Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

Algorithms based on outdated SHA-1 cryptography to be removed from DNSSEC protocol

Users advised to switch to algorithm 13 if possible

Concept for digital security
  • Monday 23 September 2024

The expectation is that the last of the cryptographic algorithms [IANA table] based on the SHA-1 hash function will soon be removed from the DNSSEC protocol. The use of algorithm 5 (RSA/SHA-1) and algorithm 7 (RSASHA1-NSEC3-SHA1) has been discouraged for some time. Now, the intention is to phase out the 2 algorithms altogether.

Phase-out

Removal of the algorithms from the protocol doesn't mean that domain names signed using algorithm 5 or 7 will immediately become insecure. The reason being that resolver software suppliers will have to continue supporting the 2 algorithms as long as they remain in active use. However, they will have the option of rejecting DNS records signed using SHA-1-based algorithms as unsupported. Although the current Draft isn't explicit on the matter, we believe that the latter option has been added in anticipation of a future scenario where the use of SHA-1-based algorithms has dwindled to a negligible level. It may also be that DNS software vendors are ultimately obliged to withdraw support for the SHA-1 algorithm, for the simple reason that the cryptographic libraries underpinning their software cease to support the use of SHA-1 for digital signatures.

Nevertheless, authoritative name server operators are being told in no uncertain terms that they should stop using the 2 algorithms for signing their records. Any operators who are currently still using those algorithms will have to switch to more modern, stronger alternatives as soon as possible.

Deprecated

The SHA-1 hash function was deprecated by NIST for use in digital signatures back in 2011. Its use for DNSSEC has also been officially discouraged since the publication of RFC 8624 in June 2019. That document labelled algorithms 5 and 7 as 'NOT RECOMMENDED'. The move left algorithm 8 (RSA/SHA-256) and algorithm 13 (ECDSA Curve P-256 with SHA-256) as the only 2 algorithms that can currently be used to sign domain names (labelled 'MUST').

After the big 'chosen-prefix collision' attack on SHA-1 in 2020 [1, 2], software developer Tony Finch translated the hack into an attack on DNSSEC-signed records [1, 2, 3]. That led ICANN to urge DNS operators in general – and 250 TLD operators who were still using SHA-1-based algorithms in particular – to migrate to a stronger algorithm as a matter of urgency [1, 2]. In a later publication, Finch emphasised that a real attack using his method was unlikely in the near future, because attackers had easier options. He continues to advise migrating away from SHA-1 at the earliest opportunity, but says that the use of SHA-1-based algorithms remains acceptable for the time being [1].

Algorithm 13

Algorithms 8 and 13 both use the SHA-256 hash function – a member of the SHA-2 family. Although SHA-2 supersedes SHA-1, use of the latter for digital signatures remains acceptable for the time being.

The difference between algorithm 8 and algorithm 13 is that the latter uses ECDSA as its public key protocol, which has significant advantages in the context of DNSSEC. Although an ECDSA signature takes longer to validate, signing is much faster with ECDSA, and ECDSA-based signatures are relatively small. Signature size is important in relation to the transport of DNS responses and for preventing DDoS/amplification attacks.

We have supported the use of algorithm 13 (and algorithm 14) for signing .nl domains since 2016. Last summer, we also migrated the .nl top-level domain itself from algorithm 8 to algorithm 13.

Outdated and insecure

Statistics compiled by SIDN Labs show that more than 40 per cent of DNSSEC-enabled domain names in the .nl zone are still signed using algorithm 8. We advise the registrants/operators of the domain names in question to migrate to algorithm 13 before too long. That advice applies equally to the 0.09 per cent who are using algorithm 10 (RSA/SHA-512, a stronger variant of algorithm 8).

Click on the image to enlarge it.

Graph showing the DNSSEC algorithms used as of 20240826
https://images.ctfassets.net/yj8364fopk6s/UfHHqBQoapqMtaaGmzGvq/fb08db89265df917e7bca30c2ecdb36b/stats.sidnlabs.nl-DNSSECalgorithms-20240826.png

3,200 domain names require urgent action

In relative terms, the proportion of domain names that still rely on seriously outdated and weakened algorithms is very small. Only 0.001, 0.02 and 0.06 per cent of DNSSEC-enabled domain names are signed using algorithms 3, 5 and 7, respectively. In absolute terms, 3,200 domain names are involved. The registrants of those domain names really should switch as soon as possible to a stronger algorithm – preferably algorithm 13, of course.

We have regarded algorithms 3, 5 and 7 as outdated for quite a long time, and domain names signed using those 3 algorithms therefore no longer count in the context of our registrar incentive scheme. Since the second half of 2023, DNSSEC support has been required in order to qualify for any of our financial incentives aimed at other security standards and quality parameters. The minimum level of DNSSEC support currently required for qualification is 20 per cent of the registrar's domain name portfolio. That percentage is reviewed annually with a view to possibly increasing it. Our experience is that incentives are an effective way to drive change, so we may exclude domain names signed with algorithms 8 and 10 from registrars' DNSSEC scores at some stage in the future.

SHA-1 in DS records

Finally, a few words about the use of SHA-1 in the DS record, which links signed zones at various levels collectively to a complete cryptographic chain of trust. In that context too, migration from SHA-1 (DS algorithm 1) to SHA-256 (algorithm 2) is recommended [1].

However, where domain names in the .nl zone are concerned, registrants don't need to do anything, because we don't ask registrants to provide DS records. Instead, we ask for DNSKEY records, from which we generate DS records ourselves, and have always done so using SHA-256.