XXL detection of DNSSEC validation errors

In the period beginning August 2012, a very large number of .nl domain names were secured with DNSSEC in a relatively short space of time. The associated risk of validation errors was an issue that commanded a lot of attention.

No one wanted a repetition of what had happened with the .gov domain. In 2008, the US government had decided that all .gov domains had to be secured with DNSSEC. Perhaps because it wasn't voluntary, the rollout of DNSSEC across .gov involved a significant number of errors. And one of the most frustrating things about DNSSEC errors is that they affect only those that take the trouble to enable validation, while those that are less proactive on security don't have a problem. In other words, errors tend to discourage the adoption of DNSSEC, or at least DNSSEC validation.

The DNSSEC validation monitor

One of the error detection tools that we have been using at SIDN since April 2013 is the DNSSEC Validation Monitor. The Validation Monitor was developed at SIDN Labs and picks up .nl domain names that have failed validation checks by a number of ISPs engaged in DNSSEC validation. It has provided us with valuable feedback about the actual prevalence and types of DNSSEC errors. Via the Validation Monitor, we share information about non-validating domain names with the relevant registrars, enabling them to take corrective action. The system has highlighted software bugs, configuration errors and procedural flaws. Sampling of the thirty thousand domain names that we tested has revealed a fall in the number of errors. Whereas 0.48 per cent of DNSSEC-protected domain names exhibited errors in the latter part of 2012, by early 2014 (about eighteen months later) the figure was down to 0.21 per cent.

Nevertheless, there were a number of points that we wanted to improve, such as the 'granularity' of the Validation Monitor: by no means all errors in the configuration of DNSSEC-protected .nl domain names were being detected. That meant that we couldn't entirely trust the picture we were getting of DNSSEC quality in the .nl zone. One of the causes was that the Validation Monitor was reactive: it reported an error only if one of the affiliated ISPs' clients actually tried to look up the relevant domain name in the DNS.

Validation Monitor XXL: testing all .nl domain names every day

Collaboration with validating ISPs yielded valuable information about the ways errors occur. In some cases, the issues went further than we initially suspected. It became apparent, for example, that a lot of denial-of-existence errors were occurring, even though simultaneous queries about actual resources in the same zone were being fielded without a problem.

Building on the experience gained, the SIDN Labs team has therefore developed a new version of the Validation Monitor. The Validation Monitor XXL, as it is known, features three important improvements:

  1. It automatically and continuously tests all the 2.4 million-plus signed .nl domain names for DNSSEC errors.

  2. Testing is performed every day, meaning that registrars are quickly alerted to any domain name that can't be validated, even if no one has tried to reach the domain in question.

  3. Testing goes down to third-level domain names and beyond.

Findings

The Validation Monitor XXL has now been in use since April of this year. It works well and has received a positive reception from our registrars. It's also apparent to us that the introduction of the XXL version has encouraged registrars to refocus on DNSSEC errors and their correction. That may be because the Validation Monitor XXL flags up more errors than the old version and alerts more registrars.

Figure 1 shows that the number of registrars with validation errors has fallen by more than 28 per cent since the Validation Monitor XXL entered use. The peak around April 2015 is due to the XXL version scanning the entire .nl zone and therefore detecting more validation errors than the old version.

In the latter part of 2012, 0.48 per cent of signed .nl domain names had DNSSEC errors. By early 2014, that figure was down to 0.21 per cent. Together with our registrars, we have since been able to cut it to an average of 0.12 per cent (see Figure 2).

DS record, but no DNSKEY

The most common error is still the presence of a DS record in the .nl zone, when the domain name in question doesn't have (or no longer has) any DNSKEY records. That situation typically arises when a domain name is transferred to a registrar that doesn't support DNSSEC and neither of the two registrars involved in the transfer removes the old DS record from the zone. Two thirds of all DNSSEC errors follow that pattern. Our registration system enables registrars to avoid such errors by opting not to receive key material with incoming transfers. The option is activated with a simple tick box but, despite considerable publicity, not all registrars are aware of it.

Fortunately, progress is being made in many areas. We now hardly ever see outdated RRSIGs, for example. The current average is only about thirty, out of more than 2.4 million signed domain names.

The other errors are quite sporadic and sometimes exotic. For instance, three domain names have RRSIG inception dates in the future and a handful of domain names have rare 'crypto' errors. One sometimes wonders how such errors can occur, since any system administrator should be able to observe and resolve them.

Most of the other third of the errors we see involve denial-of-existence issues. Such errors are 'vague', in the sense that they aren't readily apparent when using tools such as DNSViz. Even Google Public DNS usually validates the names and returns the answers with the AD bit set. It can therefore be difficult to persuade a registrar that anything is actually wrong.
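The error classes described in this section (a DS record in the parent with no or a non-matching DNSKEY in the child, and RRSIGs that are expired or not yet valid) can be checked from a snapshot of the parent's DS set and the child's apex records. The script below is an added example, not SIDN's monitor code; the key material, the name example.nl and the "now" timestamp are constructed, and the key tag and DS digest computations follow RFC 4034.

```python
import hashlib
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, flags, protocol, algorithm, pubkey):
    """DS digest type 2 (SHA-256) over canonical owner name (wire form) + DNSKEY RDATA."""
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + struct.pack("!HBB", flags, protocol, algorithm) + pubkey).hexdigest()

def check_delegation(name, ds_records, dnskeys, rrsigs, now):
    """ds_records: (key_tag, alg, digest_type, digest_hex) from the parent zone;
    dnskeys: (flags, protocol, alg, pubkey_bytes) at the child apex;
    rrsigs: (inception, expiration) as Unix times. Returns a list of error labels."""
    errors = []
    if ds_records and not dnskeys:
        errors.append("DS record, but no DNSKEY")  # the pattern behind two thirds of .nl errors
    elif ds_records and not any(
        dtype == 2 and kalg == alg and key_tag(fl, pr, kalg, pub) == tag
        and ds_digest(name, fl, pr, kalg, pub) == digest.lower()
        for tag, alg, dtype, digest in ds_records for fl, pr, kalg, pub in dnskeys
    ):
        errors.append("DS does not match any DNSKEY")
    for inception, expiration in rrsigs:
        if inception > now:
            errors.append("RRSIG inception in the future")
        if expiration < now:
            errors.append("RRSIG expired")
    return errors

NOW = 1438387200  # constructed "now": 2015-08-01 00:00 UTC
PUB = bytes.fromhex("030100010102030405060708090a0b0c0d0e0f")  # constructed placeholder key bytes
GOOD_KEY = (257, 3, 8, PUB)  # KSK flags, protocol 3, RSASHA256
GOOD_DS = (key_tag(*GOOD_KEY), 8, 2, ds_digest("example.nl", *GOOD_KEY))

def demo(day=86400):
    """Run the cases discussed above against the constructed data."""
    return {
        "ok": check_delegation("example.nl", [GOOD_DS], [GOOD_KEY], [(NOW - day, NOW + 7 * day)], NOW),
        "orphan_ds": check_delegation("example.nl", [GOOD_DS], [], [], NOW),
        "wrong_key": check_delegation("example.nl", [GOOD_DS], [(257, 3, 8, PUB[::-1])], [], NOW),
        "future_sig": check_delegation("example.nl", [GOOD_DS], [GOOD_KEY], [(NOW + day, NOW + 8 * day)], NOW),
    }
```

Denial-of-existence proofs (NSEC/NSEC3 chains) are deliberately left out; they need the full negative response and are where the 'vague' errors above hide.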

Integration with the Registrar Scorecard

We have firm plans to integrate the Validation Monitor XXL with the recently launched Registrar Scorecard. The RS is an SIDN incentive programme, through which registrars can qualify for performance-related rewards. The scheme recognises various performance parameters, such as having a domain name portfolio with a high validation grade. The RS therefore follows on from our DNSSEC incentive programme. Unlike that programme, however, the RS distinguishes between correctly and incorrectly signed domain names.

Conclusion: disincentives for validation (virtually) removed

Although we haven't yet secured our goal of eliminating all errors, the current error level and the downward trend indicate that the Validation Monitor and its XXL successor have proved their worth and that the DNSSEC quality of the .nl zone is highly satisfactory. By way of comparison: a scan of the .com zone in late July 2015 revealed that 7,997 of the 488,800 signed domain names exhibited errors, including 3,996 denial-of-existence errors. That is 1.63 per cent, or thirteen times the proportion in the .nl zone. What’s more, Dutch registrars account for a significant proportion of signed .com domain names and their error-alertness is probably heightened by the information they receive about errors in their .nl portfolio.

Of course, the registrars that provide DNSSEC services deserve much of the credit for the DNSSEC quality of the .nl zone. Our findings show not only that most .nl registrars are very competent, but also that they respond promptly and appropriately to errors flagged up by the Validation Monitor. We believe that this encourages even more registrars to start signing their domain names.

Our main hope is that, together with our registrars, we have greatly reduced the disincentives for DNSSEC validation, and that more ISPs will start offering validation services to their customers.