes the types of zone files you can use.

To add a DNS record:

1. From the dropdown menu select the type of record you wish to add e.g. A
2. Select Add New

The Types of records available and their uses are explained below:

A Record

The most common record type. It is used to point a URL e.g. mydomain.govt.nz, to a webserver’s IP address e.g. 22.231.113.64

Note: The light grey text displayed in some fields is the default value that will be used if no information is entered.

Name field: This is the URL you are creating the record for. If no information is entered here, the main domain record will be used.

If you type a subdomain e.g. www, the domain name will be added to it in this format - www.exampledomain.govt.nz.

If you type a full stop after the subdomain, the name will not be added to the front of the domain name. If you type a full stop you must then type the full domain name.

TTL Field: In the example shown, the default TTL of 4 hours will be used unless another value specific to this line item is typed into that field. (For more on editing TTLs see the above section Default TTL value.)

IP Field: Enter the IP address of the server this record will point to, e.g. 255.255.255.255

AAAA Record

Similar to an A record, but it can contain a larger number of individual records. It is used to point a URL e.g. mydomain.govt.nz, to a webserver’s IPv6 address e.g. 2400:1200:1:1:2:2:3:123

AAAA records will eventually replace A records.

Name field: This is the URL you are creating the record for. If no information is entered here, the main domain record will be used.

If you type a subdomain e.g. www the domain name will be added to it in this format - www.exampledomain.govt.nz.

TTL Field: In the example shown, the default TTL of 4 hours will be used unless another value specific to this resource record is typed into that field. (For more on editing TTLs see the above section Default TTL value.)

IP Field: You need to enter the IP address of the server this record is pointing to. It will be in a format such as 2400:1200:1:1:2:2:3:123

SRV - Service Record

These are used to define which server handles a specific service.

SRV Fields are:

srvce.prot.name     ttl     class     rr     pri     weight port     target

• service: the symbolic name of the desired service.
• proto: the transport protocol of the desired service; this is usually either TCP or UDP.
• name: the domain name for which this record is valid. (The domain name will automatically be appended, unless a full stop is used.)
• TTL: standard DNS time-to-live field. Note: you can enter shorthand e.g. 5m for 5 minutes 1d for 1 day and 2h for 2 hours.
• class: standard DNS class field (always set to: IN so this field is not editable)
• priority: the priority of the target host - lower value means more preferred.
• weight: a relative weight for records with the same priority.
• port: the TCP or UDP port on which the service is to be found.
• target: the canonical hostname of the machine providing the service. (The domain name will automatically be appended, unless a full stop is used.)

MX - Mail Exchange Record

This maps a domain’s mail traffic to a specific server using the server’s hostname.

Name field: This is the URL you are creating the record for. If no information is entered here, the main domain record will be used.

If you type a subdomain e.g. www the domain name will be added to it in this format - www.exampledomain.govt.nz.

TTL Field: In the example shown, the default TTL of 4 hours will be used unless another value specific to this line item is typed into that field. (For more on editing TTLs see the above section Default TTL value.)

Pref Field: the priority value of the mail server. A lower value means more preferred.

Your primary mail server should be a low number e.g. 5 or 10

Any back up mail server would be a higher number e.g. 20 or more.

Name Field: The URL of the Mail server.

Note: It’s not possible to point your domain name directly to a Mail Server’s IP address. If you only have an IP address, create an A record first e.g. mail.yourdomain.govt.nz and point that to the IP address. You can then point your MX record at that subdomain.

TXT (includes SPF records)

This is a free text record, originally used as a manual notation record. It is now used in SPF records and to verify ownership of a domain. SPF records define which servers can send mail for a particular domain.

Name field: This is the URL you are creating the record for. If no information is entered here, the main domain record will be used.

If you type a subdomain e.g. www the domain name will be added to it in this format - www.exampledomain.govt.nz.

TTL Field: In the example shown, the default TTL of 4 hours will be used unless another value specific to this line item is typed into that field. (For more on editing TTLs see the above section Default TTL value.)

Text Field: You can type or paste any text as required. Enclose all text, including SPF records, in speech marks e.g. "v=spf1 include:exampledomain.govt.nz-all".

If speech marks are not used, they will be automatically added around each word e.g. "example" "of" "not" "using" "speechmarks".

CNAME

The Canonical Name record makes the domain an alias of another domain.

E.g. CNAME a.govt.nz to b.govt.nz

This means that, when browsing to a.govt.nz you will be taken to the website at b.govt.nz. And when browsing to subdomain.a.govt.nz you see the content of subdomain.b.govt.nz.

Name field: This is the URL you are creating the record for. If no information is entered here, the main domain record will be used.

If you type a subdomain e.g. www the domain name will be added to it in this format - www.exampledomain.govt.nz.

TTL Field: In the example shown, the default TTL of 4 hours will be used unless another value specific to this line item is typed into that field. (For more on editing TTLs see the above section Default TTL value.)

Canonical Name Field: the target URL for this record, e.g. anotherdomain.govt.nz

NS

The Name Server Record defines where the zone data for the domain name is hosted. By default you will have two NS records already created and pointing at the Government Name Servers.

Note: you can point a subdomain to another name server if you wish.

Name field (on the left): This is the URL you are creating the record for. If no information is entered here, the main domain record will be used.

If you type a subdomain e.g. www the domain name will be added to it in this format - www.exampledomain.govt.nz.

TTL Field: In the example shown, the default TTL of 4 hours will be used unless another value specific to this line item is typed into that field. (For more on editing TTLs see the above section Default TTL value.)

Name Field (on the right): this is the URL of the Nameserver you wish to point the subdomain at. The nameserver will host zone data for this subdomain. A subdomain’s nameservers could, in theory, be hosted on the same domain. Therefore the zone’s domain will automatically be appended for you and will display on the end of your text, unless a full stop is used.

Saving Changes

Once you are ready to save all the changes you have made in the Draft Revision:

1. Select Review and Save changes
2. You will be prompted to complete 2FA before being able to proceed with confirming the changes and making them Live.
3. To make the changes Live select Save below the form.
4. Once completed you will see the success message ‘Changes have been saved’.

Revision History

If you need to view an old DNS revision (i.e. earlier) of a domain:

1. From left hand menu select Domains
2. Select the Zones tab
3. Select the domain name you wish to view
4. Select Revision History
5. This displays a list of Live (current), Draft (working), and Historic (old) DNS revisions.

• Live Revision (status = current) – this is the published version of the zone data which is currently published and live on the internet
• Draft Revision (status = working) – this is an editable copy of the Live Revision, automatically given “working” status. It contains any proposed DNS changes not yet made live.
• Historic Revision (status = old) – this is an older version (there can be more than one), and is not in use. If required an old version can be found in Revision History and could be “reverted”. That is, used again as a Draft Revision and then published to Live.

How to: Revert to an Old revision

1. Select View (on the left) for the Old revision version you require
2. Review the settings to ensure they are correct
3. Select Revert
4. This will create a new Draft Revision, with all the settings of the chosen Old revision.
5. Edit the draft as needed, or
6. Make live by selecting Review and Save.

How to: Update your WHOIS Records

From within the Portal you can view and edit all your .govt.nz and parliament.nz domain name contact details, regardless of whether their zones are hosted on the government nameservers.

It is important to ensure that your domains' contact details are correct and up to date. This information appears in the publicly accessible WHOIS record for your domain and can be viewed at dnc.org.nz.

Note: Under the .nz Domain Name Commission's Principles and Responsibilities policy – Section 9, it is a Registrant's responsibility to keep all of their WHOIS information current and accurate.

The email addresses in the WHOIS record could be used to contact you by:

• Digital Certificate companies to verify your “ownership” of the domain
• The Department of Internal Affairs and/or the Domain Name Commission

There are three contacts:

• Registrant contact is the legal 'owner' of the domain. This should be the formal name and contact details for your organisation. We recommend using a regularly monitored generic or group email address.
• Administrative contact is the person or role with the authority to administer the domain, e.g. make/approve changes to the DNS records. We recommend using a regularly monitored generic or group email address.
• Technical Contact is the person or company that manages the nameservers where your zone data are hosted.

To do this:

1. From the left hand menu select Applications/Domains.
   2FA is not required to access this area.
2. Select the My Domains tab
3. Select the relevant domain name. You will be taken to the to the Domain Details page
4. Select Edit.
5. You will be taken to the Contact Details form. This is where you can edit the contact details for your domain name. This information will appear in the publicly accessible WHOIS record for your domain.
6. When you have finished editing, select Submit.

How to: Cancel a domain name

Domain names should be cancelled when they are no longer required.

To do this:

1. From the left hand menu select Applications/Domains.
   2FA is not required to access this area.
2. Select the My Domains tab
3. Select the relevant domain name. You will be taken to the to the Domain Details page
4. Select Cancel. You will be taken to the Cancel Domain page. 2FA will be required before you can continue.
5. After successfully entering your 2FA code, confirm the cancellation of the domain by selecting Confirm.

Note: When a domain is cancelled it will have a status of "Pending Release" for 90 days. After this time, it does not automatically become available for other agencies to use. Another agency will have to apply for the name and provide a sound business case explaining their eligibility to use the name space and the rationale for requiring a name.

How to: Renew a domain name

The Department of Internal Affairs is concerned about the number of individual domain names held by government because of the impact this has on maintenance of the .govt.nz domain name space. Equally important is the effect on and New Zealanders’ ability to find government information. We are encouraging agencies to take a long-term, strategic and user-centred approach to their use of domain names.

While the Department automatically renews all domain names for 12 months on the anniversary of their original registration, the Portal will also prompt you to “Acknowledge Renew”. This is an opportunity for you to consider whether a name is still required or should be cancelled.

“Acknowledge Renew” also provides the Moderator with an overview of which domain names are being actively managed.

The Acknowledge Renew button will only appear one month prior to the domain's expiry. At that time a notification email which will be sent to the Agency Super User.

To Acknowledge Renew the domain:

From within the email, select the link. You will be taken to the Portal renewal page.

Or do the following:

1. From the left hand menu select Applications/Domains.
2. Select the My Domains tab
3. Select the relevant domain name. You will be taken to the to the Domain Details page
4. Select the Acknowledge Renew button.
5. You will be taken to a page where you will finalize your acknowledgement to renew this domain. Select Renew.
6. You will be taken back to the Domain Details tab, where the following message will display, informing you of the successful acknowledgement.

Getting a domain name

About this section

This section provides you with information about applying for a domain name including links to information and resources required to prepare your business case.

Before submitting an application

All domain name applications go through a moderation process.

If you think you need a new .govt.nz domain name, please contact the Moderator via dns.govt.nz/contact-and-support, at the Departmental of Internal Affairs to discuss your requirements and to learn more about the application process.

We will work with you to determine your eligibility and identify options to meet your needs and the needs of your users.

Before submitting your request online, you will be required to prepare a business case.

Submitting your request online, including a downloadable version of the application form questions

Applications need to be submitted online via the Domain Name Management Portal by an Agency User (AU) or Agency Super User (ASU).

Applications will be acknowledged within 1 – 2 working days. Please allow up to 15 working days for the application process.

Approval of applications for names is not automatic or guaranteed. Each decision is made case by case.

Submitting a Domain request

To do this:

1. From the left hand menu: select Applications/Domains. You will be automatically directed to the My Requests tab.
   2FA is not required to access this area.

Check availability

The first step is to check if the domain name you wish to request is available.

To do this:

1. Select Request Domain.
2. On the Check Domain Availability page, enter the domain name you want to apply for. If you require macronized letters, select from the 5 macronized vowels which will appear in a drop down list beneath the name field.
3. Select Check Availability
4. You will be shown two domains, e.g. test500.govt.nz and test500.parliament.nz, if the domain you requested does NOT have macronized letters and IS available.

5. You will be shown 4 domains - 2 with the macronized vowels and 2 without - if the domain you have requested DOES HAVE macronized letters and IS available.

6. Choose the name you wish to apply for by selecting Request Domain.
7. You will be directed to the registration form.

The Registration Form

Follow the on screen instructions to complete the registration form.

Note: you can save your application as a draft. Draft applications are deleted after 14 days.

1. Nameserver information – Use Government nameservers? is ticked by default. Untick this box if you wish to use alternative nameservers. The Edit Nameservers fields will be displayed.
2. Autofill form using an existing Domain - If you have previously requested a .govt.nz domain using the Domain Name Management Portal, and it has been approved, you can use this dropdown menu. This will autofill the form with details from an existing approved domain.
   Note: If this is your first domain request in the Portal, the dropdown menu will be blank until you've completed your first domain request and it is approved.
3. Contact Information – Enter the contact details for Registrant contact and Administrative contact (Technical contact details are only required if you have chosen not to use the Government Nameservers).
   Contact details should be consistent with your agreed WHOIS details. For more information about correct WHOIS details see the section: How to: Update your WHOIS Records.
4. Business Case – All fields are mandatory. Begin by choosing Type of Government from the dropdown menu, and then Type of Domain. Fill out the form by entering the information you have prepared using the downloadable application form questions.
   If you think you need a new .govt.nz domain name, please contact the Moderator at the Departmental of Internal Affairs to discuss your requirements and to learn more about the application process.
5. Terms and Conditions – review the Terms and Conditions and then tick the Accept checkbox.
6. Select Submit