Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

NIST fully retires the SHA-1 hash function

Check whether your signed domains need switching to a modern DNSSEC algorithm

Programmed code in futuristic environment
  • Friday 7 April 2023

The US National Institute of Standards and Technology (NIST) has started the process of fully retiring the SHA-1 hash function. NIST retired SHA-1 from use in digital signatures (where the hash serves as a (cryptographically and statistically) unique summary) 10 years ago. Now the hash has also been retired from all other uses, including HMAC (authentication of messages on the basis of a shared key), random number generation and password hashing.

The move away from SHA-1 is relevant for DNSSEC in 2 ways: First, the DNSSEC algorithm uses a hash function when generating digital signatures (published in the RRSIG records). Second, authentication of a signed domain name's public keys (published in the DNSKEY records) is enabled by publishing their hashes in the parent zone (as signed DS records).

Although SHA-1 should not have been used in digital signatures for some years, the latest announcement serves as a good opportunity for us to remind registrants and DNS operators about the importance of using modern algorithms.

Complete retirement of SHA-1

NIST is giving (American) users and vendors plenty of time to phase out SHA-1. They have until the end of 2030 to replace the algorithm with one of the other hash functions: SHA-2 (specified together with SHA-1 in FIPS 180-4) or SHA-3 [1, 2] (specified in FIPS 202). The latter specification also defines the SHAKE variant used in EdDSA-based DNSSEC algorithm number 16.

Although it's nearly 8 years before the 2030 deadline for transitioning away from SHA-1, NIST recommends removing it from your infrastructure as soon as possible. Before the deadline, NIST plans to publish FIPS 180-5, which will not include SHA-1.

SHA-1 and DNSSEC

Where DNSSEC is concerned, the phase-out of SHA-1 began relatively recently, even though the algorithm's purpose in this context is digital signature generation. RFC 8624 (published in June 2019) says that the use of algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) for signing is 'NOT RECOMMENDED', and that the other SHA-1-based algorithms 'MUST NOT' be used).

Despite being written by a NIST staffer and published in 2013, RFC 6944 (the predecessor of RFC 8624) designated algorithm 5 'Must Implement' and algorithm 7 'Recommended to Implement'. The author did, however, give the justification that the implementation of RSASHA1 was mandatory in the context of the DNSSEC standard (as specified in RFC 4034).

SHA-1 in the .nl domain

Turning to the .nl domain, we find that only 0.15 per cent of DNSSEC-enabled domain names are signed using an SHA-1-based algorithm (usually algorithm 7: RSASHA1 with support for NSEC3).

As the same graph shows, algorithm 7 still accounted for 17 per cent of signed domain names only 2 years ago, but has since rapidly fallen out of use. In spring 2021, we began actively encouraging the phase-out of older DNSSEC algorithms (all those below number 8) and adapted our DNSSEC incentive scheme accordingly. Major DNS operators such as TransIP responded immediately by rolling over to a more modern cryptography algorithm.

Graph showing the DNSSEC algorithms used as of 20240826
https://images.ctfassets.net/yj8364fopk6s/UfHHqBQoapqMtaaGmzGvq/fb08db89265df917e7bca30c2ecdb36b/stats.sidnlabs.nl-DNSSECalgorithms-20240826.png

Switch to algorithm 13

We are now advising any registrants who still have DNSSEC-enabled domain names signed with algorithms below number 8 to switch to a more modern algorithm as soon as possible. At the moment, algorithm 13 (ECDSA Curve P-256 with SHA-256) is the best choice.

Those using algorithm number 8 (RSA/SHA-256) – which currently accounts for 43 per cent of signed domain names in the .nl zone – should also switch. While the need to act is less urgent for such registrants, the best option for them too is migration to algorithm 13.

At the time of writing, February 2023, we are still using algorithm 8 for the .nl top-level domain. However, we intend to switch to algorithm 13 later this year.

DS and CDS records

As indicated in the introduction, hashes are also used to enable authentication of a signed domain name's public keys (published in the DNSKEY records) by the parent domain (by publishing the public keys' hash values in a signed DS record).

The same advice applies in the context of hash function use for DS records as in the context of hash function use for the generation of digital signatures (published in the RRSIG records). After all, hashes in DS records have the same function as hashes in digital signatures: they serve as unique summaries (in this case of the public keys).

RFC 8624 recommends using only hash algorithm 2 (SHA-256) for DS and CDS records, and not using algorithm 1 (SHA-1). Algorithm 4, based on the somewhat stronger SHA-384 hash function, is also available, but it currently has little added value.

Note that the hash algorithm numbers just mentioned do not correspond to the DNSSEC algorithm numbers mentioned earlier.

DS records in the .nl zone

Registrants of .nl domain names no longer have a choice about which hash algorithm to use for DS/CDS records. We now ask registrars to provide us with DNSKEY records, not DS records. We then use the DNSKEY records to generate DS records (using hash algorithm 2) for publication in the .nl zone.

We nevertheless advise everyone to check whether any domain names that they may have under other TLDs still have DS records based on hash algorithm 1, and, if so, to switch to using algorithm 2 as soon as possible.