DNSSEC root KSK rollover restarted

Key pairs to be rolled over every 3 years in future


This spring, ICANN generated a new KSK pair for the root zone, effectively restarting the rollover that originally began last year.

In the autumn, the new key pair, KSK 2024, will be copied to the second data centre. The actual switch from the existing key pair to the new pair is scheduled for 2026. From then on, the intention is that a fresh rollover cycle will start every 3 years. In the next rollover – the 2029 rollover – both the key pair and the cryptographic algorithm are to be changed.

The process of rolling over from the current KSK 2017 key pair to the new KSK 2024 actually began a year ago, when a new KSK 2023 key pair was generated. However, the vendor of the current HSM systems then announced that they were withdrawing support for the product, prompting IANA to decide against transferring the key pair to the new HSMs. It's both easier and more secure to generate a new key pair on the new equipment than to transfer the private key material from one system to another.

New trust anchor

Once the new key material has been copied to the HSM at the second site this autumn, the next step will be to publish the new public key in the root zone, alongside the existing DNSKEY record. From there, the key will soon find its way to the resolver software, which has to install it as a trust anchor.

For many resolvers, the new trust anchor will simply arrive as part of a regular software update. Most other resolvers will update their trust anchors automatically by following the RFC 5011 mechanism.

At the time of the first root key rollover, the rollover to KSK 2017, a lot of manual installation and configuration work was still needed to get the new trust anchor where it needed to be. Thorough checking was also required at each stage of the rollover process. This time around, by contrast, it's expected that validating resolver operators will simply need to follow the RFC 5011 update process.

Shorter intervals and better methods

Although the root KSK key pair was originally supposed to have a lifetime of 5 years, the very first key pair (KSK 2010) was in use for much longer before it was replaced in the first rollover. Not only did that first rollover process begin much later than scheduled, but once in progress it had to be extended by a year so that ICANN could verify that validating resolvers were in possession of the new trust anchor. If the switch to the new trust anchor had been completed while many validating resolvers were still unprepared, those resolvers would no longer have been able to validate the root DNSKEY RRset, and their users would have lost access to every name in a DNSSEC-signed zone as soon as the chain of trust could no longer be traced back to a key they trusted.

Following the rollover now in progress, the intention is to adopt a 3-year cycle. Assuming that the now widely supported RFC 5011 mechanism performs well in the current rollover, future rollovers should become routine procedures for the great majority of resolvers.
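To make concrete what "following the RFC 5011 update process" means for a resolver, and why an unprepared resolver fails at the moment of the switch, here is an added simulation of the RFC 5011 trust anchor state machine. It is illustration written for this article, not code from ICANN, IANA, SIDN or any resolver. It assumes a constructed timeline (the key names "KSK-old"/"KSK-new", the day numbers and the RRset contents are all made up), simplifies the hold-down timers to a flat 30 days, and tracks keys by an opaque identifier rather than a real key tag, since a real key tag changes when the REVOKE flag is set.

```python
# Added illustration, not ICANN, IANA or SIDN code: a minimal RFC 5011 trust anchor
# state machine fed a constructed timeline of root DNSKEY RRset observations.
from dataclasses import dataclass
from enum import Enum

ADD_HOLD_DOWN_DAYS = 30        # RFC 5011 s. 2.4.1 (assumes the RRset TTL is shorter)
REMOVE_HOLD_DOWN_DAYS = 30     # RFC 5011 s. 2.4.2
FLAG_SEP = 0x0001              # Secure Entry Point: the key is offered as a KSK
FLAG_REVOKE = 0x0080           # RFC 5011 s. 2.1
KSK_FLAGS = 0x0100 | FLAG_SEP  # ZONE + SEP = 257, the usual KSK flags
State = Enum("State", "START ADDPEND VALID MISSING REVOKED REMOVED")

@dataclass(frozen=True)
class Key:
    ident: str  # opaque id for the simulation; a real key tag changes once REVOKE is set
    flags: int

@dataclass(frozen=True)
class Observation:
    day: int
    keys: tuple           # the DNSKEY RRset seen at the trust point
    signed_by: frozenset  # idents of keys whose RRSIG over that RRset verified

class TrustAnchorStore:
    def __init__(self, initial):
        self._state = {k: State.VALID for k in initial}  # configured anchors
        self._since = {k: 0 for k in initial}            # day the current state began

    def state_of(self, ident):
        return self._state.get(ident, State.START)

    def trusted(self):  # Missing keys remain anchors; Revoked/Removed do not
        return sorted(k for k, s in self._state.items() if s in (State.VALID, State.MISSING))

    def _set(self, ident, state, day):
        self._state[ident], self._since[ident] = state, day

    def observe(self, obs):
        # Only an RRset signed by a currently trusted key may change the store
        # (RFC 5011 s. 2.2): nobody can plant an anchor without a current key.
        if not (obs.signed_by & set(self.trusted())):
            return False
        present = {k.ident: k for k in obs.keys}
        for ident in list(self._state):
            st, key = self._state[ident], present.get(ident)
            age = obs.day - self._since[ident]
            if st is State.ADDPEND:
                if key is None or key.flags & FLAG_REVOKE:
                    self._set(ident, State.START, obs.day)  # vanished: start over
                elif age >= ADD_HOLD_DOWN_DAYS:
                    self._set(ident, State.VALID, obs.day)  # hold-down met: now trusted
            elif st in (State.VALID, State.MISSING):
                if key is None:
                    if st is State.VALID:
                        self._set(ident, State.MISSING, obs.day)
                elif key.flags & FLAG_REVOKE and ident in obs.signed_by:  # must be self-signed
                    self._set(ident, State.REVOKED, obs.day)
                elif st is State.MISSING:
                    self._set(ident, State.VALID, obs.day)
            elif st is State.REVOKED and age >= REMOVE_HOLD_DOWN_DAYS:
                self._set(ident, State.REMOVED, obs.day)
        for ident, key in present.items():  # a newly published KSK starts its hold-down
            if self.state_of(ident) is State.START and key.flags & FLAG_SEP and not key.flags & FLAG_REVOKE:
                self._set(ident, State.ADDPEND, obs.day)
        return True

OLD, NEW = "KSK-old", "KSK-new"  # stand-ins for the outgoing and incoming root KSK

def rollover_timeline():
    """Constructed observations (not real root zone data) covering one rollover."""
    old, new = Key(OLD, KSK_FLAGS), Key(NEW, KSK_FLAGS)
    old_rev = Key(OLD, KSK_FLAGS | FLAG_REVOKE)
    return [
        Observation(0, (old,), frozenset({OLD})),
        Observation(10, (old, new), frozenset({OLD})),            # new key published
        Observation(25, (old, new), frozenset({OLD})),            # hold-down running
        Observation(40, (old, new), frozenset({OLD})),            # hold-down met
        Observation(100, (old, new), frozenset({NEW})),           # switch: new key signs
        Observation(120, (old_rev, new), frozenset({OLD, NEW})),  # old key revoked
        Observation(160, (new,), frozenset({NEW})),               # old key withdrawn
    ]

def well_behaved_resolver():
    store = TrustAnchorStore([OLD])
    accepted = [store.observe(o) for o in rollover_timeline()]
    return accepted, store.trusted()

def lagging_resolver():
    # Saw the new key once, then did not poll again until the switch: the root
    # RRset is now rejected, so every DNSSEC-validated answer fails.
    tl = rollover_timeline()
    store = TrustAnchorStore([OLD])
    accepted = [store.observe(o) for o in (tl[0], tl[1], tl[4])]
    return accepted, store.trusted(), store.state_of(NEW)

def spoof_attempt():
    # An RRset carrying an attacker's KSK but no trusted signature is ignored.
    store = TrustAnchorStore([OLD])
    bogus = Observation(5, (Key(OLD, KSK_FLAGS), Key("KSK-evil", KSK_FLAGS)), frozenset({"KSK-evil"}))
    return store.observe(bogus), store.state_of("KSK-evil")
```

The resolver that polls throughout accepts every observation and ends the cycle trusting only the new key; the one that stops polling during the hold-down period is left with the new key stuck in AddPend, rejects the root DNSKEY RRset the moment the new key becomes the only signer, and from then on cannot validate anything. The same "no trusted signature, no change" rule is what makes an injected RRset harmless. If you want to see where your own resolver stands rather than a simulation, BIND reports its RFC 5011 state with `rndc managed-keys status`, and Unbound keeps it in the file named by its `auto-trust-anchor-file` option.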

In the rollover that should in principle take place in 2029, the plan is now to transition not only to a new key pair, but also to a new cryptographic algorithm. The current RSA/SHA-256 algorithm (algorithm 8) will be superseded by the ECDSA Curve P-256 with SHA-256 algorithm (algorithm 13). We adopted the latter algorithm for the .nl zone last summer.