[cyrnel]

Good summary! Not sure about that conclusion. I don't imagine there are roving bands of these specialized DNS network architects to whom you can magically outsource the operations.

The whole thing just strikes me as the continued under-valuing of this kind of maintenance work. It's not glamorous, you often work for a government/non-profit that pays less, on-call is brutal, and the chronic short-staffing is a pain multiplier. Not exactly the best foundation for an entire country's internet infrastructure to sit atop.

[aussiedude]

But DNSSEC in root zones isn't unique to .nz.

.au, .us, .com, .net, .gov, .io, etc all have the same challenges.

[mcesch]

Outsourcing isn't a panacea. `.au` is outsourced to Identity Digital (formerly Afilias) and they managed to flub their configuration recently too[1].

1. https://www.auda.org.au/statement/au-domain-name-system-upda...

[alfons_foobar]

TLDs, not root zones ;)

The root zone is atop the DNS hierarchy and is usually denoted by a single dot, it contains all the top-level-domains.

[throw0101c]

.ca as well:

> This DNSSEC Practice Statement (“DPS”) is a statement of security practices and provisions made by the Canadian Internet Registration Authority (CIRA). These practices and provisions are applied in conjunction with DNS Security Extensions (DNSSEC) in the Canadian country-code Top Level Domain (ccTLD), .CA.

> This DPS conforms to the template included in RFC 6841 . The approach described here is modelled closely on the corresponding procedures published in a corresponding DNSSEC Policy and Practice Statement published by .SE (The Internet Infrastructure Foundation) for the Swedish top-level domain, whose pioneering work in DNSSEC deployment is acknowledged.

* https://www.cira.ca/en/resources/documents/domains/cira-dnss...

    To provide a means for stakeholders to evaluate the strength and
    security of the DNSSEC chain of trust, an entity operating a DNSSEC-
    enabled zone may publish a DNSSEC Practice Statement (DPS),
    comprising statements describing critical security controls and
    procedures relevant for scrutinizing the trustworthiness of the
    system.  The DPS may also identify any of the DNSSEC Policies (DPs)
    it supports, explaining how it meets their requirements.

* https://datatracker.ietf.org/doc/html/rfc6841