DNS
We operate the authoritative DNS infrastructure for .nz and the second-level domains (2LDs) under .nz, such as .co.nz, .org.nz, etc. This infrastructure is necessary to enable .nz domain names to work and consequently has to be available 100% of the time to ensure that there is never a time when .nz domain names cannot be used.
Architectural Principles
To maintain this 100% availability we operate a network of nameservers within NZ and use two international providers of a global network of nameservers. The DNS protocol makes this easier by automatically routing around failure and we enhance that by using a technology called anycast on some nameservers that makes multiple servers appear as one.
This architecture provides both geographical diversity (both nationally and internationally) and topological (network) diversity. The geographical and topological diversity ensures that while some servers may cease to be available at any given time, the routing will allow for continued access to the .nz domain name service, thereby eliminating single points of failure.
In addition to we operate on the principle of ‘genetic diversity’, whereby we deliberately use different hardware, different operating systems and different nameserver software across our entire nameserver provision. This is quite different from normal IT operations where every effort is made to standardise hardware and software to reduce costs, but taking this approach isolates any fault inherent in particular hardware or software to only a segement of our nameservers.
Nameservers
Nameserver | Provider | Location | Type | IP Addresses |
---|---|---|---|---|
ns1.dns.net.nz | InternetNZ | New Zealand | Unicast | 202.46.190.130 / 2001:dce:2000:2::130 |
ns2.dns.net.nz | InternetNZ | New Zealand | Anycast | 202.46.187.130 / 2001:dce:7000:2::130 |
ns3.dns.net.nz | InternetNZ | New Zealand | Anycast | 202.46.188.130 / 2001:dce:d453::53 |
ns4.dns.net.nz | InternetNZ | New Zealand | Anycast | 202.46.189.130 / 2001:dce:d454::53 |
ns5.dns.net.nz | CIRA | Multiple International | Anycast | 185.159.197.130 / 2620:10a:80aa::130 |
ns6.dns.net.nz | CIRA | Multiple International | Anycast | 185.159.198.130 / 2620:10a:80ab::130 |
ns7.dns.net.nz | Netnod | Multiple International | Anycast | 194.146.106.54 / 2001:67c:1010:13::53 |
DNS Monitoring
All our nameservers are locally and remotely monitored and we capture, aggregate and analyse traffic across them to understand their response characteristics and the characteristics of how clients use them.
DNSMON
External monitoring results of the performance of the .nz secondary name servers is available from the RIPE NCC DNS Monitoring Service (DNSMON). DNSMON provides a comprehensive, objective and up-to-date overview of the quality of the service provided by the .nz secondary name servers. See https://atlas.ripe.net/dnsmon
WAND AMP
A number of our servers are also monitored through the WAND AMP system of probes.
Internationalised Domain Names (IDN)
The registration of IDNs (internationalised domain names) with macronised vowels which feature in the Māori language, an official language under New Zealand law, is permitted in the .nz name space.
Third level domain names (3LD) are allowed to consist of 26 basic English (Latin) alphabet characters a-z, digits, the ‘-‘ hyphen, and characters ā, ē, ī, ō and ū.
In addition to the extra characters for 3LDs the second level māori.nz (with the ā macron) is provided as a mirror of the maori.nz 2LD using the DNS feature called DNAME. This ensures that all existing and future names registered under maori.nz are duplicated in the DNS under māori.nz.
For additional information please see https://docs.internetnz.nz/features/idn/
Zone data and builds
The .nz zone and second level zones (.co.nz, .org.nz, etc) change throughout the day as new domain names are registered, domain names are cancelled and amendments are made in the SRS database. Accordingly these are built using the SRS database as the authoritative register of domain names at regular intervals.
Currently we update the second level zones every hour with the changes made over the last hour and do a full rebuild once a day. We use multiple techniques to check the integrity of zones before and after they are distributed to the nameservers.
The distribution of zones sees them first being loaded on two hidden primary nameserver that then securely contact the secondary nameservers, who then contact a primary and securely download the zone updates.
What We Publish In Our Zones
The SRS accepts authoritative name server details, for up to 10 nameservers, for any .nz domain name and the details of these nameservers are published in the .nz zones as delegations. There is no requirement that any delegated name servers are within the domain for which they are authoritative and we do not check the nameservers to ensure they are operating or configured correctly.
Glue Records
Where the nameservers for a domain are under the domain name itself then we require the IP addresses (IPv4 and/or IPv6) for the nameservers, to be supplied before we can publish the delegations. These IP address details are generally known as ‘Glue Records’. If registrars provide IPv6 addresses, there MUST be an IPv4 address provided, not just an IPv6 address.
More details are available from the SRS documentation: