Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

Disable advanced features of NSEC3 security technology for DNSSEC

New advice on the 'iterations' and 'salt' parameters

Digital padlock against a binary code background
  • Monday 15 November 2021

NSEC3 was added to DNSSEC to protect signed zones against malicious cataloguing by means of 'zone walking'. However, the security provided by NSEC3 has been overtaken by developments: the mechanism can now be hacked extensively, and the cryptography is not well engineered. A recommendation is therefore being prepared, which will advise no longer using NSEC3's advanced features (extra hash iterations and addition of a salt).

Update: Following the publication of RFC 9276 (BCP 236), including the recommendations referred to in this article, we changed the NSEC3 settings of the .nl zone at the end of 2022. The number of extra iterations for NSEC3 is now set to zero ('0'), and the salt is now blank ('-').

NSEC

NSEC, short for Next Secure, is part of DNSSEC (specified in RFC 4034, section 4). It provides a way of attaching digital signatures to DNS responses regarding non-existent records: what's known in the industry as 'authenticated denial of existence'. The response types that NSEC covers are NXDOMAIN responses (for non-existent domain names) and NODATA responses (for non-existent record types relating to existent domain names). It is, of course, impossible to sign all non-existent domain names, so each NSEC record specifies a range between two existent domain names. If, for example, you ask for the A record for the non-existent name gopher.example.nl, the response is an NSEC record stating that there are no domain names between ftp.example.nl and mail.example.nl. NSEC records are created and signed when you sign your zone (usually roughly doubling the size of the zone file). So, when a validating resolver requests a non-existent host name, it gets back a signed NSEC record for the interval within which the requested name falls. The resolver can therefore be sure that the name doesn't exist. It should be stressed that the mechanism described above is the basic model. As you can read in this article, operators such as Cloudflare have come up with all sorts of clever tricks for generating NSEC3 records for dynamic zones (with DNS responses generated on-the-fly using a database). The problem with NSEC is that it makes it easy to discover all the host names in a zone. By firing off a smart series of non-existent domain name lookups, you can compile a full set (linked list) of a zone's NSEC records, defining all the interval boundaries (i.e. the domain names that do exist). That is often undesirable from a security viewpoint.

NSEC3

NSEC3, defined in RFC 5155, was developed to prevent that kind of 'zone walking' or 'zone enumeration'. The basic principle is that, instead of stating actual domain names in your signed responses, you state their hashes (digitally scrambled versions of the names). A client that asks for a non-existent host name therefore gets back a signed NSEC3 record for the interval between two hashes, within which the hash of the requested host name falls. That involves the zone operator first hashing the zone's NSEC interval boundaries and then sequencing them for signing. A client that validates an NSEC3 record doesn't therefore check the domain name itself, but first generates the domain name's hash and then checks that the hash falls within the NSEC3 record's boundaries. The use of hashes prevents the straightforward compilation of a list of existing domain names. Even with hashes, however, it's possible to discover all the domain names in a zone by using a dictionary table (a table of pre-generated hashes of all common labels). To prevent that as well, a salt is added to each domain name and a number of extra steps (iterations) are added to the hash function. The relevant settings are the same for the whole zone and are recorded in the new NSEC3PARAM record. By regularly changing the salt (simply a random string), you can prevent the compilation of a reusable dictionary table for your zone. For background information about how NSEC and NSEC3 work, and about their history, see RFC 7129.

Best Current Practice

Nevertheless, some aspects of the design and use of NSEC3 are questionable. For one thing, many host names are not secret, such as www, mx1, api, etc. What's more, adding extra hash iterations doesn't make the mechanism fundamentally more secure. It simply means that both hackers and legitimate actors, such as the operators of validating resolvers serving numerous users and the administrators of large signed zones, have to deploy proportionally greater computational power. In most cases, the use of salts also seems unnecessary: hashes are generated from full domain names (FQDN), implying that dictionary tables need to be zone-specific in any case. Moreover, frequent salt rollovers represent a very minor additional challenge for a would-be hacker; in a relatively stable zone, most previously discovered labels will remain valid. With those points in mind, a Best Current Practice (BCP) document entitled 'Guidance for NSEC3 parameter settings' has been drafted. Although the document is yet to be finalised, its basic message will be that domain operators should stop using both the extra iterations and the salt.

No longer implemented

Miek Gieben is a DNSSEC expert, author, prolific DNS software developer and former Technical Advisor at SIDN. During his time in the latter role, he took a close interest in NSEC3 (being, amongst other things, co-author of RFC 7129). Miek endorses the recommendations of the new BCP document. Indeed, he is generally no fan of NSEC3 and has opted to stop implementing NSEC3 in his CoreDNS software.

Miek's main reasons for dropping NSEC3 are that it's complex and no longer provides effective protection against the problem it was developed to prevent. As long ago as 2014, for example, a group of researchers succeeded in mapping two thirds of the NSEC3-secured domains in the .com zone. Using a single graphics processing unit (GPU), it took the researchers just 4.5 days to complete the task.

Our advice: set extra iterations and salt to zero

If you are a domain name registrant or operator and you want to use NSEC3, we advise doing as the new BCP recommends and setting both the extra iterations and the salt to zero. Indeed, it's possible that the use of zero settings may at some stage be added to our DNSSEC incentive scheme. TransIP recently pre-empted the new advice by setting the iterations parameter to zero. The test algorithms used by the Internet.nl portal have also been aligned with the latest recommendations.