Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

Outdated DKIM keys are easy to crack

Use a key that's 2,048 bits long

Visualization of a digital key
  • Wednesday 19 February 2025

Quite a few of the world's most-visited web domains are using DKIM keys for their mail that are too short. DKIM keys are published in the DNS by the registrants or operators of internet domains. Other mail gateways can then use the keys to check the authenticity of inbound messages from those domains. Using DKIM to sign outbound mail helps senders to make sure that legitimate mail is accepted, while allowing spoofed messages, spam and malware to be kept at bay.

However, a proof-of-concept attack has now shown that a short DKIM key can be cracked in less than 4 days on a cheap, run-of-the-mill cloud-server. Once the key was cracked, valid signatures were attached to spoofed messages supposedly from the hacked domain. The messages were then accepted by receiving mail gateways running out-of-date or incomplete DKIM checks.

More than 1,700 weak keys

The reported DKIM hack began with an analysis of Tranco's list of the 1 million most-visited web domains. Software developer Andreas Wulf first checked whether the domains were using the mail security protocols SPF, DKIM and DMARC. His analysis revealed that, of the 476,617 DKIM records he found, no fewer than 1,726 had DKIM keys shorter than 1,024 bits. That's too short, according to RFC 8301, published in 2018. RSA-based DKIM keys should now be at least 1,024 bits, and preferably 2,048 bits.

Figure 1: Of the 476,617 DKIM records found, 1,726 had RSA-based keys shorter than the prescribed minimum of 1,024 bits. [Source: Andreas Wulf]

Finding out a domain's private key

Having discovered that so many domains were using short keys, Wulf decided to see how easy it was to actually crack a 512-bit DKIM key by prime factorisation: the mathematical method for decomposing RSA keys. What he found was that cracking the key was remarkably easy. Using an off-the-peg, open-source software package on a cheap, run-of-the-mill cloud server, the job took less than 4 days.

Having worked out what the DKIM key's prime factors were, it was possible to compute the private key itself – which is supposed to be known only to the domain's registrant or operator. And, once you have the key, you can immediately start attaching valid signatures to fake mail.

Spoofed e-mail messages

Wulf was therefore able to attach a valid DKIM signature to spoofed e-mail messages, then send them out via various major mail handlers. Although most of the handlers rejected the messages because of the short DKIM key, some gave them a DKIM validation pass.

Under the DMARC protocol, a message passes validation if it achieves either an SPF pass or a DKIM pass. Consequently, any message that subverts the DKIM security mechanism as described will also get through DMARC security.

What domain registrants/operators can do

It's important to recognise that Wulf's DKIM hack depends on 2 things. First, the domain sending the mail (the 'signing domain') must have a weak DKIM key. Second, the receiving mail gateway must be configured to give a validation pass even in cases where the DKIM key is shorter than 1,024 bits. That typically implies out-of-date configurations being in use at both the sending end and the receiving end.

The solution for a domain registrant/operator is therefore simple: replace your old DKIM key with a new one that's preferably 2,048 bits long. (RFC 8301 still permits 1,024-bit keys, but advises against them.) When replacing an old key, it's important to remember that the new public key needs to be published as a DKIM record in the signing domain's zone (by means of a mini-rollover).

If you use Postfix with Amavis, the easiest approach is to use this command:

amavisd -c /etc/amavisd/amavisd.conf showkeys

If you use Exim, you'll find the DKIM keys in the directory '/etc/exim/keys/'. The public key is retrieved using this command:

openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM

What mail gateway operators can do

Mail gateway operators need to check their configurations to see what the minimum key length for a DKIM validation pass is. RFC 8301 says that it should be at least 1,024 bits.

For Postfix in combination with Amavis and OpenDKIM, the setting is in the file '/etc/opendkim.conf':

## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024

In Exim, validation based on a minimum DKIM key length of 1,024 bits is enforced using the variable '$dkim_verify_min_keysizes'. The default length can be adjusted using the variable '$dkim_key_length'. A complete example of the latter configuration is provided in the Exim documentation.

DKIM2

Work has now started on the development of a new version of DKIM, known as DKIMbis. The main reasons for updating the protocol are to resolve the problems with forwarders and aliases, to stop replay attacks and to prevent backscatter. With those aims in mind, a mechanism is being developed for in-transit cryptographic recording of each hop in the delivery path, any changes made, and the next hop towards the destination. For details, see these preliminary drafts.