The Department of Internal Affairs (DIA) made the decision to reschedule the upcoming transition of the government Domain Name System (DNS) from 6–7 April to reduce the impact of this change across government.
Like many other agencies, over the past weeks DIA has prioritised its crisis management response to the Christchurch terror attacks. This has included instituting a change freeze to provide maximum system stability while this work is underway. We appreciate other agencies will be in a similar position, and the DNS transition has been rescheduled to provide more space for this work as well as the extended ANZAC Day/Easter break.
The article below has been updated to include the newly scheduled dates in May.
Following the previously announced transition of the government Domain Name System (DNS) to a new provider, more details are now available for agencies to prepare for the change. The DNS system operated by the Department of Internal Affairs underpins all .govt.nz and .parliament.nz domains, so most agencies in central and local government will be affected.
Things to note
The transition to the new system will take place over Monday 27 May and Tuesday 28 May. This is not expected to cause any downtime for DNS resolution and your domains will remain available throughout.
However, there will be a blackout for any DNS changes from 6.00pm on Friday 24 May until 7.00am on Wednesday 29 May. Ensure you plan to make any changes to zone or registrant information hosted by the government DNS system before or after this period.
Following the blackout period all DNS changes will be made via the new domain management portal at dns.digital.govt.nz. From this time, technical support will continue to be available via email at firstname.lastname@example.org, or on the new freephone number 0800 LDNS999 (0800 536 7999). Please note, the existing portal at portal.dns.govt.nz will no longer be available from this date.
Getting ready for the change
What do agencies need to do beforehand?
No action is required by you for the transition of your domains to the new system.
Agencies currently signed up to the DNS management portal will have the opportunity to set up accounts on the new portal ahead of time. The government domain service will reach out to existing agency portal users to set up their account and show them how to on-board other users in their organisation.
This is a good time to choose a new password, and to assess if all of the user accounts attached to your organisation are still current.
Do agencies need to carry out any testing during or after the transition?
Following the transition, the Department of Internal Affairs and Liverton Security will verify that the publicly available DNS information on the new system is identical to the previous one and test the availability of the system from a number of nodes around the world.
However, you may wish to carry out your own testing, particularly for critical services. This might include checking that websites, mail servers and APIs are operating as expected. If you have services you’re concerned about or would like to receive updates during the transition, get in touch by email at email@example.com or by telephone on (04) 460 2299.
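One way an agency could run its own before-and-after check is sketched below. This is an added example, not DIA's or Liverton Security's tooling: it compares two saved snapshots of `dig +noall +answer` output, ignoring TTLs and record order. The zone agency.example, all records shown, and the choice to report NS and SOA changes separately are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample snapshots; agency.example is a placeholder zone.
BEFORE = """\
agency.example.  3600  IN A   192.0.2.10
agency.example.  3600  IN MX  10 mail.agency.example.
agency.example.  3600  IN TXT "v=spf1 mx -all"
agency.example.  86400 IN NS  ns1.old-provider.example.
"""
AFTER = """\
AGENCY.example.  300 IN A   192.0.2.10
agency.example.  300 IN MX  10 mail.agency.example.
agency.example.  300 IN MX  20 backup.agency.example.
agency.example.  300 IN TXT "v=spf1 mx ~all"
agency.example.  300 IN NS  ns1.new-provider.example.
"""

# Assumption: record types that may change with a provider move.
EXPECTED_TO_CHANGE = {"NS", "SOA"}

def parse(snapshot):
    """Return {(owner, type): set(rdata)}; TTLs dropped, owner names lowercased."""
    rrsets = defaultdict(set)
    for line in snapshot.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comments
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rtype = rtype.upper()
        if rtype != "TXT":  # hostnames are case-insensitive, TXT content is not
            rdata = rdata.lower()
        rrsets[(owner.lower(), rtype)].add(rdata)
    return rrsets

def diff(before, after, ignore=EXPECTED_TO_CHANGE):
    """Return (unexpected, expected) lists of (owner, type, removed, added)."""
    old, new = parse(before), parse(after)
    unexpected, expected = [], []
    for key in sorted(set(old) | set(new)):
        removed = old.get(key, set()) - new.get(key, set())
        added = new.get(key, set()) - old.get(key, set())
        if removed or added:
            bucket = expected if key[1] in ignore else unexpected
            bucket.append((key[0], key[1], sorted(removed), sorted(added)))
    return unexpected, expected

if __name__ == "__main__":
    for owner, rtype, removed, added in diff(BEFORE, AFTER)[0]:
        print(f"MISMATCH {owner} {rtype}: removed={removed} added={added}")
```

Any entry in the first returned list is a record set that differs in content rather than only in TTL or ordering, and is worth raising with the government domain service.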
What if I need to make changes during the blackout period?
Please contact the government domain service if you’re impacted by the blackout period to discuss possible workarounds, or to get more details on emergency protocols for changes during the blackout.
How is the new system different?
The processes surrounding domain registration, management and support will remain much the same as now.
Portal users will have to set up a new two-factor authentication method upon their first login, using a token-based app like Google Authenticator instead of SMS. Please note the new management portal will not function in Internet Explorer 11, so you’ll have to use another browser like Chrome, Firefox or Edge.
This new platform will allow for a higher level of security, availability and resilience. The number of name servers will be increased to five, with an increased level of redundancy that will also ensure the management portal is more highly available than before.
New features that will be rolled out include support for new record types, domain-specific permissions for users, and the management and hosting of non-.govt.nz domains. An API for DNS management will also be made available later in the year.
How does this affect security certification?
The Department of Internal Affairs will provide an up-to-date risk position via email prior to the transition, having assessed the new system alongside a number of external parties. An all-of-government security certification process will be in progress at this time and completed shortly after.
The government DNS system is moving to a new provider following the expiration of the current contract. Liverton Security is a New Zealand owned and operated cyber security supplier, and has previously built the core infrastructure for SEEMail for the New Zealand Government. The change will see all current .govt.nz and .parliament.nz domains shift to Liverton Security.
Contact information and links
Government domain service (DIA): (04) 460 2299
Liverton Security technical support: 0800 LDNS999 (0800 536 7999)
Emergency requests during blackout: 027 268 7494
New domain service email address: firstname.lastname@example.org
DNS management portal from 29 May: dns.digital.govt.nz
Information on government DNS: digital.govt.nz/DNS