Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

SIDN switches .nl zone from DNSSEC algorithm 8 to algorithm 13

ECDSA makes DNSSEC security faster and more efficient

Padlock with keyhole in digital environment
  • Thursday 29 June 2023

This year, the .nl zone will be migrated ('rolled over') to a new algorithm for DNSSEC, the cryptographic security extension to the Domain Name System (DNS). The .nl zone will then be aligned with all the latest recommendations in this field. The rollover should have no discernible effect for registrants or end users. The new algorithm has been supported by all modern DNS servers and resolvers for some years now.

Cryptographic security

DNSSEC is a cryptographic security extension to the DNS. It involves the use of digital signatures to assure the authenticity of DNS responses.

A domain name registrant or an operator first has to sign the information (RRsets) in their zone file. Then, if asked to do so, the DNS server can attach a digital signature (in the form of an RRSIG record) to any response it sends to a query.

On receipt of a signed response, the end user (or caching resolver) can use the signature to check the authenticity of the response. That 'validation' process relies on a chain of public keys and digital signatures, which leads all the way back to the root zone: the so-called 'chain of trust'.

Recommendations

Various algorithms are available for generating the digital signatures. The international standards organisation IANA maintains a list of the algorithms in question. Over time, some established algorithms become 'deprecated' (i.e. regarded as obsolete, on account of being outdated or insecure) and new algorithms are added.

RFC 8624 now recommends using algorithm 13 (ECDSA Curve P-256 with SHA-256). For a long time, algorithm 8 (RSA/SHA-256) was the standard, but it is now slowly being phased out in favour of the ECDSA-based algorithms.

Timetable

In line with that recommendation, we intend to migrate the .nl zone from algorithm 8 to algorithm 13 in the coming weeks. The algorithm rollover will be timed so as not to interfere with the regular rollovers of ZSK pairs. The number of RRSIG records will double during the first rollover, because there is a transitional period when 2 signatures are needed for every RRset (one for each ZSK set). If another rollover were to take place on top of the algorithm rollover, that would imply at least one more set of RRSIG records, making the exercise too memory-intensive. We are currently preparing for the algorithm rollover, and have defined and published a timetable. Regular updates will be published on the same page.

As the graph below shows, algorithm 13 is now supported by almost all validating resolvers. It is highly likely, therefore, that the switch can be performed without any perceptible effect for either domain name registrants or end users. We hope and believe that the change will largely be a techno-administrative task that we perform without troubling anyone else.

Faster and more efficient

Although algorithm 8 is definitely secure at the present time, there are persuasive reasons for switching to DNSSEC algorithm 13. Algorithms 13 and 14 use ECDSA-based public-key cryptography. That has significant advantages over RSA-based cryptography (as used in algorithm 8 and certain other algorithms). With ECDSA, a similar assurance level can be obtained with much shorter keys and signatures than with RSA, and the signatures can be generated much more quickly. Only when it comes to validating the signatures is RSA (much) faster than ECDSA.

We recently published a detailed article exploring this topic. Information is also available from our DNSSEC FAQ utility.

Why not switch like us?

Switching to a more modern DNSSEC algorithm has advantages for domain name registrants and authoritative name server operators as well. RFC 8624's advice about switching from algorithm 8 (or another older algorithm) to algorithm 13 applies to DNSSEC users at all levels of the DNS. If you're a registrant or an operator, we would therefore encourage you to check which algorithm you're currently using to sign your zone(s), and, if necessary, to roll over to algorithm 13.

As the graph below shows, 58 per cent of DNSSEC-enabled .nl domain names are now using algorithm 13. The other 42 per cent are still using algorithm 8, meaning that they will have to migrate to algorithm 13 before long.

Graph with the algorithms used in the .nl zone
https://images.ctfassets.net/yj8364fopk6s/3jjC06jOaUqMRVuMoWajsL/6b28b39de853f20e0eb9fe46f4170ad8/stats.sidnlabs.nl-DNSSECalgoritmes-20230515_EN.png