Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

New opportunity for DANE for web

RFC 9102 published, first implementations in progress

Concept of a secure digital chain
  • Tuesday 10 May 2022

Publication of RFC 9102Link opens in new tab in August 2021 opened the way for the complete chain of DNS(SEC) records required for DANE validation to be included in the TLSLink opens in new tab exchange itself (in-bandLink opens in new tab). Consequently, when setting up a secure connection (e.g. HTTPSLink opens in new tab), no extra DNS queries are required in order to check the authenticity of the presented TLS server certificateLink opens in new tab using DANE.

The advantage of the new approach is clear: it means that a TLS connection can be established more quickly than if all the necessary records (or, more precisely, resource record sets) have to be requested separately (out-of-band). That applies not only to general TLS connections, but also to DoHLink opens in new tab and DoTLink opens in new tab, for which fewer connections therefore need to be initiated.

Because some middleboxesLink opens in new tab and access routers won't forward DNSSEC records, they can't always be obtained via the DNS system. Complete in-band DANE/DNSSEC chains represent a solution in those situations as well.

It should be noted, however, that the new technology is currently still experimental. NLnet Labs is working on an extension that will enable their validating stub resolver StubbyLink opens in new tab to perform in-band DANE validation on its DoH/DoT connections. A little further ahead is a DoH plugin for ApacheLink opens in new tab and NginxLink opens in new tab, which will provide them with support for the new technology.

DANE and DNSSEC

Although the DANELink opens in new tab security standard is more than ten years old, it has only recently started to break through. Even now, only about half of mail domains use it. The standard is defined for general use (in RFC 6698Link opens in new tab, 7218Link opens in new tab and 7671Link opens in new tab): TLS server certificates (based on X.509Link opens in new tab) are anchored by publishing the hashLink opens in new tab of each certificate in a TLSA record. Because DANE requires the use of DNSSEC, the authenticityLink opens in new tab of a certificate is cryptographically assured by anchorage to the DNSSEC trust anchorLink opens in new tab via the chain of trust.

As well as the hash value itself, TLSA has a 'Usage' field, which determines how the hash should be interpreted:

  • 0) PKIX-TA: anchors a particular CA certificate in the TLS chain of trust (in addition to traditional validation)

  • 1) PKIX-EE: anchors a particular server certificate (in addition to traditional validation)

  • 2) DANE-TA: anchors a particular CA certificate in the TLS chain of trust, enabling it to function as a trust anchor

  • 3) DANE-EE: anchors a particular server certificate, which has to match the certificate provided by the server

DANE for web and DANE for mail

Usages 0 and 1 anchor the certificateLink opens in new tab of, respectively, a CA and a server, to supplement conventional validation on the basis of trust anchors provided in the client (typically a browser). Hence, the first two options are described as 'restrictive' (they add another security constraint to the existing system). Usages 2 and 3 operate independently from conventional TLS validation, meaning that they are (additionally) suitable for self-signed certificatesLink opens in new tab. They also enable clients without trust anchors to be served. Those two options are therefore described as 'additive' (they provide an option not offered by the existing system).

One protocol under which clients do not have trust anchors is SMTPLink opens in new tab, for the transport of e-mail messages. RFC 7672Link opens in new tab specifies how DANE can be used for mail exchange between MTAsLink opens in new tab. Because mail servers do not have trust anchors, only usages 2 and 3 are permissible in this context. Furthermore, DANE for mail is an opportunistic protocol: a TLSA record authenticates a particular server certificate for a client, implying support for STARTTLS, but does not require the client to use TLS for message transfer.

In practice, DANE for web is currently barely used [1, 2], while DANE for mail [1, 2] is quickly gaining traction (or was).

A long history

The history of the TLS extensionLink opens in new tab to the DNSSEC chain of trust for DANE – the 'chain extension' – goes right back to the development of DANE itselfLink opens in new tab more than ten years ago. The first implementation of a DANE-like chain extension for ChromeLink opens in new tab (by Adam LangleyLink opens in new tab) disappeared from the browser within two years because it proved unsuitable and was consequently not used. In Langley's proof-of-conceptLink opens in new tab, the DNS(SEC) chain was included in an extension to the certificate itself (a 'DNSSEC stapled certificate'). TLSA records didn't exist at that time, so a TXT record was used.

However, the approach proved unpopular with CAs, because it implied including a new block in every signature. It also meant that the certificate had to be renewed whenever the DNSSEC signatures were renewed. Use of Langley's system would therefore have involved various undesirable and impractical dependencies between the PKI/CA system and DNSSEC.

A new approach

The period 2015 to 2018 saw development of the current specification's predecessorLink opens in new tab. The new solution involved the addition of an option to the TLS protocol, enabling the client to request the relevant DANE/DNS(SEC) chain. In this model, the server functioned as an intermediary: it requested the required records locally and sent them to the client in serialisedLink opens in new tab form via the existing connection, thus utilising the resolver functionality and caching capability already present. A further advantage was that the client got end-to-end validation (at the application level), even if it only had a (non-DNSSEC-validating) stub resolver.

A crucial difference between the new solution and the previous one was that DANE was no longer dependent on the CAs. Both the TLS community and the browser builders were enthusiastic about the new approach. The DNS Security article series written by Richard BarnesLink opens in new tab, then working for Mozilla, is available hereLink opens in new tab.

Disagreement

Although Mozilla already had an implementation ready for its Firefox browser, the proposed new approach didn't catch on. For one thing, it supported only the additive DANE usages, and the chain extension was restricted to the communication of DANE/DNS(SEC) records. In addition, Victor DukhovniLink opens in new tab, now best known for his DANE adoption measurementsLink opens in new tab, pointed out that the approach was vulnerable to a downgrade attackLink opens in new tab by a man-in-the-middle (MITMLink opens in new tab). If you rely on an alternative channel without checking the DNS system itself, and the alternative channel reports that no DNSSEC records are present, you cannot be certain whether that is really the case.

However, the two objections are related, and have been used as cover for protecting the commercial interests of the CAs: as long as the available DANE functionality cannot completely replace the PKI/CA system, there will be no support for additive DANE.

Dukhovni argued that the proposed system had a serious security flaw, and that certificate pinning should therefore be supported as well. However, as well as taking exception to Dukhovni's tone, the web community has had some negative experiences of pinning (e.g. HPKPLink opens in new tab, the predecessor of HSTSLink opens in new tab). Consequently, after a year of discussion, both the TLS Working GroupLink opens in new tab and Barnes withdrew.

New opportunity

Now joined by Dukhovni and security software engineer Paul WoutersLink opens in new tab, the group developed the chain extension proposal into the Independent Submission StreamLink opens in new tab. With pinning now added by Dukhovni, the experimentalLink opens in new tab specification is now ready for implementation.

Although end users have little interest in DNSSEC, Willem TooropLink opens in new tab (developer and researcher at NLnet Labs and co-author of the RFC) is hopeful about adoption of the chain extension. "We shouldn't try to add this security to long-established TLS applications, such as IMAPSLink opens in new tab and POPSLink opens in new tab (in the mail client). New technologies such as DoH and DoT represent much better opportunities. A lot is currently happening with DoH in web browsers."

"For example, a method for encrypting TLS from the very start is under development, known as Encrypted Client Hello (ECHLink opens in new tab). That's significant, because the TLS handshake isn't currently encrypted, meaning that the service to which a connection is established isn't secureLink opens in new tab. With ECH, the public element of the key pair used to encrypt the handshake will be included in a special DNS record: the SVCB or HTTPS record. The idea is that the records will be available to browsers via their inbuilt DoH. In order to assure the authenticity of the records (and thus the security of the TLS handshake), you need DNSSEC."

"So DNSSEC keeps cropping up in these new, emerging standards (see this exampleLink opens in new tab). And, as browser-builders make more use of DNS in their software, the opportunities for DNSSEC and DANE increase."

Related articles