This is an archived notice from 22 July 2019, and should be read in that context.
During the course of tomorrow (Tuesday) morning we will be making some significant changes to the AC.ZA domain. These changes are not expected to be service-affecting for correctly configured sub-domains.
What follows is mostly information for those who wish to understand the details of the change.
Registry & nameserver changes
As announced in May, we have outsourced the technical operations of the AC.ZA DNS registry to Domain Name Services Pty (Ltd) (DNSPL). Over the last month or so we’ve worked to ensure that the new registry provided by DNS accurately mirrors the information in the old registry, and that the resulting DNS zones are semantically identical. This included an extensive audit of the existing registry, during which some erroneous delegations were discovered and corrected.
Tomorrow we will take the old TENET-operated registry out of production and replace it with the new DNSPL-operated registry. During the transition, disa.tenet.ac.za will not answer DNS queries for some time. However, DNS is designed with this in mind and the other secondaries will handle queries while disa is reconfigured. Once it is complete, the change will be visible in the SOA record for AC.ZA, which will begin to reflect zone-ds.registry.net.za in the mname field rather than disa.tenet.ac.za.
We will also introduce three new nameservers (including some additional anycast ones) and take two of the existing nameservers out of production. This change requires re-delegation of AC.ZA by the za Domain Name Authority (zaDNA), and will take place in stages. It may take a couple of days for the re-delegation and the full set of nameserver changes to be completed. However, they have been carefully planned to avoid any nameserver serving out-of-date information during the transition.
WHOIS changes
As part of the registry changes, we have updated the WHOIS interface for AC.ZA to meet ICANN best practices. The old web interface at https://whois.ac.za/ will be redirected to https://www.ac.za/whois, which already allows you to query the underlying WHOIS service in the new registry. Port 43 and RDAP services will become available within the next couple of weeks.
You’ll note that the output of the new WHOIS is heavily redacted, in accordance with ICANN’s current practice statement (which is informed by the GDPR). We’ve requested that some of these fields (most notably, those relating to the Registrant) be un-redacted and expect this to happen within a few days. However, in order to comply with our own privacy legislation, we will continue to redact all personal information except contacts’ names.
Domain Name System Security Extensions (DNSSEC)
The new zone hosted by DNSPL is DNSSEC-signed, and you can expect to see DNSKEY and RRSIG records within AC.ZA from tomorrow. As a trial of DNSSEC, we have already signed the eduroam.ac.za domain and trust anchors for it exist in the version of the AC.ZA zone that will go into production tomorrow. You should be able to see the new DNSSEC delegations at http://dnsviz.net/d/eduroam.ac.za/dnssec/.
If any other AC.ZA registrant would like to publish trust anchors within AC.ZA, please let hostmaster@ know.
Properly signing the AC.ZA zone still requires that we add trust anchors into the ZA domain so that the full chain of trust is established. We will not be requesting zaDNA add the trust anchors yet, as we have not yet completed all of the preparation work required for this. Once we have, we will publish a DNSSEC Policy & Practice Statement at https://www.ac.za/dnssec and ask zaDNA to make the necessary changes to properly secure the zone.
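The chain of trust described above comes down to one check: a DS record published in the parent zone must match a DNSKEY in the child. The sketch below is an added example, not part of the original notice or the registry's tooling; it builds a SHA-256 DS from a DNSKEY (RFC 4034 and RFC 4509) and classifies a delegation, where a signed zone with no DS in its parent is the "island" state AC.ZA is in until zaDNA adds the trust anchors. The owner name, the key bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, algorithm):
    """DS with digest type 2: SHA-256(owner name | DNSKEY RDATA), RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def chain_status(owner, dnskeys, parent_ds):
    """Classify a delegation from the child's DNSKEYs and the parent's DS set."""
    if not dnskeys:
        return "unsigned"
    if not parent_ds:
        return "island"   # signed, but no trust anchor published in the parent
    child = {make_ds(owner, dnskey_rdata(*k), k[2]) for k in dnskeys}
    return "secure" if child & set(parent_ds) else "bogus"

# Constructed sample data: placeholder key bytes, not a real key or zone.
OWNER = "child.example."
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
OTHER = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
DS_FOR_KSK = make_ds(OWNER, dnskey_rdata(*KSK), KSK[2])

if __name__ == "__main__":
    print("no DS in parent:", chain_status(OWNER, [KSK], []))
    print("matching DS:    ", chain_status(OWNER, [KSK], [DS_FOR_KSK]))
    print("DS for old key: ", chain_status(OWNER, [OTHER], [DS_FOR_KSK]))
```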