Skip to main content

Built-in security — DNSSEC

The DNS service includes enhanced security with Domain Name System Security Extensions (DNSSEC) for domains using the government name servers managed by the Department of Internal Affairs.

DNSSEC confirms that the IP address returned for a specific domain name — the response — is from an authorised source and hasn’t been tampered with.

DNSSEC makes it far more difficult for hackers to direct users to fraudulent sites by altering DNS responses so the hacker can steal the user’s information.

In effect, the DNS Security Extensions attach a set of information called cryptographic signatures to the queries and responses for IP addresses. If your computer detects false or incorrect information then it will reject the response, as it does not contain the signature of the legitimate owner.

The user is kept safe as they have not been duped into entering their personal details into a fraudulent website.

Using DNSSEC requires it to be enabled for both the domain (on the name servers) and the end user (in the browser).

Implementing DNSSEC for your domain

If your domain names are hosted on the government name servers, you do not need to do anything. DNSSEC will be enabled automatically.

Support on own or 3rd party name servers

Support for DNSSEC is at the discretion of name server owners. The DIA is unable to support DNSSEC on servers other than the government name servers. We encourage you to consider using the government DNS name servers for your domains.

Implementing DNSSEC for your domain

DNSSEC is a relatively new technology and over the next few years we expect DNSSEC implementation to become commonplace. This will include DNSSEC automatically enabled within web browsers.

Currently users can install the DNSSEC/TLSA Validator plugin to achieve this. Supported browsers include: Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Apple Safari.

DNSSEC/TLSA Validator plugin

Detailed information about DNSSEC

Domain Name System Security Extensions — Wikipedia

DNSSEC — New Zealand Registry Services

Tools that show if DNSSEC is enabled for a domain

DNSSEC Tools — Internet Society

DNSSEC Analyzer — Verisign Labs


Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated