SIDN introduces incentive to encourage use of security.txt
Adoption of security.txt by registrars
From the first half of next year, we expect to start incentivising the use of security.txt through the Registrar Scorecard (RSC). In practical terms, that will involve paying a rebate on domain names whose websites have valid, usable security.txt files.
By adding this incentive to the RSC, SIDN is seeking to support the efforts of the Registrars' Association (RA) to promote the adoption of security.txt. The RA is currently talking to Webpros and DirectAdmin about the addition of native support for security.txt in the most widely used hosting control panels. A WordPress plugin is also being developed for end users, and the RA plans to share best practice information with its members.
Security.txt was standardised as RFC 9116 nearly 2 years ago. The protocol involves the publication of a relatively simple text file stating an organisation's coordinated vulnerability disclosure (CVD) policy and contact details. One of security.txt's most vocal proponents is the Digital Trust Center (DTC). The DTC often has considerable difficulty ascertaining how to flag up vulnerabilities and compromised systems, and therefore makes grateful use of security.txt data wherever it is available.
"In the second half of this year, we plan to begin implementing the incentive and promoting security.txt," says SIDN's Relationship Manager Alfredo Garcia Frias. "The infrastructure for the new incentive scheme already exists: Labs has the ability to check every .nl domain to see whether it has a security.txt file and, if so, what it contains. Nevertheless, extension of the RSC application does involve a lot of work. We're currently also working out the details of the incentive scheme itself: exactly what we should be rewarding, and what the rebate should be."
"In addition, a short e-learning module has already been made available via the SIDN Academy. It explains how to publish a fully protocol-compliant security.txt file in 4 steps. At present, the modules are accessible only to .nl registrars, but we're looking into making them more widely available via the Internet.nl test portal as well."
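The Labs checker mentioned above is not reproduced in this article. As an added illustration (not SIDN's, the RA's or the DTC's code), the Python validator below applies the checks that RFC 9116 implies for a "valid, usable" file: at least one Contact given as a mailto:, tel: or https: URI, exactly one Expires in RFC 3339 form that has not passed and is not more than a year away, and a Canonical field when the file carries an OpenPGP cleartext signature. The sample file is constructed; the domain and addresses in it are placeholders.

```python
import re
from datetime import datetime, timedelta, timezone
CONTACT_RE = re.compile(r"^(mailto:|tel:|https://)", re.IGNORECASE)
SAMPLE = ("# constructed sample, not any real organisation's file\n"
          "Contact: mailto:security@example.nl\nExpires: 2030-01-01T00:00:00Z\n"
          "Canonical: https://example.nl/.well-known/security.txt\n")
def parse_security_txt(text):
    """Return ((name, value) pairs with lower-cased names, signed) per RFC 9116 syntax."""
    fields, signed, in_armor_header = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----" or in_armor_header:
            in_armor_header = line != ""  # armor header ('Hash:' lines) ends at a blank line
            signed = True
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break  # the signature block that follows carries no fields
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields, signed
def validate_security_txt(text, now=None):
    """Return the list of problems found (empty = passes); now: datetime or ISO 8601 string."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields, signed = parse_security_txt(text)
    by_name = {}
    for name, value in fields: by_name.setdefault(name, []).append(value)
    problems = []
    contacts = by_name.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    problems += [f"Contact is not a mailto:/tel:/https: URI: {c}"
                 for c in contacts if not CONTACT_RE.match(c)]
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:  # RFC 3339 date-time with zone; a naive value fails the tz-aware comparison
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append("file has expired")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year away")
        except (ValueError, TypeError):
            problems.append("Expires is not an RFC 3339 date-time with time zone")
    if signed and "canonical" not in by_name:
        problems.append("signed file should include a Canonical field")
    return problems
```

Run against the fetched body of https://<domain>/.well-known/security.txt; a non-empty list is what a scorecard check would report back to the registrar.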
SIDN is promoting security.txt in partnership with the RA, the driving force behind the various initiatives. At the moment, only 2.2 per cent of all .nl web domains have valid security.txt files. "So far, it's only the very early adopters," says Daniël Federer, who is leading the security.txt project at the RA. "We know from our experience with other open standards that a critical mass is needed to impart momentum to the adoption process. SIDN's incentive scheme is intended to give adoption a temporary boost so as to create that mass and get things moving."
Last year, the RA applied to SIDN Fund for a grant to finance 3 subprojects linked to security.txt:
Native support for security.txt in popular hosting control panels, such as DirectAdmin, cPanel and Plesk, so that hosters can start working with the standard. The preference is for support to be realised within the panel software itself, so that it can then be maintained by the vendors, rather than in the form of an external plugin, which would require third-party maintenance. The RA is now talking to the various vendors about the implementation of security.txt in their software.
A plugin for WordPress, the most widely used open-source content management system (CMS). A plugin will be useful both for WordPress end users and digital agencies. And, hopefully, the plugin can ultimately be incorporated into the core of the software. The intention is that the functionality of the plugin should be aligned with the security.txt test already incorporated into Internet.nl following the addition of security.txt to the Forum for Standardisation's 'use-or-explain' list. Unlike the 2 existing WordPress plugins, the plugin envisaged by the RA will do more than simply translate a series of input fields into a security.txt file for publication. The contents of the file will also be digitally signed, and the user will be notified when the file's validity period ends.
Development of best practice guidance on the use of security.txt. This subproject is being carried out by the DTC, with the aim of providing registrars with practical advice on implementing security.txt across their portfolios, possibly in combination with the control panels.
Last October, SIDN Fund awarded the RA a grant to support the work. "We involved all the relevant stakeholders in this initiative," continues Federer. "SIDN for the incentive, the DTC and NCSC as key governmental users, Internet.nl for awareness, and the RA itself on behalf of the registrars. Everyone liked the idea and gave it their backing."
"It's mainly within the registrar community that security.txt is valuable, even though the functionality is more of a hosting thing than a DNS thing." Federer also makes the point that the standard has immediate, practical added value. "In that respect, security.txt differs from DNSSEC, for example. At the time, the Kaminsky attack concept that led to the development of DNSSEC was essentially a theoretical threat. In fact, even now, serious DNS attacks are less common than, say, brute force attacks."
Security.txt provides a simple solution to a common problem. "Quite apart from actual attacks, a common cause of website security issues is failure to keep them updated and configured properly. Shortcomings of that kind can have serious consequences, especially for commercial sites where products are sold, financial transactions are carried out and personal data is processed. However, when vulnerabilities are detected, it's often very difficult to alert the right people. So security.txt isn't addressing some theoretical problem, but serving an important, visible purpose."
Part of the Dutch government's economy ministry, the DTC is one of the organisations leading the way on security.txt. The DTC uses the published contact information for the notification service that it operates to proactively alert organisations of all sizes to serious system vulnerabilities and tangible threats. Notifications are sent regarding issues such as vulnerabilities in Zimbra Collaboration environments, outdated Windows (Exchange) systems and security problems involving the SMB protocol.
"As part of the service, we call or mail companies, warn them about specific cybersecurity threats, and where possible advise them on countermeasures, such as patching software or changing system configurations," project leader Kim van der Veen previously told us.
"The input for disclosures is provided to us by organisations such as the NCSC, which obtain information about targets and victims," Van der Veen added. "In most cases, we start with nothing more than an IP address. We then use reverse DNS lookup and other enrichment techniques to try to establish what the associated domain name is. Once we've got a domain name, we can go to the website in search of a disclosure channel. If we're lucky, the site provides a general contact number or e-mail address for the organisation. After that, it's just a question of hoping that our warning reaches the right person and gets followed up."
Last year, the number of alerts issued by the DTC was 4 times the 4,600 sent only a year earlier. Between the start of 2021 and the end of 2023, the DTC's scheme processed 157,000 reports, most supplied to it in the form of IP address lists. However, the approach does mean a lot of manual investigation in situations where rapid action is needed. The information in the security.txt file should therefore be a real boon to the DTC. Following formalisation of the protocol as RFC 9116, the DTC began a campaign to promote the use of security.txt. The campaign involves explaining the basic steps an organisation should take, and making a dedicated information page available to IT service providers, detailing the information fields in the security.txt file.
"For us, the security.txt file has major benefits, but we didn't want to start plugging it until the formal RFC appeared," said Van der Veen. "However, we did work with the NCSC to provide input and feedback during development of the RFC. We pushed for the addition of the standard to the Internet.nl test portal, and we suggested adding it to the Forum for Standardisation's 'use-or-explain' list -- an idea that has since been taken up."
Although the use of security.txt has been increasing rapidly over the last 2 years, the absolute number of .nl web domains that support the standard is still a small proportion of the total. The DTC's main goal is therefore driving further adoption. "The presence of a security.txt file is a huge help to us in our efforts to contact the right person or department when an issue is detected," continued Van der Veen. "Adoption is growing, but much more slowly than we'd like. I should add that we're not the only ones whose work is facilitated by security.txt. It's very useful for security investigators, universities and ethical hackers as well. And, of course, the real beneficiaries are the organisations who get to hear about threats to and vulnerabilities in their systems."
"Lists of vulnerabilities and the associated IP addresses are sent to us on a daily basis. Any reports concerning serious threats to large organisations are handled manually. Where the reports relate to generic vulnerabilities affecting large numbers of domains, the only option is automated processing. We use existing tooling and services to identify who IP addresses belong to. Some of the search engines, such as Shodan, now take security.txt data into account."
"Often, we have no choice but to send our alerts to the network owners," clarified Van der Veen. "The hope is that they then pass the message on to their customers, but that certainly isn't always what happens. Even when we are able to get an alert to the right organisation, it's hard to make sure that it goes straight to the IT department or an executive, and doesn't simply land in the general service desk inbox."
Sometimes, of course, service providers don't pass on notifications to their customers, because they're worried about the reputational implications of drawing attention to security issues. However, a notification mechanism can also be presented as an extra service. "Our aim is to boost the digital resilience of the Netherlands. Ideally, we'd like to see hosting service providers implementing security.txt for their customers, and identifying themselves as the contact point for alerts. Then, for example, they could set up a redirect for all hosting service users. CMS vendors and hosting firms can configure a default that redirects to, say, a HackerOne page, which security investigators and ethical hackers could refer to for bug bounty and CVD information."
Van der Veen emphasised that most recipients are very positive about the alerts. "Every notification we send has a feedback link at the end because we like to know whether the recipient found it useful, and whether they acted on it. And the feedback we get is usually positive."
In the US and Germany, adoption of security.txt is already quite a lot higher than here in the Netherlands, but Van der Veen is expecting the Dutch to catch up. "Now that security.txt is on the 'use-or-explain' list, service providers with government clients will have to support the standard."