DNSSEC implementation with Infoblox, PowerDNS, BIND and Unbound

Hands-on articles help you do it yourself

Over the last few years, we've published quite a number of 'hands-on' articles about DNSSEC signing on authoritative DNS servers and validation on (caching) resolvers. They're all available from our DNSSEC information centre.


The most commonly cited deterrent to DNSSEC implementation is that it's complicated. Although over time the software has significantly lightened the burden on system administrators, it remains essential to have a good grasp of both the underlying principles and the (new) configuration options. Because our hands-on articles combine background information about the DNSSEC technology with practical advice about implementing DNSSEC with various software packages, we thought it would be helpful to remind you about this valuable resource collection.

Overview

The two tables below list the available articles that deal with, respectively, signing and validation with the most popular DNS software packages. We'll update the various guides from time to time when new versions of the software come out. Following the tables is a list of the various software packages, stating the key features of each. If you are still considering which DNS(SEC) solution to use, you will hopefully find the summary useful.

DNSSEC signing on authoritative servers

| Software | Version | Notes |
| --- | --- | --- |
| Infoblox NIOS | 8.2.2 | OVA image running on VMware ESXi version 6.5.0 |
| BIND named | 9.11/9.12 | Update for version 9.15/9.16 |
| PowerDNS Authoritative Server | 4.1.13 | |

DNSSEC validation on caching resolvers

| Software | Version | Notes |
| --- | --- | --- |
| Unbound and DNSSEC-Trigger | 1.6.6 | Fixes following recent security audit included in version 1.9.5/1.9.6 |
| Infoblox NIOS | 8.2.2 | OVA image running on VMware ESXi version 6.5.0 |
| PowerDNS Recursor | 4.18 | |
| BIND named | 9.11 | |

DNSSEC signing on authoritative servers

  • Infoblox appliance: These ready-to-use systems are popular mainly with large commercial organisations. Signing a zone involves merely clicking a button. However, both times that we looked at this appliance (most recently in summer 2018), we were obliged to conclude that the software was seriously behind the times.

  • BIND named: BIND named is the de facto standard on Linux and other Unix-type systems, and therefore the most widely used DNS server. From version 9.11, key management can also be fully automated. As a result, it's no longer necessary to use custom scripts and cron jobs, or to go over to OpenDNSSEC. Following initial configuration, key pair generation, zone file signing, key rollover and key management can all be handled automatically by the software.

  • PowerDNS Authoritative Server: PowerDNS is a Dutch (open-source) product whose popularity owes much to its support for DNSSEC. When support was introduced, the signing of domains on other authoritative servers was quite cumbersome. By contrast, PowerDNS adopted a flick-the-switch approach from the start. Other distinctive features include scalability and speed. Almost all major internet service providers that wanted to bulk-sign their domains did so using the Authoritative Server. Although the software's architecture is elegant, the extensive nature of the package can mean that it takes a while to become familiar with it.
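To make the "fully automated" signing described for BIND named concrete, here is a constructed named.conf fragment added for this bulletin; it is not taken from the original hands-on article or from ISC's documentation. The zone name and file paths are placeholders. The first form uses the options available from 9.11; the commented second form shows the single dnssec-policy statement that replaces them from 9.16, the version the signing table refers to as the update.

```conf
# Constructed example: automated DNSSEC signing in BIND named 9.11/9.12.
# Zone name and paths are placeholders.
zone "example.com" {
    type master;
    # The unsigned zone file you maintain by hand. named writes the
    # signed copy next to it (example.com.db.signed) and serves that.
    file "example.com.db";
    # Directory holding the KSK/ZSK pairs created with dnssec-keygen
    # (or scheduled for you by dnssec-keymgr, also shipped with 9.11).
    key-directory "/var/named/keys";
    # Sign on load and keep re-signing as records change or RRSIGs age,
    # without touching the unsigned file.
    inline-signing yes;
    # Act on the timing metadata in the key files: publish, activate and
    # retire keys at the scheduled times, so rollovers need no cron jobs.
    auto-dnssec maintain;
};

# Equivalent from BIND 9.16 onward: one statement selects a key and
# signing policy, and named also generates the keys itself.
# zone "example.com" {
#     type master;
#     file "example.com.db";
#     dnssec-policy default;
# };
```

The point to check after a reload is that the signed copy exists and that `rndc signing -list example.com` shows the zone as signed; the DS record for the KSK still has to be published at the parent by you, which neither form automates.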

DNSSEC validation on caching resolvers

  • Unbound and DNSSEC-Trigger: The Unbound validating resolver is another Dutch (open-source) package. If all you need is a validating resolver, Unbound is probably a better option than BIND named, and certainly much better than the stub resolvers supplied with Linux or Windows. The software is compact and fast, and Unbound is now the standard resolver on various Linux distributions, and on FreeBSD and OpenBSD. In combination with DNSSEC-Trigger, Unbound also serves as a very straightforward solution for end-to-end validation for mobile users.

  • Infoblox appliance: If you have a recent version of NIOS running, configuring DNSSEC validation on an Infoblox appliance should be very straightforward. All you need to do is check the default settings. However, we regard this option as useful only to organisations that are already using Infoblox. That is because both times that we looked at this appliance, we were obliged to conclude that the software was seriously behind the times, certainly where DNSSEC was concerned.

  • PowerDNS Recursor: PowerDNS is a Dutch (open-source) product whose popularity owes much to its support for DNSSEC. The Recursor supports DNSSEC validation from version 4.0. Its main difference from the Unbound resolver is that the settings in the configuration file are restricted to familiar server-related matters, whereas the configuration of Unbound involves a long list of options regarding both server-related and DNSSEC/protocol-specific matters. If you want to do more with PowerDNS Recursor, you can load separate start-up/run-time scripts for the built-in Lua engine.

  • BIND named: BIND named can function as an (authoritative) name server and/or as a (caching) resolver. Because the software has developed in step with DNSSEC, the validation functionality it provides depends very much on which version you have, just as the signing functionality does. If all you need is a validating resolver, Unbound is probably a better option.
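The contrast drawn above between PowerDNS Recursor's single server-level switch and Unbound's protocol-level options is easiest to see with the configuration side by side. The fragments below are constructed for this bulletin and are not taken from the hands-on articles or from the projects' own documentation; they show the minimum needed to enable validation in each of the three resolvers, plus the logging settings you would want while rolling it out. File paths are placeholders.

```conf
# Constructed example: enabling DNSSEC validation in the three resolvers
# covered above. Paths are placeholders.

# --- PowerDNS Recursor: recursor.conf ----------------------------------
# One setting. The other values are off, process-no-validate, process
# (validate but still answer) and log-fail (validate, log, still answer);
# only 'validate' withholds bogus answers from clients (SERVFAIL).
dnssec=validate
# Log each response that failed validation; useful during rollout.
dnssec-log-bogus=yes

# --- Unbound: unbound.conf ---------------------------------------------
# Here the same behaviour is spread over several protocol-specific knobs.
server:
    # Load the validator in front of the iterator (the default, shown
    # explicitly for contrast).
    module-config: "validator iterator"
    # Root trust anchor, kept current via RFC 5011 rollover tracking;
    # the file must be writable by the user unbound runs as.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Treat replies from signed zones that lack the expected DNSSEC
    # records as bogus instead of silently downgrading to insecure.
    harden-dnssec-stripped: yes
    # Must stay 'no': 'yes' would hand bogus answers to clients.
    val-permissive-mode: no
    # 1 logs validation failures; 2 also logs the reason and server IP.
    val-log-level: 2

# --- BIND named: named.conf --------------------------------------------
# 'auto' uses the built-in root key and tracks its rollover, as Unbound
# does above; 'yes' would require you to manage the trust anchor yourself.
options {
    recursion yes;
    dnssec-validation auto;
};
```

Whichever resolver you use, the check is the same: a query for a correctly signed name should come back with the AD flag set, and a query for a deliberately broken test zone should return SERVFAIL rather than an answer. If you see answers for the broken zone, the resolver is in a process-but-answer mode (Recursor `process`/`log-fail`, Unbound `val-permissive-mode: yes`) rather than validating.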

This news bulletin refers to an evaluation of six widely used validating resolvers by Tore Anderson. Unbound and the Knot Resolver emerged as highly recommended. Anderson reported that the latest versions of PowerDNS Recursor and BIND named worked well too, but had no advantages over Unbound or the Knot Resolver.