JouwWeb enables DANE security for 60,000 mail domains
Only mail servers and the DNS system require configuration
Early this year, website platform JouwWeb enabled DANE for all its managed domain names, thus increasing the security of mail transport to and from the domains.
Many JouwWeb customers are non-technical people who expect their service provider to look after everything 'under the hood' of their websites. Waiting until customers start asking for a new technical feature before implementing it therefore implies being too late. Because JouwWeb manages almost all its customers' domain names, DANE implementation was relatively straightforward, insofar as no external changes were required.
DANE (DNS-based Authentication of Named Entities) is a cryptographic security technique designed to frustrate snooping on mail traffic. It lets a sending mail server learn, from DNSSEC-signed DNS records, that the receiving server supports TLS and which certificate it should present, so that the SMTP session must be encrypted and authenticated rather than merely encrypted when the other side happens to offer it. Its effect is to protect both the confidentiality and the authenticity of the transport.
To enable DANE, the DNS protocol has been extended by the addition of the TLSA record. That record links key information, typically a hash (digital fingerprint) of the server certificate or of its public key, to a combination of host name, protocol and port; for an MX host it is published under the name _25._tcp.<mx host name>. An SMTP client can then verify the authenticity of the server certificate presented during the TLS handshake against the DNS. The zone must be DNSSEC-signed, and the sending server must validate DNSSEC, for DANE to be usable: an unsigned TLSA record could be forged just as easily as the certificate it is meant to vouch for.
If the hash of the server certificate doesn't match the hash in the TLSA record, the client knows that the connection is not trustworthy, despite the encryption. Moreover, the mere presence of a TLSA record tells the client that the mail server supports TLS, so the otherwise relatively straightforward downgrade attack, in which an attacker on the path strips the STARTTLS capability from the server's greeting so that the session silently falls back to plaintext, is prevented: a DANE-validating client will refuse to deliver over an unencrypted or unauthenticated connection.
JouwWeb caters mainly for the SME sector and currently manages more than 100,000 domains for its customers. "Our proposition is that we take care of all the technical aspects, while customers manage their domain names, web and mail in a graphical environment," says Roel van Duijnhoven, JouwWeb's CTO and founder.
Implementing DANE for the 60,000 mail domains was relatively straightforward. The service provider's mail infrastructure consists of a round-robin load balancer on the MX portals. The Postfix servers (MTAs) behind the balancer process the inbound mail and deliver it to the Dovecot systems that end users access with IMAP. Outbound mail (via the SMTP gateway) is processed by the same Postfix servers. The ultimate mail relay goes via a third party, so that JouwWeb doesn't have to concern itself with IP address reputation management.
In principle, enabling DANE validation for outbound mail on a Postfix server doesn't involve much more than changing a configuration switch: setting smtp_tls_security_level = dane, together with smtp_dns_support_level = dnssec and a local DNSSEC-validating resolver (for details, see this article). "The implementation of DANE was part of an upgrade to our mail infrastructure," explains Van Duijnhoven. "Before going live, we tested the new set-up extensively in our staging environment. It has a complete clone of our mail infrastructure, so that we can check that everything works and test performance."
The other side of DANE, the publication of TLSA records so that external SMTP clients can validate the certificates on your MX portals, involves generating and publishing the associated hashes (as described here). JouwWeb now rolls over the TLS keys on its MX servers once a year, implying that the associated TLSA records have to be rolled over annually as well. A key rollover has to be sequenced carefully: the record for the new key must be published, alongside the old one, and given time to propagate before the new certificate is installed, otherwise DANE-validating senders will refuse to deliver in the meantime. (A certificate renewal that keeps the same key needs no TLSA change if the record fingerprints the public key rather than the whole certificate.) However, it's not yet certain whether that policy will be retained, Van Duijnhoven says.
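The two halves of DANE described above, the client-side match of a presented certificate against a TLSA record (with the downgrade-resistant policy decision that follows from the DNSSEC lookup) and the server-side generation of the record to publish, including the overlap needed during an annual key rollover, as one added example. This is illustrative code written for this page, not JouwWeb's code or Postfix's; it uses only the Python standard library, with a minimal DER walker standing in for an X.509 library. The host name mx1.example.net and the two certificates are constructed stand-ins: they have the structure of X.509 v3 certificates but dummy contents and no real signature.

```python
"""TLSA records for DANE-protected SMTP: record generation, certificate matching,
client policy and key-rollover overlap. Added example, not JouwWeb's own code.
Standard library only; sample certificates below are constructed, not real."""
import hashlib

# ---- minimal DER helpers --------------------------------------------------
def der_tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = data[pos], data[pos + 1], 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def der_children(data, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(data, pos)
        yield tag, pos, vstart, vend
        pos = vend

def _tlv(tag, body):
    """Encode a DER TLV (only used to build the constructed sample certificates)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

# ---- certificate side: what gets hashed into the TLSA record -------------
def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of a certificate.
    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_s, cert_e = der_tlv(cert_der, 0)
    _, _, tbs_s, tbs_e = next(der_children(cert_der, cert_s, cert_e))
    fields = list(der_children(cert_der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:               # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    _, start, _, end = fields[5]           # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[start:end]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA (RFC 6698 / RFC 7672). usage 3 = DANE-EE (match the end-entity cert);
    selector 0 = whole certificate, 1 = SubjectPublicKeyInfo;
    mtype 0 = raw data, 1 = SHA-256, 2 = SHA-512. Default '3 1 1' is the usual SMTP choice."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda d: d.hex(),
              1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_owner(mx_host, port=25, proto="tcp"):
    """Owner name the record is published under, e.g. _25._tcp.mx1.example.net."""
    return f"_{port}._{proto}.{mx_host}."

def rollover_rrset(old_cert, new_cert):
    """Records to publish before the MX switches to new_cert: old and new together,
    so senders still holding the old record in cache keep validating (RFC 7671 s.8)."""
    return [tlsa_rdata(old_cert), tlsa_rdata(new_cert)]

# ---- client side: what a DANE-validating SMTP client does ----------------
def dane_ee_matches(cert_der, rrset):
    """Does the certificate the MX presented match any DANE-EE (usage 3) record?
    Usage 2 (DANE-TA) would need chain building and is deliberately not handled."""
    for rr in rrset:
        usage, selector, mtype, digest = rr.split()
        if usage != "3":
            continue
        if tlsa_rdata(cert_der, 3, int(selector), int(mtype)).split()[3] == digest.lower():
            return True
    return False

def client_policy(dnssec_state, rrset):
    """Policy after the TLSA lookup, following RFC 7672: a 'bogus' DNSSEC answer
    defers delivery; a 'secure' answer with records makes TLS mandatory and the
    certificate must match; anything else stays opportunistic (and downgradable)."""
    if dnssec_state == "bogus":
        return "defer"
    if dnssec_state == "secure" and rrset:
        return "dane"
    return "opportunistic"

# ---- constructed sample certificates (valid structure, dummy contents) ---
def spki_for_key(key_bytes):
    """SubjectPublicKeyInfo with OID rsaEncryption; key_bytes stand in for a real key."""
    alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), _tlv(0x05, b""))
    return _seq(alg, _tlv(0x03, b"\x00" + key_bytes))

def build_sample_cert(key_bytes):
    """Unsigned X.509 v3 certificate for CN=mx1.example.net (constructed sample)."""
    sig_alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))
    name = _seq(_tlv(0x31, _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x0c, b"mx1.example.net"))))
    validity = _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"250101000000Z"))
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), sig_alg,
               name, validity, name, spki_for_key(key_bytes))
    return _seq(tbs, sig_alg, _tlv(0x03, b"\x00" + b"\x00" * 16))

OLD_CERT = build_sample_cert(b"old-key-material-2023")
NEW_CERT = build_sample_cert(b"new-key-material-2024")

if __name__ == "__main__":
    print(tlsa_owner("mx1.example.net"), "IN TLSA", tlsa_rdata(NEW_CERT))
    print("old cert against new record only:", dane_ee_matches(OLD_CERT, [tlsa_rdata(NEW_CERT)]))
    print("old cert during rollover:", dane_ee_matches(OLD_CERT, rollover_rrset(OLD_CERT, NEW_CERT)))
```

The "3 1 1" form hashes the public key rather than the whole certificate, which is why a certificate renewal that keeps the key needs no DNS change, while a key rollover does; rollover_rrset shows the overlap period during which both records must be live. client_policy makes the downgrade-resistance point concrete: once a secure TLSA answer exists, the client never falls back to plaintext, and a bogus DNSSEC answer is treated as a reason to defer rather than to proceed.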
According to Van Duijnhoven, a lot more work went into his company's earlier implementation of DNSSEC – a prerequisite for using DANE, because of the need for a cryptographic chain of trust. "Having put that security in place, we wanted to make good use of it. Adopting DANE is part of that."
One thing that the DANE and DNSSEC implementations, and the earlier HTTPS implementation, have in common is that they didn't require any customer input. That's in contrast to, for example, SPF implementation, which involves using the DNS to publish the IP addresses of all the servers authorised to send mail for each domain. Because marketing mail and the like is often sent using third-party services, enabling SPF would require customers to keep their lists of authorised servers up to date at all times, otherwise their mail could be rejected by SPF-validating MX gateways. JouwWeb does, however, allow customers to enable SPF themselves; they can create their own DNS records via their control panels.
JouwWeb also supports DKIM, another mail security protocol, under which SMTP gateways sign outgoing messages before sending them. Although recipients cannot be compelled to validate the signatures, a valid signature does contribute to the spam score of inbound messages. "E-mail is personal and really matters to customers," Van Duijnhoven stresses. "So we don't want to take any risks with it."
The rollout of DANE to JouwWeb's 60,000 mail domains is discernible in our adoption statistics as a small uptick.
In July 2019, we started incentivising the use of DANE security for inbound mail, through our Registrar Scorecard scheme. Since the financial incentives came in, adoption has risen sharply [1, 2, 3], to nearly 20 per cent of all registered .nl domains. The high level of DNSSEC support in the Netherlands is of course an important enabler in that context.
Another major Dutch hosting market player that bulk-signed its domain names last year is Hostnet. By contrast, KPN dropped DANE (and various other security standards) when incorporating the XS4All infrastructure into its own.