Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

ValiBox: DNSSEC validation at home

The .nl zone has more DNSSEC-signed delegations than any other top-level domain. Unfortunately, however, there are still very few validating resolvers in the Netherlands. The ValiBox is our attempt to address that problem and make DNSSEC available to home users.

Although a handful of the big players, such as Google and Comcast, now have their resolvers set up for DNSSEC validation, the number of validating resolvers remains small. In principle, anyone can connect a resolver to a home network and configure it for DNSSEC validation. But that requires DNS and networking expertise that most users simply don't have.

That's the reason for the ValiBox home router software image, based on OpenWRT. If you install a ValiBox device on your home network, it acts as a wi-fi access point with its own local NAT, which supports DNSSEC validation.

ValiBox's DNSSEC validation differs from 'ordinary' DNSSEC validation in one important respect. If a DNSSEC error is detected, the user doesn't receive the standard message saying that the address can't be found. Instead, the user is diverted to a page that explains that an error's been detected and offers the option of temporarily ignoring it. If the user chooses to ignore the error, the domain name is resolved. The approach is similar to that taken with self-signed SSL certificates, which trigger your browser to highlight the situation and ask you whether you want to give temporary approval.

Why (temporarily) ignore a DNSSEC error?

One of the reasons often given for not implementing DNSSEC validation is that problems can arise if the domain name's administrator makes a mistake. For example, if the digital signatures aren't updated in time, the zone will 'disappear' for people who check the signatures, while still being reachable for people who don't. That's because a validator can't easily tell the difference between a DNS man-in-the-middle attack and an innocent error. All the validator sees is that the signatures are invalid.Also, because DNSSEC is backwards compatible with the traditional DNS, the protocol makes no distinction between, say, a lame delegation and a DNSSEC error. Both will result in a validating resolver reporting a server failure ('SERVFAIL').SIDN is working hard to the cut of the number of DNSSEC errors in .nl. For example, we carry out active monitoring and warn registrars when problems are detected. We are currently picking up about five thousand errors a day, out of 2.6 million signed delegations.Although the number of errors is quite small, it can be annoying if a domain is unavailable due to a DNSSEC error. That is one of the reasons why service providers are reluctant to introduce validation. In this phase of DNSSEC's rollout, therefore, the ability to temporarily ignore some errors can be useful. 

How does the ValiBox work?

SIDN Valibox

Some validating resolvers allow the administrator to set Negative Trust Anchors (NTAs). NTAs effectively disable DNSSEC validation for specific zones for defined periods. The thinking behind the functionality is that a person is more likely to be able to tell the difference between an attack and a configuration error, and more able to decide whether, in a given situation, successfully resolving a domain is more important than retaining the protection provided by DNSSEC.The ValiBox makes that functionality available to users, without requiring them to get involved in resolver configuration.Internally, the ValiBox uses a standard OpenWRT image, to which we have made a few refinements. We have created a variant of Unbound, which doesn't return a standard SERVFAIL when a DNSSEC error is detected, but gives the ValiBox's own IP address. The ValiBox runs a web application set up to recognise when a validation error has been detected and give the user the option of setting an NTA. Finally, we've created a simple one-click system for updating the software.

Evaluation

A user test has been performed within SIDN. We built a prototype ValiBox, with simple versions of the software described above. Although it had some known shortcomings, we wanted to find out whether the basic concept was acceptable to users and whether the average user was able to get on with the ValiBox.

We gave twenty staff members GL-Inet devices to try out, with ValiBox software installed. The users ranged from people who knew nothing about network technology to people who were able to get straight to work on system security.The results were generally positive. Fifteen of the twenty users were able to get the system working straight away, without any further help. They were able to visit dnssec-test.sidnlabs.nl and see that the DNSSEC validation was working. Two users couldn't get the ValiBox to work. The other three were unable to find time to try out the prototype.Users did nevertheless highlight a number of shortcomings. Two users received a notification saying that the software was running in ‘permissive mode’. In that mode, DNSSEC validation takes place, but errors are disregarded. One user found that he could no longer control his audio equipment over his home network.We also received feedback highlighting issues that we were already aware of. The NTA management pages weren't properly protected, for example, and one user preferred to disable the NTA option altogether (and simply have normal DNSSEC protection). Our customised version of Unbound wasn't always able to recognise DNSSEC errors and the redirect setup didn't work properly with Safari.

All in all, the test was very useful, providing results that will enable us to take the project forward. For most users, the ValiBox worked as expected, and we believe that the identified issues can be resolved by improving the software.

What next?

First, we'll be working to resolve the main flaws discovered so far. We'll then release the ValiBox software under an open-source licence. After that, we plan to see whether we can refine the features that we've added to Unbound and pass on our work to Unbound's developers. We'll also be looking for possible alternative or additional software for DNSSEC validation and NTA management.

Our ultimate aim is that the ValiBox becomes redundant. We'd like all home routers or maybe even user systems to support DNSSEC validation. There are already a few initiatives in that direction, such as Turris and system resolved. In the meantime, we hope that the ValiBox can help to expedite the rollout of DNSSEC validation.

Keep an eye on our site for the public release of ValiBox!

Article by:

Jelte Janssen

Jelte Jansen

Research engineer