The .govt.nz domain is managed by the Government Information Services (GIS) group of the Department of Internal Affairs (DIA). GIS serves as official registrar and moderator for .govt.nz domain names.
Operation of the .govt.nz domain name servers and maintenance of zone files are outsourced to an external provider. The provider also hosts and maintains the dns.govt.nz website that Government clients use to request domain names and changes to their zone data. This online application is outdated and lacks desired functionality. Additionally, neither the online tool nor the name servers have kept up with changes in DNS technology.
Much of DIA's function as registrar involves the simple exchange of requests and notifications between Government clients and the external service provider. This requires administrative resources that could be better applied elsewhere. It also forces agencies through a single channel with limited availability.
This presentation describes at a high level how the .govt.nz domain name system works, and planned updates to the features and security of this critical infrastructure.
Other Presentations in This Series
This is one in a set of five presentations by the Digital Engagement team in Internal Affairs (DIA) on projects they are leading across government to improve how Government interacts with people online. The other four presentations are also available on the Web Toolkit:
- Digital Engagement Team Projects: An Introduction - Laura Sommer (Manager Digital Engagement) provides background information and an overview of the projects.
- Redevelopment of newzealand.govt.nz - Jared Gulian (Principal Advisor Digital Engagement) and Nathan Wall (Information Architect) review how the new website will provide all-of-government information based on users needs, with plain English content and features that are easy to understand.
- Domain Integrity Project - Rowan Smith (Senior Advisor Digital Engagement) talks about the current state of agencies’ web presence and creating an environment in which users can interact safely and securely with government online.
- Government Online Engagement Services (GOES) - Nadia Webster (Senior Advisor Digital Engagement), talks about GOES, which will establish an online engagement service to help agencies actively connect with the public, users and other agencies.
Hi, I’m Jason Kiss. And while I work mostly on web standards and accessibility, I’m also responsible for advising on direction for the .govt.nz domain name service. And I’ll talk to you a little bit very briefly about that today. So DNS of course stands for Domain Name System, which is basically just that worldwide network of computers that serves somewhat effectively as a phone book for the internet.
So for example, when you type in a domain name, something like google.co.nz into your web browser, that sends out a request to the DNS asking it to translate that domain name into an IP address of the computer, the web server that’s actually hosting that website. Then your browser knows where to go in order to find that website and access it. So that’s basically all the DNS is.
Most government websites use a .govt.nz domain name. And this not only serves to identify the website as belonging to the New Zealand government, but ideally, engenders that website with some degree of authority and trust. And so all of the things that we’re doing with the DNS programme, you’ll hopefully recognise some of the alignment with the Domain Integrity Project that Rowan was just talking about.
GIS, Government Information Services, we act both as a registrar and a moderator for the .govt.nz domain names. So basically, if you want a government domain name, you ask us. And then we make a decision based on the official moderation policy that exists as to whether or not to approve that domain name. And then once approved and registered, that domain name then gets registered with the name servers. And all of that aspect of things, the technical operational side of things, that gets dealt with by an external vendor that we outsource that activity to.
So the current moderation policy, it identifies what qualifies as a permissible .govt.nz domain name. It also identifies who is eligible to apply for a domain name. And that includes local and central government agencies and various other statutory bodies.
So while the moderation policy does identify some of these criteria, it doesn’t have as much guidance and clarity as it could. And as a result, we get a lot more requests for domain names than we probably should. And what happens then is that when we say no to this or that agency’s request, they very often will go and get a .co.nz or a .org.nz website instead.
And this is not very good for the government online presence as a whole. Not only does it dilute the effectiveness of having the domain in the first place, but it also leads to a proliferation of domain names held by government agencies.
The current operating model, we have a very good working relationship right now with that external vendor. So things work very smoothly as far as that’s concerned.
But the process itself is still a little cumbersome. Basically, GIS acts as an email middle man, if you will, between the agency that wants to make a change to their DNS record and the vendor that then actually makes that change. So we get an email from an agency, we parse it to some degree and negotiate that change with the vendor that makes that change. And then we go back to the agency and tell them that it’s done.
And so we basically act as an intermediary there. But there’s a lot of administrative overhead that’s not required. And so that’s something, as I’ll describe soon, that we’re hoping to change. The other part of acting as that intermediary is that we remove the responsibility over domain names from the agency that owns that domain name.
And then we sort of rest that with DIA. Because we’ve taken over as an intermediary with the vendor to make those changes. A lot of that responsibility leaves the owner of that domain name and that rests with us, which also is not ideal. Finally, the online tool that we currently use to register and manage domain names is rather old, and it lacks a lot of the basic features and functionality that we would like to see. And it also prevents us from actually implementing more current DNS related technologies.
So in 2011, there was a security assessment done on the online tool. And it identified a number of security risks and issues that we needed to address. Last year, we also did a high level overall risk assessment of the whole policy and the operations. And that, as well, identified a good range of risks that we needed to address. And I’m happy to say that at this point, we have since addressed all of those risks. So we’re in a good position right now to move forward to the next step in terms of this redevelopment.
Also last year, based on the sorts of things we were noticing, the issues we were facing as a result of the current moderation policy and the operating model, we hired a company to do a review of those. And that review incorporated interviews with 24 different stakeholders both from within government, but also outside of government, organisations outside of government that are involved in the DNS space. The consultancy performed a scan of different government jurisdictions and spoke with some different government jurisdictions to find out exactly how they manage their domain name space.
And also did a review of current DNS technologies just to see what we could be implementing if we were to upgrade our service. And based on all of those bits of research, we’re now ready to propose a new moderation policy. And it comes with a few major changes, that new moderation policy.
One is that we would very much like to make it mandatory for agencies to have to use a .govt.nz domain name, unless they have a very good reason not to. Another change is that we would like to strengthen that moderation policy with further, more comprehensive guidance clearly outlining how agencies should be thinking about the use of domain names as part of their broader web strategy, and the types of websites they have, how they’re all related, and how can you use domain names to better present that to the public.
In terms of a revised operating model, this too has some changes. While GIS wholly intends to remain moderator of .govt.nz domain names, we do, well, we will be outsourcing all the other registrar activities to a single external vendor. And this will really basically mean that instead of having to go to GIS, an agency will be able to go directly to the online tool of that registrar. And 24/7, when that agency wants to make a change, they’ll be able to do that.
The registrar, the external vendor, also that being their main task in the industry, they’ll be providing access to all the more current DNS technologies, things like IPv6 and DNSSEC. And not to bore you, but DNSSEC is really just a series of security extensions that will enable a user to know that when they go to a website at the domain, for example, ird.govt.nz, they can rest assured that they actually are at the real ird.govt.nz domain, and not some other website that looks like IRD but is actually a totally different website, a phishing scam, for example. So that sort of technology is something else we’ll be able to implement.
And finally, the online tool that the registrar provides will enable us to have a whole bunch more basic reporting and monitoring functionality that we don’t currently have. So all of these changes come with a range of benefits. For agencies, and DIA in particular, it means that we’ll be able to demonstrate some strong ICT leadership just by delivering a more current, fit for purpose service to agencies that will enable them to better use the .govt.nz domain names.
And this, of course, quite obviously in alignment with Results 9 and 10. And at same time, GIS will no longer have anything really to do with the day to day operations of registrar. And so we’ll be able to remove ourselves from all of that administrative overhead, and really focus on moderation of domain name requests.
Other agencies, of course, will just simply have really convenient access to a 24/7 domain name management service that they can get to and make those changes themselves without having to go through a middleman. Access to current DNS features, more current DNS features and technologies will also come along with that. So agencies have been asking about when they’d be able to use IPv6 for example, and that’s something that will be built right into this service.
And also, agencies will rest assured that with security extensions like DNSSEC being implemented, they can rest assured that when a user tries to go to ird.govt, for example, that the users are actually sharing their personal information with the real IRD. And again, that extends to the public. They’ll have just that greater trust that they’re dealing with the actual department on the website that they think they’re on.
And they’ll have an easier time identifying government websites, and also understanding the government domain name space if that is more consistently run, which is something that we’ll be able to do with an updated moderation policy. So right now, we are in the final steps of producing an RFP to go to market. So we hope that will happen in the next month or two. And then all these changes will be implemented before the end of the year.
And that about sums it up, I think. Thanks.