Built-in security — DNSSEC
The .govt.nz DNS service includes enhanced security with Domain Name System Security Extensions (DNSSEC) for domains using the government name servers managed by the Department of Internal Affairs.
DNSSEC confirms that the IP address returned for a specific domain name (the response) is from an authorised source and has not been tampered with.
DNSSEC makes it far more difficult for hackers to direct users to fraudulent sites by altering DNS responses so the hacker can steal the user's information.
In effect, the DNS Security Extensions attach a set of information called cryptographic signatures to the queries and responses for IP addresses. If your computer detects false or incorrect information then it will reject the response, as it does not contain the signature of the legitimate owner.
The user is kept safe as they have not been duped into entering their personal details into a fraudulent website.
Using DNSSEC requires it to be enabled for both the domain (on the name servers) and the end user (in the browser).
Implementing DNSSEC for your domain
If your .govt.nz domain names are hosted on the government name servers, you do not need to do anything. DNSSEC will be enabled automatically.
Support on own or 3rd party name servers
Support for DNSSEC is at the discretion of name server owners. The Department of Internal Affairs is unable to support DNSSEC on servers other than .govt.nz name servers. We encourage you to consider using the .govt.nz DNS name servers for your .govt.nz domains.
Implementing DNSSEC for your end users
DNSSEC is a relatively new technology and over the next few years we expect DNSSEC implementation to become commonplace. This will include DNSSEC automatically enabled within web browsers.
Currently users can install the DNSSEC/TLSA Validator plugin to achieve this. Supported browsers include: Internet Explorer, Mozilla Firefox, Google Chrome , Opera and Apple Safari.