New KSK-2024 trust anchor published on IANA website
Validating resolver operators advised to check in spring 2025 that trust anchor has been installed
At the start of November 2024, IANA published the new KSK-2024 trust anchor. Initially it will mainly be used by software developers and packagers, who ship the root trust anchor with their validating resolver software and distribution packages.
On 11 January 2025, the new public key will also be added to the root zone. Most systems that haven't already received the new trust anchor by means of software or distribution updates will then automatically import it using the RFC 5011 mechanism.
Validating resolver operators don't need to do anything yet, but should check their systems in about 4 months' time to make sure that the KSK-2024 trust anchor has indeed been successfully installed. Resolvers won't have to use the new trust anchor until 2026. However, operators must be ready for the switch: a resolver that is still missing the new key by then will fail validation (answering SERVFAIL) for every DNSSEC-signed domain name.
Under the DNSSEC security protocol, digital signatures are used to assure the authenticity and integrity of DNS information cryptographically. A validating resolver checks a DNS record's signature by following the chain of trust all the way back to the root: each zone's DNSKEY is vouched for by a DS record in the parent zone, which is in turn covered by the parent's own signatures. At the root, the chain ends with the public key of the root KSK pair, which every validating resolver holds as its trust anchor.
Once every few years, the root KSK pair is 'rolled over' (i.e. replaced by a new pair). Until now, the sole reason for performing a periodic rollover has been key hygiene: limiting how long any one key pair stays in use. However, the rollover will soon serve an additional purpose, namely to change the cryptographic algorithm. The very first key pair, KSK-2010, was replaced by KSK-2017 in 2018 [1]. In the next 2 years, KSK-2017 will in turn make way for a new key pair. Following the rollover now in progress, the intention is to adopt a 3-year cycle.
In the next rollover – the 2029 rollover – both the key pair and the cryptographic algorithm are to be changed. Our own Moritz Müller, Research Engineer at SIDN Labs, is a member of the Root Zone Algorithm Rollover Study Design Team that is developing the plans for the migration process. The team published its first study in summer 2024.
The first root KSK rollover, to KSK-2017, started much later than originally envisaged. Once in progress, the process had to be paused for a year so that the organisers could verify that resolvers had the new trust anchor before the old key pair was withdrawn. At that time, a lot of manual installation and configuration work was still needed to get the new trust anchor where it needed to be. A further complication was that very few resolvers then supported RFC 8145 (trust anchor signaling, whereby resolvers report the key tags of their configured anchors to the root servers) or RFC 8509 (the root key sentinel, special query names that let an operator test whether a given resolver trusts a given key tag), the mechanisms used to estimate how many resolvers have installed the new trust anchor. [1]
For the latest rollover, by contrast, validating resolver operators are expected to need nothing more than the RFC 5011 automated update process, plus a check afterwards that it has succeeded.
After a false start in 2023, the new KSK pair for the root zone was generated in early 2024. In the summer, it was copied to the second data centre, and has now been published on the IANA website. KSK-2024's public key (with key tag 38696) is as follows:
. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ 1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe ayffKC73PYc=
On 11 January 2025, the new public key will also be added to the root zone as a DNSKEY record. Most systems that haven't already received the new trust anchor by means of software or distribution updates will then automatically import it using the RFC 5011 mechanism.
The new KSK-2024 key pair won't actually be used to sign the root zone until about 2 years from now, on 11 October 2026. Bear in mind, though, that any resolver that doesn't have the new trust anchor installed by that date will no longer be able to link the root zone's signatures to a key it trusts, and will therefore fail validation (SERVFAIL) for every DNSSEC-signed domain name. If the rollover proceeds to plan, the old KSK-2017 key pair will be revoked on 11 January 2027.
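The following is an added example, not code from the original article, from IANA or from SIDN. It shows the check an operator would run once the RFC 5011 update has had time to complete: it parses a root trust-anchor file in the layout Unbound writes to its auto-trust-anchor-file (the trailing ";;state=N [ VALID ]" comment is Unbound's way of recording the RFC 5011 state; records without such a comment are treated as statically configured), recomputes each key's key tag per RFC 4034 Appendix B so that the figure in the file is not simply taken on trust, derives the SHA-256 DS digest that can be compared with IANA's published trust anchor, and reports whether key tag 38696 is present and usable. The sample file is constructed: its first key is a stand-in with a 3-byte public key that is still in state MISSING, its second is the KSK-2024 record quoted above.

```python
"""Added example (not from the article): verify that a resolver's root
trust-anchor file contains the KSK-2024 key in a usable RFC 5011 state.

Assumptions: the file uses the layout Unbound writes to its
auto-trust-anchor-file, i.e. DNSKEY records in presentation format
followed by comments such as ";;state=2 [  VALID  ]". Records without a
state comment (a statically configured trust anchor) are treated as STATIC.
"""
import base64
import hashlib
import re

# Public key of KSK-2024 as published by IANA (copied from the record above).
KSK_2024_B64 = (
    "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c"
    "idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb"
    "GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s"
    "iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp"
    "dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ"
    "1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe"
    "ayffKC73PYc="
)
KSK_2024_TAG = 38696

# RFC 5011 key states, numbered as Unbound records them in ";;state=N".
RFC5011_STATES = {0: "START", 1: "ADDPEND", 2: "VALID",
                  3: "MISSING", 4: "REVOKED", 5: "REMOVED"}


def name_to_wire(name):
    """Owner name in DNS wire format; "." becomes the single root label b"\\x00"."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.lower().encode()
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, flags, protocol, algorithm, pubkey):
    """Digest field of a type-2 (SHA-256) DS record: sha256(owner || RDATA)."""
    data = name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hashlib.sha256(data).hexdigest().upper()


def parse_anchor_file(text):
    """Return one dict per DNSKEY line: owner, tag, flags, algorithm, state, ds."""
    keys = []
    for line in text.splitlines():
        record, _, comment = line.partition(";")
        fields = record.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        # Presentation format may split the base64 over several whitespace-separated chunks.
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        m = re.search(r";;state=(\d+)", comment)
        state = RFC5011_STATES.get(int(m.group(1)), "UNKNOWN") if m else "STATIC"
        keys.append({
            "owner": fields[0],
            "flags": flags,
            "algorithm": algorithm,
            "pubkey_len": len(pubkey),
            "tag": key_tag(flags, protocol, algorithm, pubkey),
            "ds": ds_digest(fields[0], flags, protocol, algorithm, pubkey),
            "state": state,
        })
    return keys


def ksk_2024_ready(keys, tag=KSK_2024_TAG):
    """True when a key with the KSK-2024 key tag is present and usable for validation."""
    return any(k["tag"] == tag and k["state"] in ("VALID", "STATIC") for k in keys)


# Constructed sample in Unbound's layout. The first key is a stand-in with a
# 3-byte "public key" (base64 "AQID") still in state MISSING; the second is KSK-2024.
SAMPLE_ANCHOR_FILE = (
    "; autotrust trust anchor file (constructed sample)\n"
    ";;id: . 1\n"
    ". 172800 IN DNSKEY 257 3 8 AQID ;{id = 2059 (ksk), size = 24b} "
    ";;state=3 [ MISSING ] ;;count=0 ;;lastchange=1730000000\n"
    ". 172800 IN DNSKEY 257 3 8 " + KSK_2024_B64 + " ;{id = 38696 (ksk), size = 2048b} "
    ";;state=2 [  VALID  ] ;;count=0 ;;lastchange=1730000000\n"
)

if __name__ == "__main__":
    anchors = parse_anchor_file(SAMPLE_ANCHOR_FILE)
    for k in anchors:
        print(f"{k['owner']} tag={k['tag']} alg={k['algorithm']} state={k['state']} DS={k['ds']}")
    print("KSK-2024 ready:", ksk_2024_ready(anchors))
```

Point the script at your resolver's real anchor file (for Unbound, the path given by auto-trust-anchor-file) instead of the constructed sample. A key tag of 38696 in state VALID, together with a DS digest that matches the entry for KSK-2024 in IANA's root-anchors.xml, is the result to look for; a key that is only in ADDPEND has not yet completed the RFC 5011 hold-down period, and a resolver that shows no key with that tag at all will need the anchor installed by hand.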
On this website, we'll keep you updated regarding the KSK-2024 rollover process and let you know when you can check that your validating resolver has installed the new trust anchor.