Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

DNSSEC validation on an Infoblox appliance

DNS operators who configure their own systems usually rely on Linux or a BSD variant in combination with BIND or PowerDNSLink opens in new tab. If BIND named's current DNSSEC functionality isn't enough for you, you can also combine named (or another authoritative name server) with OpenDNSSECLink opens in new tab, a complete solution for automated key management and signing.

AppliancesLink opens in new tab, particularly InfobloxLink opens in new tab appliances, are widely used in large commercial settings. Nearly all Dutch banksLink opens in new tab use them, for example, as do institutions such as Leiden UniversityLink opens in new tab.

If you are already using Infloblox appliances, signing your domains or enabling validation on your (caching) resolvers is in principle very straightforward. Signing involves just a couple of clicks, while validation is enabled by default. Nevertheless, it's important to check the default DNSSEC settings. The system time also has to be synchronised correctly for DNSSEC to work properly.

How to use this article

This article deals with the DNSSEC configuration for a validating resolver running on an Infoblox appliance. The configuration of an Infoblox appliance as an authoritative name server is described in a separate article.

This article has been written by reference to an OVALink opens in new tab image with Infoblox NIOS version 8.2.2, running on VMware ESXiLink opens in new tab version 6.5.0.

The main functionality and options available in each situation are discussed, so that you are able to realise a complete (and, where possible, automated) configuration. For additional details and less-used options, see the Infoblox NIOS 8.2 Administrator GuideLink opens in new tab.

Infoblox DDI appliances

The Trinzic product lineLink opens in new tab by Infoblox is a series of physical and virtual appliancesLink opens in new tab for DNS/DHCP/IPAMLink opens in new tab (DDILink opens in new tab). The system internals are based on Fedora LinuxLink opens in new tab and BINDLink opens in new tab.

This article has been written by reference to an IB-V825Link opens in new tab, a virtual machine (VMLink opens in new tab) with NIOS version 8.2.2 loaded. A virtual evaluation version of such a machine is available from the Infoblox websiteLink opens in new tab.

We strongly advise Infoblox customers with support contracts to upgrade their NIOS software to the latest version before getting to work with DNSSEC.

System time

For DNSSEC to work properly, first you need to make sure that your system time is correctly synchronised. Whereas the traditional DNS protocol used only relative timestamps (TTLsLink opens in new tab), DNSSEC makes use of absolute timestamps. That is necessary because the digital signatures (in the RRSIG records) have absolute validity periods.

Automatic appliance system time synchronisation requires configuration of the NTP serviceLink opens in new tab. The service provides a hierarchical infrastructure for synchronising system clocks (on the basis of UTCLink opens in new tab) over the internet using UDPLink opens in new tab/123. For detailed guidance on configuring Infoblox's built-in NTP server, see the hands-on article on DNSSEC signing on an Infoblox appliance (section 2).

DNSSEC settings

Once you've dealt with the time synchronisation, the next step is to check and, where necessary, adjust the default DNSSEC settings. First, make sure that the EDNS0Link opens in new tab option is enabled. EDNS0 provides an extension to the basic DNS protocol, enabling support for the larger packages and associated flags and fields required for DNSSEC.

To enable EDNS0, go to the 'Data Management' -> 'DNS' tab and select 'Grid DNS Properties' from the Toolbar. Click on 'Toggle Advanced Mode', which will result in a lot of extra tabs appearing. Then open the 'General'/'Advanced' tab. About halfway down, you'll see the option 'Disable EDNS0'. Make sure that EDNS0 is not disabled.

DNSSEC validation

The DNSSEC-specific settings are in the same window, on the 'Basic'/'DNSSEC' tab. By default, support both for DNSSEC in general ('Enable DNSSEC') and for validation in particular ('Enable DNSSEC validation') is enabled.

This setting is used to enable DNSSEC validation for the entire grid. If you want to enable (or disable) validation on a particular Grid Member (typically a caching resolver), you first need to go to the 'Data Management' -> 'DNS' -> 'Members' tab. There you select the server in question and click the 'Edit' icon. Next, in the 'Member DNS Properties' window, you select the 'DNSSEC'/'Basic' tab, where you can overrule the grid-wide settings.

Expired signatures and negative trust anchors

On the same screen, you'll see the option 'Accept expired signatures'. This option should be enabled only in exceptional circumstances, e.g. if your resolver is blocking certain DNS records because the relevant domain's administrator has forgotten to renew the signatures. That usually implies that something has 'gone down', since renewal of the RRSIG records is a high-frequency procedure and therefore automated in most cases. Under such circumstances, you may configure the validating resolver to temporarily accept expired signatures until the problem has been resolved.

Whereas the 'Accept expired signatures' option is used to (temporarily) allow all expired signatures, the 'Negative Trust Anchors' functionality enables you to whitelist particular zones (on a longer-term basis, if necessary). Under 'Negative Trust Anchors', you would typically list zones that have DNSSEC problems — e.g. configuration problems — but that people in your organisation need to access, for an on-line (cloud) application, for example. Zones listed under 'Negative Trust Anchors' are not validated at all.

Trust anchors

Under 'Trust Anchors', you list the domains (and associated public keys) that you trust absolutely. Before the root zone was signed, trust anchor listing was used to explicitly register DNSSEC-enabled top-level domains (TLDs) on validating resolvers. However, now that the root zone and most subordinate TLDs are DNSSEC-enabledLink opens in new tab, it is no longer necessary to anchor such 'islands of trust'. Because the Infoblox appliance doesn't support the RFC 5011 protocolLink opens in new tab, validating resolver operators will need to check that the new public root KSK has indeed been installed and activated on their systems as a trust anchor. If it hasn't, a manual (out-of-band) procedureLink opens in new tab will need to be followed.

Manual installation of KSK-2017

The first step in manual installation of the new trust anchor is to get the public KSKs from IANA's websiteLink opens in new tab. However, before installing the new public key on your resolver as a trust anchor, it's important to verify its authenticity. See the 'Manual installation' section of the article 'Trust anchor installation for new root KSKLink opens in new tab' for details of how to securely fetch and verify the current root keys.

Once you have fetched and verified the new KSK-2017 (key ID 20326), you can add it to your Infoblox grid as an extra trust anchor. To do that, go to the 'Data Management' -> 'DNS' tab and select 'Grid DNS Properties' from the Toolbar. The KSK-2017 can then be added at the bottom of the 'DNSSEC'/'Basic' tab. Strictly speaking, what you are dealing with is merely the hashLink opens in new tab of the public key (similar to the information in a DS record). It is therefore important to use the correct cryptographic settings: KSK-2017 is published as a type-2 (SHA-256) message digest (hash)Link opens in new tab of a public key based on DNSSEC algorithmLink opens in new tab number 8 (RSA/SHA-256).

If the current public root KSK is not yet installed on your system, we strongly advise installing the KSK-2017 trust anchor when you next configure your appliance(s). Infoblox Nederland previously announcedLink opens in new tab that users were being actively informed about installation.

In conclusion

If you have the latest version of NIOS running, configuring DNSSEC validation on an Infoblox appliance should be very straightforward. All you need to do is check the default settings. We therefore strongly recommend upgrading to the latest version before getting to work with DNSSEC. For customers with support contracts, upgrading is free. However, for DNSSEC to work properly, you need to make sure that your system time is correctly synchronised. It is therefore important to begin by configuring the NTP service.

Because the Infoblox software doesn't support the RFC 5011 protocol, the new root KSK-2017 will need to be installed manually as a trust anchor if it isn't yet available on your system. The shortcoming highlighted above can't be disregarded in this context, since we are dealing with a DNS appliance. Such appliancesLink opens in new tab need to be capable of rapid deployment with as little configuration input as possible. Infoblox is a big player on this market, and numerous influential organisations depend on their product.

What's more, the slowest DNSSEC-adoptersLink opens in new tab — mainly the banks and other large organisationsLink opens in new tab — are quite often Infoblox users. Tardy DNSSEC implementation will not help them to make good their deficit.