Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

SIDN acts as intermediary in the transfer of DNSSEC-enabled domains

New internet standard in development

  • Thursday 1 November 2012

At present, the security of a DNSSEC-enabled .nl domain has to be disabled before it can be transferred from one registrar to another. That will soon cease to be an option: the security of a transferred domain will always have to remain effective while a transfer is in progress. Technically speaking, continuous security is perfectly viable, but it will require administrative coordination between the releasing registrar and the receiving registrar. The plan is for the .nl domain's operator, SIDN, to act as a portal for communication between registrars.

Technically speaking, the transfer of DNSSEC-enabled domains is perfectly viable, but it will require administrative coordination between the releasing registrar and the receiving registrar. At the moment, there are two methods in circulation for transferring a domain from one DNS operator to another: the IETF method and the ICANN method. However, the IETF method, devised by SIDN, is expected to prove to be the only workable solution for automated transfers.

Standard method

Antoin Verschuren, Technical Advisor at SIDN and inventor of the IETF method, has come up with a list of reasons why the solution will become the standard:

  • Very little is required of the releasing DNS operator, and the actions that are required can be automated.

  • The receiving registrar is in control.

  • With the ICANN method, the zone information has to be copied in its entirety, e.g. via AXFR. The necessary data could be transferred via other channels, e.g. the registrant. However, regardless of the channel used, the ICANN method involves more information being transferred between the registrars than the IETF method does.

  • The ICANN method doesn't allow the signatures to expire while the transfer is in progress. However, in practice, it is difficult to set things up in a way that ensures the signatures won't expire during transfer. All you can do is wait and see whether things go wrong.

  • With the ICANN method, the releasing operator has to set a very short TTL for the NS set prior to the transfer in order to minimise caching. That results in more look-ups and therefore more DNS traffic. Furthermore, short TTLs make the DNS vulnerable to trivial errors.

  • No matter how short the TTL is, the domain name will briefly be 'bogus' while the NS set is being changed over. Its bogus status will last for at least a few seconds. That may not be disastrous, but it does mean that the ICANN method doesn't formally meet the requirement that security should be effective throughout the transfer.

Guiding principles

"When developing our solution for the problem of secure transfers, we focused mainly on what would be workable for registrars and the entire chain of registry, registrar, reseller, registrant and DNS operator," says Verschuren. "My experience as a registrar for various registries meant that I had a good idea of what would and wouldn't work."

Key assumptions:

  • There is no direct and secure communication channel that all operators can access; SIDN should therefore act as an intermediary.

  • Private keys must not be exchanged.

  • The amount of information exchanged should be minimised.

  • Everything should be automatable in order to secure the cooperation of releasing operators.

  • Crucially, a registrant's freedom to choose a registrar must be preserved so that market forces remain effective. The receiving registrar or receiving operator must remain in control of the process, therefore. It mustn't be possible to hold a domain name hostage, which would have been a risk if the releasing operator's active cooperation had been required.

  • SIDN wishes to facilitate a process, rather than impose one. Registrars can then decide whether they want to use that process.

Relay system for ZSKs

The DRS (Domain Registration System) could be modified to support a new ZSK being made available to the old registrar," says Sebastiaan Assink, Operations Manager at internet hosting provider Oxilion. "The old registrar could then add the ZSK to the zone, or forward it to the DNS operator, if that's a different organisation."

"SIDN has now started work on the development of just such a relay system for ZSKs. We'll facilitate secure transfers by adapting the existing secure administrative channel to enable keys to be exchanged between DNS operators and registrars," says Verschuren. "We won't do anything with the ZSKs ourselves, we'll just make sure that they reach the releasing registrars via our secure registration environment."

"In a secure transfer, the receiving registrar has to give the new ZSK to the releasing DNS operator. To make that possible, we plan to add a new command to the EPP (Extensible Provisioning Protocol). The procedure will involve a series of further steps -- transfer, add DNSKEY, NS change, and delete old DNSKEY -- with a pause between each step and the next. The registrar will be able to define the length of each pause or look it up using the DNS. SIDN won't be imposing any timers of its own."

"The releasing registrar will get the forwarded ZSK and associated domain name from SIDN via the EPP queue, and will know that the transfer has been authorised with a transfer token. If the releasing registrar isn't also the releasing operator, the registrar will pass the key on to the operator. The only thing that the releasing operator has to do is add the ZSK to the zone and re-sign it."

Kidnapping

One issue that will need attention is the possibility of the releasing DNS operator setting an excessive TTL for the DNSKEY. "The releasing operator decides the validity period of its DNSKEY records,"explains Assink. "The transfer procedure will involve the old operator adding the new ZSK to the zone and signing it with their own KSK. However, you don't want to change the name servers for a domain until you're sure that the old DNSKEY set has expired and everyone can use the new ZSK for validation. If the old operator were to set a very long TTL (say, a week), you would have to wait a week between adding the new DS record and changing the name servers."

"At a certain stage in the transfer process, the waiting time will indeed depend on the TTL of a record in the releasing operator's zone," confirms Verschuren. "That TTL has to expire before the next step in the process is taken. There's a possibility of an uncooperative operator setting a high TTL value in order to delay the transfer. That would clearly frustrate the process. You can think of it as a sort of kidnapping, which is something want to prevent, of course."

"SIDN already applies a set of technical requirements, which include acceptable values for crucial TTLs. The intention is to add acceptable TTLs for DNSKEY records. We've previously been fairly relaxed about monitoring compliance with the technical requirements, so you do occasionally come across DNS operators who use anomalous TTLs. However, any operator that continues to do that will encounter problems sooner or later. Their market reputation will be damaged and they'll lose customers. We therefore think it's important that the receiving registrar is in control of the transfer process. So the receiving registrar will always have the option of suggesting to the registrant that they fall back on the insecure transfer procedure, or use another method, and pinning the blame on the releasing operator."

Internet Draft

Verschuren has already transferred the domain sidnlabs.nl to demonstrate that secure transfers are possible and what's involved. "For the transfer, I simulated only the secure administrative channel. Any existing registrar can do the same thing. However, few important domains are currently being transferred, so all transfers are insecure, or result in validation errors."

"With .nl domains, it's currently normal for DNSSEC security to be suspended prior to transfer," Assink adds. "For the moment, that's acceptable; it's better than a period of bogus status (DNSSEC error status). That won't be the case for long, however. An insecure transfer won't be an option; all transferred domains will have to remain secure. However, with some TLD operators (including the operator of Sweden's .se domain), transfers using the IETF method aren't even possible. In those cases, the advice is actually to suspend security."

With regard to the IETF method itself, Verschuren points out that the current Internet Draft has now expired and is awaiting republication. "It currently has 'individual submission' status. In other words, formal approval hasn't yet been requested from the IETF DNSOP Working Group, so it isn't yet clear whether the document will be supported by the group. That's going to happen soon, though. The intention is to request 'Informational' status, implying that the document won't become a protocol standard. It'll simply be a description of how you should go about a secure transfer. A new internet protocol isn't required for that. Everything is already in place, it's just a question of the sequence in which things should be done."

Active role

"Following the Lunch & Learn meeting where the transfer issue was discussed at length, there were no new developments within the registrar community or the Technical Committee," Assink points out. "After an internal evaluation, we've revised our processes here at Oxilion, so that we're compatible with the IETF method for both the .nl domain and other TLDs. The transfer of secure domains will also be on the Technical Committee agenda."

Assink also expects the Dutch operator to play an active role. "Internationally, a lot of eyes are on SIDN where DNSSEC is concerned. SIDN has to take advantage of that, by seeking interaction with the registrars and DNS operators in the field, and by sharing the feedback obtained with other registries. It would also be really good if they could organise and facilitate training and workshops for registrars and operators."

Assink's wishes in that regard look like being fulfilled: at the annual Contact Day on Thursday 29 November in Utrecht, Verschuren will be making a presentation on the transfer of DNSSEC-enabled domains.