Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

A clear system for publishing vulnerability disclosure policies and contact info

Security.txt standardised as RFC 9116

The text 'security.txt' against a background with code visible.
  • Tuesday 29 November 2022

Publication of RFC 9116 earlier this year has provided organisations with a straightforward means of publishing their vulnerability disclosure policies and contacts details. The system involves the publication of a file called security.txt on the organisation's website, written in a specially developed text format that is readable by both machines and people.

Standardisation is intended to bring order to the existing chaos of scattered and/or outdated policy pages and disclosure channels. Instead, the security.txt file serves as a standard vehicle for communicating current policies and contact info.

Security investigators and white-hat (ethical) hackers can refer to a site's security.txt file to find out what the organisation's disclosure policy is, and who they should approach if they come across a security issue. That in turn helps the detection report recipient – a company from which documents have been stolen and offered for sale on the dark web, for example – to promptly take action to prevent or mitigate harm. If the new system is widely adopted, the availability of security information in a clear and accessible form may also be expected to encourage reporting and thus reduce the number of incidents.

Unfortunately, it is by no means unusual that someone who discovers a vulnerability is unable to find a channel for reporting it, or bring it to anyone's attention. As a result, the discoverer either doesn't bother reporting the matter, or proceeds straight to full disclosure. Hardliners tend to see that as the best way to punish careless organisations or shame them into putting their houses in order.

By contrast, responsible disclosure, now also known as Coordinated Vulnerability Disclosure (CVD), gives organisations opportunity to work with the discloser to investigate the problem, find a solution and roll it out.

As well as the company's disclosure policy and relevant contact information, the security.txt file can include details of any bug bounty programme or alternative financial compensation scheme the organisation may offer.

Portrait photo of Kim van der Veen, project leader for the Digital Trust Center at the Ministry of Economic Affairs and Climate
Kim van der Veen, project leader for the Digital Trust Center at EZK

DTC notification service

Until now, there has been no general consensus on where a disclosure policy should be published. However, the e-mail address security@example.nl has previously been proposed as a universally recognised disclosure channel. Another widely used channel is, of course, the contact information for the domain name, as recorded by the relevant registry (the organisation responsible for managing the top-level domain, e.g. SIDN for .nl).

"For us, and many others, the contact information is the most important thing," says Kim van der Veen, Project Leader at the Ministry of Economic Affairs and Climate Policy's Digital Trust Centre (DTC), which provides advice and tools to help SMEs and others to improve their security.

Last summer, the DTC added a notification service to its support package, through which individual organisations can be proactively contacted about serious system vulnerabilities or tangible threats. "As part of the service, we call companies, warn them about specific cybersecurity threats, and where possible advise them on countermeasures, such as patching software or changing system configurations."

Manual investigation

"The input for disclosures is provided to us by organisations such as the NCSC, which obtain information about targets and victims," continues Van der Veen. "In most cases, we start with nothing more than an IP address. We then use reverse DNS lookup to try to establish what the associated domain name is. Once we've got a domain name, we can go to the website in search of a disclosure channel. If we're lucky, the site provides a general contact number or e-mail address for the organisation. After that, it's just a question of hoping that our warning reaches the right person and gets followed up."

Operating that way, the DTC handled 4,600 reports last year, most provided in the form of a list of IP addresses. However, the approach does mean a lot of manual investigation in situations where rapid action is needed. The information in the security.txt file should therefore be a real boon to the DTC. "Access to the personal data in the Whois database is now controlled, and a service provider or SIDN naturally has to be cautious about sharing a registrant's contact details with us. We've now started discussions with SIDN to explore the possibility of using the Whois to send notifications in situations where no security.txt file is available. However, a lot of the contact information in the Whois is out of date or incorrect, partly because customers can't update their own details. So we really want to encourage everyone to publish at least contact information in their security.txt file."

Campaign

A few weeks ago, the DTC therefore began a campaign [1, 2] to promote the use of security.txt. The campaign involves explaining the basic steps an organisation should take, and making a dedicated information page available to IT service providers, detailing the information fields in the security.txt file.

"Our notification service has now been going just over a year," continues Van der Veen. "For us, the security.txt file has major benefits, but we didn't want to start plugging it until the formal RFC appeared. However, we did work with the NCSC to provide input and feedback during development of the RFC. We pushed for the addition of the standard to the Internet.nl test portal, and we have suggested adding it to the Forum for Standardisation's 'use-or-explain' list. That idea is currently being looked at."

Nevertheless, Van der Veen says that embracing a new RFC is a tense affair. "Government bodies are usually more reactive than proactive, but we're convinced of this standard's potential. And so are many other stakeholders and ambassadors, including SIDN."

The security.txt file format

The information in the security.txt file is structured in a very straightforward way, as a series of text lines, each consisting of a field name and a field value. For example:

Contact: mailto:security@example.nl
Contact: tel:+31-654322345

A total of 8 fields are currently defined. For details, see the RFC specification.

Comment lines can also be included, each prefixed by a hash symbol:

# Comments

Finally, the publisher can end the file with a digital signature (based on OpenPGP).

The security.txt file is published at the following location:

https://example.nl/.well-known/security.txt

For historical reasons, https://example.nl/security.txt is also supported as an alternative location. To prevent the file being tampered with in transit, it can be accessed only using HTTPS.

The RFC also provides a definition for the contents of security.txt in ABNF, a specification from which software (a parser) can be directly derived for automatic processing of the contents.

SIDN's security.txt file

Our security.txt file is available here:

https://www.sidn.nl/.well-known/security.txt

It has been written by Technical Security Officer Melvin Elderman. Notably, a lot of information has been added in the form of comments (which are not machine-readable), suggesting that various fields need adding to the security.txt file format. Elderman is unconcerned, however. "I like the concept, and the idea of publication being standardised. What I think is lacking is anything about the expertise level: security specialists are inclined to produce highly technical reports, on the basis that a vulnerability has to be reproducible. That's all very well for a large organisation with its own IT department and security budget. But you've also got to think about a small shopkeeper, whose only option is to pass reports on to their service provider, which may itself be a small business with limited expertise. But, for now, you can at least put that kind of information in your security.txt file as a comment."

Another point is that the security.txt file can be signed using OpenPGP, but here at SIDN we no longer use OpenPGP. Elderman explains: "We used to have a key pair, but people disclosing vulnerabilities didn't use it. So we switched to offering an S/MIME key for sending us encrypted messages. However, publication of the new standard has pushed us to revive OpenPGP within SOC sooner rather than later."

Your own security.txt file

As explained above, the security.txt format is so simple that it's easy to manually compile your own file. And it's even easier to generate one using this online tool:

https://securitytxt.org/

You can then check that everything's right by visiting the Internet.nl test portal:

https://www.internet.nl/

Although the contact information is the most important thing for the DTC, Elderman emphasises that the underlying process and policy need to be in order as well. "Otherwise, you're creating expectations that you can't fulfil, and you're going to disappoint people. The process doesn't need to be complicated, though. A mailbox that is actually monitored and a policy that says a discloser will get a preliminary response within a week will suffice."

The time isn't yet considered right for financial incentivisation of security.txt support, like the incentivisation of DNSSEC and IPv6 support. Nevertheless, our scans indicate that security.txt is now supported by 61,819 (1.3 per cent) of domains with active websites in the .nl zone. In a few months, SIDN Labs intends to publish a report on the development of security.txt use in the .nl zone.