RPKI and the DNS: protection levels going up, but still lots of room for improvement

40% of all .nl domain names are protected by RPKI

Route hijacks happen on a daily basis and could seriously affect the DNS, because they can cause DNS queries to end up at malicious DNS servers. In this post, we study the deployment of RPKI, a relatively new technology that protects the internet routing system against routing hijacks. We focus on networks that host DNS services and find that 40% of all .nl domain names are protected by RPKI.

This is a guest post by Raoul Linssen for sidnlabs.nl. Raoul is a bachelor student at the University of Twente, the Netherlands, and in this blog he summarises the findings of his bachelor research. Raoul’s mentor was SIDN Labs’ Moritz Müller.

The problem

The Border Gateway Protocol (BGP) makes sure that packets sent from one end of the internet can reach their destination at the other end. That also holds for the DNS: when a recursive resolver wants to know the IP address of a domain name such as example.nl, BGP makes sure that the resolver's query is routed to the corresponding authoritative name server. Now imagine that the query, instead of reaching the authoritative name server for example.nl, is routed elsewhere on the internet. In that case, the query may get lost somewhere in the abyss, preventing the resolver from fetching the IP address, or the query may even be answered by a malicious actor who responds with a wrong IP address. In the first scenario, clients simply can't reach example.nl; in the second scenario, they might be directed to a malicious website.

The solution

That second scenario is not fanciful. Every day, networks on the internet claim that they are the legitimate destination for addresses that they don't own, causing traffic to be misdirected. Most of the time, such routing hijacks happen by accident, but sometimes they are intentional. Domain name registrants can partially mitigate the impact of BGP hijacks by deploying the DNS Security Extensions (DNSSEC). A validating resolver can then verify whether it has really received the right IP address for example.nl, and tell applications not to connect to an address if the associated response can't be verified. However, DNSSEC does not prevent the IP space hijack itself: the query still goes to the wrong place, and at best the resolver notices that the answer is forged. And there is the added problem that DNSSEC signing and validation have not yet been globally adopted. The Resource Public Key Infrastructure (RPKI) is intended to address that situation. With RPKI, the holder of an IP address range can publish a cryptographically verifiable statement, a Route Origin Authorization (ROA), identifying the network (autonomous system) from which they will announce their IP address range and how specific the announced prefixes may be. Routers, which are responsible for transmitting packets between networks on the internet, can take those statements into account when deciding which path to an IP address to trust (route origin validation). If an unauthorised network claims to host an IP address, or announces a more specific prefix than the ROA allows, routers can use the RPKI to detect that the claim is invalid and ignore it. You can find more details in this excellent documentation.
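To make the validation step concrete, here is a small route origin validation routine in the style of RFC 6811. It is an example added to this post, not the study's code or any router vendor's implementation. The ROA payloads (VRPs) and the announcements it checks are constructed from documentation prefixes (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32) and documentation ASNs (AS64496 and up); the three outcomes a router can reach, and the fact that a more-specific prefix beyond the ROA's maxLength is just as invalid as a wrong origin AS, are what the example is meant to show.

```python
"""Route Origin Validation (RFC 6811) against a set of Validated ROA Payloads (VRPs).

Example code added for illustration; it is not the study's program. The VRPs and
announcements below are constructed from documentation prefixes (RFC 5737/3849)
and documentation ASNs (RFC 5398).
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Optional, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class VRP:
    prefix: Net      # the range the ROA covers
    max_length: int  # most specific prefix length the origin may announce
    asn: int         # authorised origin AS (0 means: nobody may originate this)


def vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    net = ip_network(prefix, strict=True)
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)


# Constructed VRPs, standing in for the validated RPKI data a router receives
# from its RPKI validator (relying party software).
VRPS: List[VRP] = [
    vrp("192.0.2.0/24", 64496),          # maxLength defaults to 24: only the /24 itself
    vrp("203.0.113.0/24", 64497, 26),    # origin may also announce /25s and /26s
    vrp("2001:db8::/32", 64496, 48),
]


def validate(announced: str, origin_asn: int, vrps: Iterable[VRP] = VRPS) -> str:
    """Return "valid", "invalid" or "not-found" for one BGP announcement.

    not-found: no ROA covers the announced prefix (RPKI says nothing about it)
    valid:     a covering ROA names this origin AS and allows this prefix length
    invalid:   covered by ROA(s), but origin AS or prefix length does not match
    """
    route = ip_network(announced, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def accept(announced: str, origin_asn: int, vrps: Iterable[VRP] = VRPS) -> bool:
    """Typical validating-router policy: drop invalid, accept valid and not-found."""
    return validate(announced, origin_asn, vrps) != "invalid"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496),     # legitimate announcement
                        ("192.0.2.0/24", 64511),     # another AS claims the prefix
                        ("192.0.2.0/25", 64496),     # right AS, more specific than maxLength
                        ("203.0.113.0/26", 64497),   # within the allowed maxLength
                        ("198.51.100.0/24", 64496),  # no ROA at all
                        ("2001:db8:1::/49", 64496)]:
        print(f"{prefix:18} AS{asn}: {validate(prefix, asn)}")
```

Note that "not-found" is accepted by the policy above: a network that has not published ROAs gains no protection, which is exactly why the rest of this post counts how many name server prefixes are in that state.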

Measuring RPKI deployment

Authoritative name servers that are reachable at IP addresses protected with RPKI are therefore potentially harder to hijack, which in turn also protects the domain names for which they are authoritative. RPKI has gained some traction in the last few years (see Figure 1), but we were especially interested to know whether the networks in which name servers are located are RPKI-protected.

Figure 1. Adoption of RPKI (green line) 2013-2020 (source: https://rpki-monitor.antd.nist.gov/).

In this article, we focus mainly on name servers that are authoritative for .nl domain names, but also on name servers responsible for other top-level domains (TLDs), and on the root name servers. In total, we analysed the name servers of eleven TLDs in our paper. First, we obtained a list of authoritative name servers from the OpenINTEL project, which gave details of the name servers' IP addresses and the number of domain names for which they were authoritative. We then used the API of the Routing Information Service (RIS), provided by RIPE NCC, to check whether the prefixes in which those IP addresses were announced had a valid ROA, i.e. whether the networks hosting them had rolled out RPKI. We automated all the steps described and made the program publicly available. In addition to the procedure outlined above, the program features several other functions for analysing RPKI deployment.

.nl is almost halfway

We find that 47% of name servers authoritative for .nl domain names are located in networks that are protected with RPKI. That is slightly better than the average of 45% across the TLDs we studied, and way better than the figure for authoritative name servers of .com domains (23%). In the DNS, a domain name can have multiple name servers, and a resolver may query any of them. Therefore, a domain name like example.nl is only fully protected if all of its name servers are located in networks that have RPKI deployed. For .nl, that is the case for 41% of domain names; 29% have at least one name server that is protected, and 30% are not protected at all.

Other TLDs and the root lag behind

The DNS is a hierarchical naming system, meaning that protecting only your own name servers is not sufficient. A resolver also relies on the name servers of the TLD and on the root servers when fetching the IP address of a domain like example.nl. The .nl operator (SIDN) has placed two of its three authoritative name servers for .nl in networks that support RPKI. That reflects the general tendency for country-code TLDs to use name servers in protected networks (48% of ccTLD name servers are in such networks). The average over all TLDs is 27%. Out of all TLDs, only 190 have fully protected name servers, with .de (Germany) and .ru (Russia) as leading examples. The root servers, the most crucial name servers in the DNS, have even more catching up to do. Only the K-root servers, which are run by RIPE NCC, are fully protected. That is a concern, because it leaves an attacker free to hijack prefixes of the root and thus capture resolver queries at the top of the resolution chain, for all domain names.

Next steps

We can see that RPKI deployment is increasing, but there is still room for improvement. The fact that many domain names rely on the same authoritative name servers works to our advantage, though. In our research, we found that by deploying RPKI at only three prefixes we could boost RPKI deployment in .com by 16%, protecting 39% of the name servers. For .nl domain names, the top three unprotected prefixes are responsible for 3.7%. At the end of the research, multiple owners of larger unprotected IP spaces were contacted in an effort to persuade them to implement RPKI. One of them signed their IP space (published ROAs) in response to our outreach. SIDN is in touch with its name server provider, asking them to deploy RPKI for the last remaining unprotected .nl name server as well.
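The classification used in the .nl figures above (fully, partially or not protected) and the "which unprotected prefixes give the most leverage" question of this section can be reproduced with a few dozen lines. The following example is added here and is not the study's published program: it assumes the name server list and the per-prefix RPKI status (the "valid"/"invalid"/"unknown" states the RIPE RIS API reports for a route) have already been fetched, and stands in constructed data with documentation prefixes and invented host names for them. A name server is counted as protected only if every prefix hosting one of its addresses is RPKI-valid; an "invalid" route is treated as unprotected, since its ROA disagrees with what is actually being announced.

```python
"""Classify domains by the RPKI status of the prefixes hosting their name servers.

Example code added for illustration, not the study's program. All data below is
constructed: in the real measurement the name server list comes from OpenINTEL
and the route status per prefix from the RIPE RIS API.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Announced prefix -> RPKI validation state of that announcement (constructed).
ROUTES: Dict[str, str] = {
    "192.0.2.0/24": "valid",
    "203.0.113.0/24": "valid",
    "198.51.100.0/24": "unknown",     # announced, but no ROA covers it
    "198.51.100.128/25": "valid",     # more-specific with a matching ROA
    "2001:db8:1::/48": "invalid",     # ROA exists but disagrees with the announcement
}

# Name server host name -> its addresses (constructed, hypothetical names).
NS_ADDRS: Dict[str, List[str]] = {
    "ns1.example-dns.nl": ["192.0.2.53"],
    "ns2.example-dns.nl": ["203.0.113.53"],
    "ns.unsigned-hosting.example": ["198.51.100.53"],
    "ns.signed-hosting.example": ["198.51.100.200"],
    "ns6.v6-only.example": ["2001:db8:1::53"],
}

# Domain -> its authoritative name servers (constructed).
DOMAINS: Dict[str, List[str]] = {
    "alpha.nl": ["ns1.example-dns.nl", "ns2.example-dns.nl"],
    "bravo.nl": ["ns1.example-dns.nl", "ns.unsigned-hosting.example"],
    "charlie.nl": ["ns.unsigned-hosting.example"],
    "delta.nl": ["ns1.example-dns.nl", "ns6.v6-only.example"],
    "echo.nl": ["ns.unsigned-hosting.example", "ns6.v6-only.example"],
    "foxtrot.nl": ["ns.signed-hosting.example", "ns2.example-dns.nl"],
    "golf.nl": ["ns2.example-dns.nl"],
}

_NETS = [ip_network(p) for p in ROUTES]


def route_for(addr: str) -> Optional[str]:
    """Longest-prefix match: the announced prefix that actually carries addr."""
    ip = ip_address(addr)
    covering = [n for n in _NETS if n.version == ip.version and ip in n]
    if not covering:
        return None
    return str(max(covering, key=lambda n: n.prefixlen))


def unprotected_prefixes(ns: str) -> Set[str]:
    """Prefixes hosting this name server whose route is not RPKI-valid.
    An empty set means the name server is protected."""
    missing: Set[str] = set()
    for addr in NS_ADDRS[ns]:
        prefix = route_for(addr)
        if prefix is None or ROUTES[prefix] != "valid":
            missing.add(prefix or f"unrouted:{addr}")
    return missing


def classify(domain: str) -> str:
    """'full' if every name server is protected, 'partial' if some, 'none' if none."""
    protected = [not unprotected_prefixes(ns) for ns in DOMAINS[domain]]
    if all(protected):
        return "full"
    return "partial" if any(protected) else "none"


def summary() -> Dict[str, float]:
    """Share of domains (percent, one decimal) in each protection class."""
    counts = Counter(classify(d) for d in DOMAINS)
    total = len(DOMAINS)
    return {k: round(100 * counts[k] / total, 1) for k in ("full", "partial", "none")}


def top_unprotected_prefixes(n: int = 3) -> List[Tuple[str, int, int]]:
    """Rank unprotected prefixes by leverage for outreach.

    Returns (prefix, domains that would become fully protected if this prefix
    alone got a valid ROA, domains that have at least one name server in it).
    """
    completes: Counter = Counter()
    touches: Counter = Counter()
    for nss in DOMAINS.values():
        missing = set().union(*(unprotected_prefixes(ns) for ns in nss))
        for p in missing:
            touches[p] += 1
        if len(missing) == 1:           # this prefix is the only thing in the way
            completes[next(iter(missing))] += 1
    ranked = sorted(touches, key=lambda p: (-completes[p], -touches[p], p))
    return [(p, completes[p], touches[p]) for p in ranked[:n]]


if __name__ == "__main__":
    for d in DOMAINS:
        print(f"{d:12} {classify(d)}")
    print(summary())
    print(top_unprotected_prefixes())
```

The longest-prefix match matters: an address in 198.51.100.128/25 is carried by the more-specific, RPKI-valid announcement even though the covering /24 has no ROA, so deciding protection on the covering /24 alone would undercount. The ranking deliberately counts domains that would flip to "full", not just domains touched, since a domain with two unprotected providers gains nothing from fixing only one.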

The bigger picture

Deploying RPKI on networks is only one part of protecting the DNS from route hijacks. Routers in other networks also need to actually validate announcements against the RPKI and drop the invalid ones, and an initial study shows that there is a lot of work to be done in that regard. Also, if only a domain's name servers are protected, it is still possible to hijack the IP addresses of the underlying service. For example, www.example.nl might point to a web server that is not located in a protected network and is consequently vulnerable to BGP hijacking. We therefore recommend the deployment of RPKI in all networks, not only the ones where DNS components are located. Furthermore, RPKI is only one piece of the puzzle when it comes to secure routing policies. The Mutually Agreed Norms for Routing Security (MANRS) list additional measures that network operators should take to protect their own networks and those of others. Finally, DNSSEC still has an important role to play in domain name protection and should still be deployed.

Download the full paper.