SIDN Incentives


SIDN, the registry for .nl domains, offers various incentives. These incentives reward those applying certain standards and best practices to their domain portfolio, such as DNSSEC, IPv6, StartTLS/DANE, DMARC/DKIM/SPF, and active usage. By participating in these incentives, you can improve the security, performance, and reliability of your domain names, as well as increase customer satisfaction and loyalty.

In this knowledge base article, we will explain what each incentive is, how it works, and how you can activate or add it to your domain names. You can also find more detailed information by following the links provided for each incentive.


DNSSEC

DNSSEC is a security extension for the Domain Name System (DNS) that protects your domain names from spoofing and hijacking attacks. DNSSEC ensures that the DNS responses that your customers receive are authentic and have not been tampered with by malicious actors. DNSSEC also enables other security features, such as DANE and CAA, that can enhance the trustworthiness of your domain names.

To qualify for the DNSSEC incentive, you need to apply DNSSEC to at least 10% of your portfolio, which is also mandatory for the other incentives. You can do this by signing your domain names with cryptographic keys and publishing the signatures and public keys in the DNS. You also need to register the corresponding DS records with us via API or our portal. SIDN will verify the correctness and validity of your DNSSEC signatures on a regular basis. One easy way to enable DNSSEC is by using our Premium DNS offering.

For more information on how to implement DNSSEC, please visit this page.


IPv6

IPv6 is the latest version of the Internet Protocol (IP) that assigns unique addresses to devices and networks on the Internet. IPv6 offers several advantages over IPv4, such as a larger address space, improved routing efficiency, enhanced security, and better support for mobile devices. IPv6 is also essential for the future growth and innovation of the internet, as IPv4 addresses are running out.

To qualify for the IPv6 incentive, you need to comply with DNSSEC requirements as described above, and you need to ensure that your domain names are reachable via IPv6. This means that you need to have IPv6 connectivity for your web servers, mail servers, name servers, and any other services that you offer under your domain names. You also need to publish AAAA records in the DNS for your domain names and subdomains.

For more information on how to enable IPv6 for your domain names, please visit this page.


StartTLS/DANE

StartTLS is a protocol extension that allows email servers to upgrade an unencrypted connection to an encrypted one using Transport Layer Security (TLS). This protects email messages from eavesdropping and interception during transit. However, StartTLS is vulnerable to downgrade attacks, where an attacker can prevent the encryption from happening or use a fake certificate to impersonate the email server.

DANE is a security mechanism that uses DNSSEC to publish and verify TLS certificates for email servers. DANE prevents downgrade attacks and certificate spoofing by allowing email servers to specify which certificates or certificate authorities are authorized for their domains. DANE also enables email servers to use self-signed or alternative certificates, reducing their dependency on traditional certificate authorities.

To qualify for the StartTLS/DANE incentive, you need to comply with DNSSEC requirements as described above, and you need to support StartTLS and DANE for your email servers. This means that you need to configure your email servers to offer and accept StartTLS connections with valid TLS certificates. You also need to publish TLSA records in the DNS for your email servers using DNSSEC.

For more information on how to set up StartTLS and DANE for your email servers, please visit this page. If you want to verify TLSA records, you can do so here.
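The TLSA matching step described above, as an added example (not SIDN's or this knowledge base's own code). It compares one certificate against one record and shows which records survive a certificate renewal; the byte strings are constructed stand-ins for DER data, all function names are hypothetical, and chain handling for usages 0 and 2 is left out.

```python
import hashlib

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex' (RFC 6698); raise ValueError if malformed."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown usage, selector or matching type")
    data = bytes.fromhex("".join(parts[3:]))
    if mtype in DIGESTS and len(data) != DIGESTS[mtype]().digest_size:
        raise ValueError("data length does not fit the matching type")
    return usage, selector, mtype, data


def selected_bytes(selector, mtype, cert_der, spki_der):
    """Bytes a record with this selector and matching type must contain."""
    blob = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = public key
    return blob if mtype == 0 else DIGESTS[mtype](blob).digest()


def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    data = selected_bytes(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(rdata, cert_der, spki_der):
    """True when the published record matches what the mail server presents."""
    _usage, selector, mtype, data = parse_tlsa(rdata)
    return data == selected_bytes(selector, mtype, cert_der, spki_der)


# Constructed stand-ins for DER bytes; real input comes from the server's certificate.
OLD_CERT, RENEWED_CERT = b"constructed-cert-2023", b"constructed-cert-2024"
SAME_KEY, NEW_KEY = b"constructed-spki-A", b"constructed-spki-B"


def rollover_report():
    """Which records still validate after a renewal that keeps or replaces the key."""
    pinned_key = make_tlsa(3, 1, 1, OLD_CERT, SAME_KEY)
    pinned_cert = make_tlsa(3, 0, 1, OLD_CERT, SAME_KEY)
    return {
        "3 1 1, same key": tlsa_matches(pinned_key, RENEWED_CERT, SAME_KEY),
        "3 1 1, new key": tlsa_matches(pinned_key, RENEWED_CERT, NEW_KEY),
        "3 0 1, same key": tlsa_matches(pinned_cert, RENEWED_CERT, SAME_KEY),
    }
```

A record that stops matching after a renewal makes DANE-validating senders defer mail, so the new TLSA record has to be published before the new certificate or key goes live.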


DMARC/DKIM/SPF

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy framework that helps email senders and receivers verify the authenticity and integrity of email messages. DMARC prevents email spoofing and phishing by allowing email senders to specify how their messages should be authenticated and what actions should be taken if they fail authentication.

DKIM (DomainKeys Identified Mail) is a cryptographic technique that allows email senders to sign their messages with a private key and publish the corresponding public key in the DNS using DNSSEC. DKIM proves that an email message has not been altered in transit and that it originates from a legitimate domain.

SPF (Sender Policy Framework) is a validation system that allows email senders to declare which IP addresses are authorized to send email on behalf of their domains. SPF prevents email spoofing and spam by allowing email receivers to check the IP address of the incoming message against the SPF record published in the DNS.

To qualify for the DMARC/DKIM/SPF incentive, you need to comply with DNSSEC requirements as described above, and you need to implement DMARC, DKIM, and SPF for your domain names. This means that you need to generate and manage cryptographic keys for DKIM, publish TXT records in the DNS for DMARC and SPF using DNSSEC, and monitor and analyze the authentication reports from DMARC.

For more information on how to deploy DMARC, DKIM, and SPF for your domain names, please visit this page.
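A record check for the three mechanisms above, as an added example (not SIDN's code and not SIDN's qualification test). It lints TXT records that have already been fetched; the zone contents, the selector `sel1`, the DKIM key value and all function names are constructed or hypothetical.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into ordered (key, value) pairs."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    return [(k.strip().lower(), v.strip()) for k, _, v in parts]

def check_spf(txts):
    spf = [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # zero means no policy, several make receivers return an error
        return [f"SPF: expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        return ["SPF: no 'all' or redirect=, unlisted senders get a neutral result"]
    # A bare 'all' carries the default '+' qualifier, so it passes every sender.
    return [f"SPF: '{alls[0]}' does not fail unlisted senders"] if alls and alls[0][0] in "+a?" else []

def check_dmarc(record):
    tags = parse_tags(record)
    if not tags or tags[0] != ("v", "DMARC1"):
        return ["DMARC: record must start with v=DMARC1"]
    tags, found = dict(tags), []
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        found.append("DMARC: missing or invalid p= policy")
    if "rua" not in tags:
        found.append("DMARC: no rua= address, so no aggregate reports arrive")
    return found

def check_dkim(record):
    tags = dict(parse_tags(record))
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return ["DKIM: bad version tag or no p= public key"]
    return [] if tags["p"] else ["DKIM: empty p= means the key is revoked"]

def audit(zone, domain, selector):
    """zone maps owner name -> list of TXT strings; returns a list of findings."""
    findings = check_spf(zone.get(domain, []))
    for name, check in ((f"_dmarc.{domain}", check_dmarc),
                        (f"{selector}._domainkey.{domain}", check_dkim)):
        txts = zone.get(name, [])
        findings += check(txts[0]) if len(txts) == 1 else [
            f"{name}: expected one TXT record, found {len(txts)}"]
    return findings

# Constructed sample zones; the DKIM key is a placeholder, not a real public key.
GOOD = {"example.nl": ["v=spf1 mx ip6:2001:db8::25 -all", "constructed-verification=123"],
        "_dmarc.example.nl": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.nl"],
        "sel1._domainkey.example.nl": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="]}
BAD = {"example.nl": ["v=spf1 mx", "v=spf1 a ~all"],
       "_dmarc.example.nl": ["p=none; v=DMARC1"],
       "sel1._domainkey.example.nl": ["v=DKIM1; p="]}
```

`audit(BAD, "example.nl", "sel1")` returns one finding per mechanism: duplicate SPF records, a DMARC record whose version tag is not first, and a revoked DKIM key.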


Active usage

Active usage is a measure of how well your domain names are being used for their intended purposes. Active usage indicates that your domain names are providing value to your customers and generating traffic and revenue for your business. Active usage also helps to prevent domain name abuse and cybersquatting, which can harm the reputation and trust of the .nl domain.

To qualify for the active usage incentive, you need to have DNSSEC applied to at least 10% of your portfolio, and you need to ensure that your domain names are actively used. Active usage includes the following categories:

  • Business: domain names that are used for professional or commercial activities, such as company websites, online portfolios, or blogs.
  • Content: domain names that are used for providing information or entertainment to visitors, such as news websites, magazines, or podcasts.
  • Forum: domain names that are used for facilitating online discussions or communities, such as social networks, forums, or chat rooms.
  • E-commerce: domain names that are used for selling products or services online, such as online shops, marketplaces, or booking platforms.

SIDN will check each month what percentage of your portfolio falls into one of these categories based on various criteria and indicators. Domain names that are only used for email are not currently counted for this incentive, but SIDN is working on a method to include them in the future.


If you are interested in these incentives and would like more information, you can contact our support department to find out how to apply for them and how we can help you.
