Frequently Asked Questions

Domain registration

Domain configuration

Contact registration

Modifications

Nameservers

Cancellations

Miscellaneous


Can a foreigner register a .IS domain?

Yes, you can register a ".is" domain!

For further information see Domain Registration in ISNIC's rules.


How do I register a .IS domain?

If you have your own nameservers, you must have configured the domain and the nameservers must be registered with ISNIC. If you do not have any nameservers yet, you can park your domain with ISNIC until you have decided on where to host your domain.

See "Domain->Requirements" and "Nameserver->Requirements".

You must also have available the NIC-handles of the domain's contacts, and you yourself must be logged in via "Contacts->Login".

If contact handles are unavailable, you must first register the contacts (and/or yourself) via "Contacts->Register" on the left.

Once logged in, proceed to the registration page ("Domains->Register") and follow the instructions. Your application will be queued, pending payment of registration fees.

Note that you have 24 hours to remit the fee, after which the application expires and must be resubmitted if payment is made. Payment can be made online using the login information of the Administrative contact or Billing contact of the domain.


How do I check if the domain I want is available?

All ".is" domain's are registered in the ISNIC domain registry and their registration information is available via the ISNIC web. However, the registration WHOIS lookup is rate-limited and does not include pending domains.

If you want to do this in a program use EPP check:domain or RDAP domain availability check. These lookups are rate-limited at 7200 queries per 30 min.


What is the role of the domain's administrative contact?

Usually, a domain's adminstrative contact is simply the registrant. If the registrant wants someone else to have full change-control over the domain, a third party can be appointed administrative contact.

Please note that the admin contact has full, web-based control of the domain, including the ability to transfer the domain to a new registrant. It is the registrants responsibility to ensure that proper contracts exist between a third-party administrative contact and the registrant.


Why are there multiple contacts?

Domains can have up to four different contacts (NIC-Handles) in addition to the registrant. Each contact serves a different role and holds different change-authority over the domain. The contacts and the registrant use their NIC-Handles to log into the ISNIC web to modify their own, and their domain's registration.

A contact can also have a representative that manages the registration on their behalf.

Note that each contact can change their own registration information, but only the domain's registrant and administrative contact can change the domain's contacts.

  1. The Registrant (R) has full change-control over the domain, if the registrant contact has been activated (see How do I activate a contact object's NIC-handle?). The registrant can change all aspects of the domain's registration, including transferring the domain to a new registrant and deleting the domain.
  2. The Administrative Contact (AC) has full change-control over the domain and exercises this control on behalf of the registrant. The AC can change all aspects of the domain's registration, including requesting the transfer of the domain to a new registrant or deletion of the domain. Transfers and deletes require registrant approval if the registrant is an active contact. If the registrant decides to delegate all management of the domain to a third-party, that party should then be registered as the domain's administrative contact (see What is the role of the domain's administrative contact?). The AC can withdraw their services and the registrant will then automatically become the AC.
  3. The Technical Contact (TC) handles the technical aspects of domain management, it's DNS hosting, web hosting etc. The TC is most often with the domain's network provider. The registrant or the administrative contact can substitute the TC for a new one. The TC can withdraw their services and the AC will then automatically become the technical contact.
  4. The Billing Contact (BC) is the recipient of the domain's billing information. The domain's invoices are addressed to the BC. Most often the BC is the registrant himself. The domain's R and AC must make sure that the appropriate party is registered as the domain's BC at all times. Only the R and AC can substitute the BC for a new one. The BC can withdraw his services and the registrant will then automatically become the billing contact. Bills are never re-issued to the new BC. Upon request, a receipt will be issued to the new BC after the domain's fees have been paid.
  5. The Zone contact (ZC) is the technical contact for the domain's nameservers. The ZC owns the domain's primary nameserver and is responsible for the domain's compliance with the .is technical delegation requirements. The ZC must be willing and able to configure the nameservers according to these requirements. The ZC is automatically updated when the domain is redelegated to a new set of nameservers.
  6. Representative (U) for the registrant is a contact that manages the contact registration for the contact.

The same party can perform all these functions, i.e. the same NIC handle can be registered as the domain's R, AC, TC, BC, and even ZC. However, if they are not the same, the set of available operations depends on who is logged in to the ISNIC portal according to the following table:

Operations on domains
Registrant Administrative Contact Technical Contact Billing Contact Zone contact Representative
Modify registrant info YesYesNoNoNoYes
Registrant transfer YesYes (d)No (d)No (d)NoYes
Substitute contacts YesYesNo (a)No (b)NoNo
Renew registration (BC is not DNSP) YesYesYesYesNoNo
Renew registration (BC is DNSP) NoNoNoYesNo (e)No
Redelegate domain
  - Modify DS records
YesYesYesNoNo (c)No
Delete domain YesYes (d)No (d)No (d)NoNo
Autorenewal (on/off) (BC is not DNSP) YesYesNoYesNoNo
Autorenewal (on/off) (BC is DNSP) NoNoNoYesNo (e)No
Resign as contact NoYes (b)Yes (a)Yes (b)No-

a) AC and BC can withdraw their services (resign) R automatically substituted.
b) TC can withdraw their services (resign) AC automatically substituted.
c) ZC of domains hosted with a registered DNS hosting provider can redelegate and manage DS records.
d) TC and BC can request registrant transfers and deletions, R or TC must approve. AC can do registrant transfers and deletions if R is not an active contact.
e) All DNSP contacts can also renew the domain.

Operations on contacts
Representative
Lookup infoYes
Update infoYes
Transfer to new representativeNo
Delete contactNo

What about cost?

The annual renewal fee is €31.90. The first year's fee (the registration fee) must be prepaid before registration can proceed. See the domain charges page.

ISNIC does not provide website nor email hosting service. DNS hosting is often provided by website and email hosting providers. All your services can be hosted at different providers.

ISNIC DNS Hosting is for those that only need basic DNS setup for their domain or need forwarding service.


How do I renew a domain?

Step 1

Login to your account.

Step 2

Go to My page and click on the shopping cart icon under the column Renew for the domain you want to pay for.

Step 3

Choose a billing method and click on Purchase. Enter your card information on the billing site and renew your domain.


What is Automatic Renewal

The registrant, admin- and billing contacts can register domains for automatic payments on the subscriptions page.

When domains are registered for automatic renewal, card will be charged for the annual renewal fee 45 days prior to the expiry date.

Registering your domain to self renewal can be done at checkout, by selecting "Use payment card", "store card" and "Automatic renewal using the selected payment method", next click "Purchase".

Registering your domain to self renewal can also be done at "My page". There you can click on this button for the domain you want to register for self renewal.

It is important to keep information in WHOIS correct for domains which are automatically renewed. Contact e-mail addresses are particularly important to keep current as receipts for those domains are only sent in e-mail.


What happens to domains that are unpaid on their expiration date?

If a domain remains unpaid on it's expiration date, ISNIC informs the domain's billing contact (and the domain's administrative contact) that the domain is about to be deactivated (put on hold). At 13:00 UTC the day after the expiration date, the domain is deactivated and removed from the ".is" zone.

The domain now enters a 30 day grace-period where the domain remains registered but inactive. During this period the registrant can reactivate the domain by paying the renewal fee. No further communications/warnings are issued by ISNIC during this period. If the domain fee has still not been paid after 30 days, the domain is deleted at 13:00 on the following day and made available for re-registration.


When are domains released for reregistration?

ISNIC can not provide definite information on when (exact date) a expired domain will be released for registration again. A ".is" domain that is not renewed by it's expiration date is put on hold (closed) at 13:00 UTC the day after its expiration date.

A domain on hold is not available for registration. The registrant now has 30 days to remit the registration fee, and if the registration fee is recieved by ISNIC the domain is reactivated. Please note that the registrant can explicitly delete the domain any time during these 30 days, making the domain available for registration immediately.

If the domain registration fee remains unpaid after 30 days, ISNIC deletes the domain at 13:00 UTC the following day, making it available for reregistration.


How do I modify my own or my domains registration?

Modifications are web-based. You must begin by logging in to the ISNIC web using your NIC-handle and password and select "My page". You will then get a list of domains and nameservers for which you are registered and over which you have change-control. Select the domain/nameserver you wish to modify and follow the instructions. Use "My Settings" for your NIC-handle. In cases where the NIC-handle is also a Registrant, changes will also be visible in the Whois form in relation to the Registrant of those domains.


How do I change the name of a contact object?

Names of contact objects can not generally be changed. You must register a new contact using the new name, obtain a new NIC-handle and use that to do a "Registrant Transfer" (if the registrant has changed names) or "Change contacts" on the relevant domains (selected on "My page").

Contact names of objects registered using Icelandic National Identity Numbers ("Kennitala") are automatically updated if a change is made in the National Registry (both for individuals and for corporations).


How do I resign as domain contact?

Contacts (billing, tech and admin) can resign from their associated domain. When they resign tech will become admin and billing and admin vill become registrant.

You must begin by logging in to the ISNIC web using your NIC-handle and password and select "My page". Then select ("Resign as contact") from domain drop down list. Select domains that you want to resign from and click "Submit".


Can I withhold publication of my registration data from the ISNIC whois database?

By default, most of the personal information on individuals (registrants and contacts) is withheld from publication. Note that the country is always published. You can decide to explicitly publish the rest of your information by going to "My settings" and toggle "Publish in WHOIS" to "Yes". Please remember that this only applies to individuals.
Note the circumstance's in Release of hidden Registration Data from ISNIC's Whois


Can I delete a contact from the ISNIC whois database?

Contacts are automatically removed if not used. But a contact can be removed if it is not used by a domain or a host. After the contact has been marked expired it will eventually be deleted. After a contact has been marked expired it will immediately be removed from ISNIC's public whois database. But if the contact logs in before it is deleted the contact will be reactivated. See the button Delete contact on "My Settings".


How do I change my domains zone contact?

The domains zone contact is the first (master) nameserver's technical contact. It is automatically modified, when the domain is redelegated to a new set of nameservers. The zone contact can thus only be changed by changing the technical contact of the domains current nameserver as registered with ISNIC, or by redelegating the domain to a different set of nameservers.


How do I change nameservers on a domain? (Point to another hosting provider)

A domain’s registrant, admin-, and technical contacts can point domains to a host by changing the domain’s nameservers.

Step 1

Login to the appropriate NIC-handle on isnic.is.

Step 2

Go to My page. Click on the icon under Control Panel and select Redelegate under Nameservers. You’ll see Parking, DNS and Nameservers, choose Nameservers.

Step 3

Type in the nameservers your hosting provider has set your domain up on, or choose the appropriate DNS hosting provider in the drop-down list of registered DNS hosting providers at ISNIC and click on Submit.

Note that you can only move your domain to a new set of nameservers if the domain has already been set up on the new nameservers according the ISNIC's technical requirements. Please contact your prospective DNS provider (the operator of the new nameservers) if you experience problems/errors when trying to redelegate your domain. Please do not contact ISNIC in these cases as we can not modify your domain's configuration with your DNS provider.

A competent DNS service provider will understand these basic requirements and will not have problems setting up your domains, or explaining to you how you can use their systems to host ".is" domains according to these requirements.


How do I change a domain's contacts?

For every domain there are 3 contacts, a long with the registrant and zone contact: Administrative contact, Billing contact and Technical contact. Each contact has a different role and authority, as displayed here. The Registrant and the Administrative contact of a domain can change a domain’s contacts.

Step 1

Login to the registrant's or the admin contact's NIC-handle on isnic.is.

Step 2

Go to My page, click on Domain and select Change contacts from the drop-down list.

Step 3

Select the domain/s you want to change contacts for and type in the NIC-handle/s in appropriate columns, depending on which contacts you want to change. If the new contact does not have a valid NIC-handle at ISNIC, they must first register a contact and obtain a NIC-handle. Click on Submit to save your changes. The contacts will change immediately.


What is DNSSEC?

DNSSEC is an extension to the DNS system which makes it possible to sign DNS records with a key (DNSKEY). Resolvers can verify that the authenticity of the responses. DNSSEC is defined in RFC4033 .


How do I activate DNSSEC for my domain?

First, the records in your domain have to be signed. For this you can use extensions to popular DNS software such as BIND or 3rd party solutions.

Once the records have been signed and the signatures published in the zone, the DS records for the keys have to be submitted to ISNIC for inclusion in the ".is" zone. To do that, you go to "Edit DS records", select the domain from the list and click "Edit DS records".


How do I check if my recursive nameservers are validating my answers?

All nameservers should be set up to validate their answers before giving them to their users. To test if your nameservers (i.e. the ones you are using to navigate the net) are validating try clicking on the following links:


How do I securely modify delegation records for a DNSSEC signed domain?

Special care must be taken when modifying delegation records of a DNSSEC signed domain. DS records that are published in the .is zone point to DNSKEY records in the signed domain, and if they are missing, validating resolvers will fail to resolve names in the domain.

To safely modify the delegation records of a DNSSEC signed domain, please follow these steps (we assume no access to the private key used to sign the zone. If there is access to the private key, it can simply be moved to the new nameservers along with the domain and be used to continue signing the zone):

  1. Transfer all domain records (then zone) from the old nameservers to the new nameserver, including DNSKEY records and sign it with the new key.
  2. Copy the new DNSKEY records to the old nameserver.
  3. Add a DS record with ISNIC correspondig to new KSK.
  4. Wait for at least 24 hours. This ensures all resolvers see the new DNSKEY and DS records.
  5. Re-delegate the domain to the new nameservers.
  6. After 24 hours delete the domain from the old nameservers and remove the old DNSKEY records from the new nameservers. Also remove old DS records from ISNIC.

Note: The "24 hour" recommendation assumes common TTL (time-to-live) settings. If you have configured longer TTLs for your zone, you may need to wait longer.


How do I register my nameservers with ISNIC?

It is important that nameservers are registered with ISNIC by the nameserver operator/owner or their technical representative. The nameserver's technical contact becomes the zone contact for all ".is" domains delegated to the nameserver and therefore must be whoever administers the nameserver. ISNIC contacts the domain's zone contact in case of technical difficulties with the nameservers and this contact must have proper access to the nameserver and be able to fix DNS-technical problems.

To register a nameserver you must have available the nameserver's intended technical contact handle (nic-handle). If that is not available the server administrator must begin by registering a contact object for the nameserver. Once you have obtained and activated the NIC handle assigned you can login to our site and proceed with the nameserver registration by clicking on "Register" under the "Nameservers" heading.


How does ISNIC validate the nameservers?

The only way to test a particular UDP service is to query the service that listening on the particular port. Thus the only way to test if a DNS server is running on UDP port 53 is to make a DNS query. As there is no way of knowing which zones are served by that host, so a query for the root zone NS records is made. A secondary query is also made, in case the root zone fails.

To verify that a nameserver is running, a reply is required. It can be any RCODE as long as some reply is sent. A timeout is not acceptable.

According to RFC1035 the RCODE should be one of those below: (RCODE names are from BCP42/RFC2929 )

SERVFAIL 2  Server failure - The name server was
            unable to process this query due to a
            problem with the name server.

REFUSED  5  Refused - The name server refuses to
            perform the specified operation for
            policy reasons.  For example, a name
            server may not wish to provide the
            information to the particular requester,
            or a name server may not wish to perform
            a particular operation (e.g., zone
            transfer) for particular data.

Or the reply can be NOERROR, with the root zone NS records, but not replying at all is not an option.


Why does ISNIC require minimum TTL values?

It is important to realize that TTL is not an attribute of an entire domain (zone). TTL is an attribute of each record in the zone. ISNIC only requires a minimum TTL on the nameserver records within the domain (NS resource records).

The value of the TTL field in the NS records affects the query-rate on the ".is" nameservers, therefore there is a certain minimum enforced. Please note that this minimum TTL requirement only applies to the NS records.

It is possible to debate as to what precisely the minimum value should be, but experience in recent years suggests that these values should only be lowered from rather high defaults if some changes are planned. According to RFC1912 :

  "Popular documentation like [RFC1033 ] recommended a day for the minimum TTL,
   which is now considered too low except for zones with data that vary regularly.
   Once a DNS stabilizes, values on the order of 3 or more days are recommended.
   It is also recommended that you individually override the TTL on certain RRs
   which are often referenced and don't often change to have very large values
   (1-2 weeks). Good examples of this are the MX, A, and PTR records of your
   mail host(s), the NS records of your zone, and the A records of your nameservers."

and according to RFC1030 :

  "Most host information does not change much over long time periods. A good way
   to set up your TTLs would be to set them at a high value, and then lower the
   value if you know a change will be coming soon. You might set most TTLs to
   anywhere between a day (86400) and a week (604800). Then, if you know some
   data will be changing in the near future, set the TTL for that RR down to a
   lower value (an hour to a day) until the change takes place, and then put it
   back up to its previous value."

A recent study on DNS performance concludes that

  "It is not a good idea to make the TTL values low on NS records, or
   for A records for name servers. Doing so would increase the load on the root
   and [g]TLD servers by about factor of five and significantly harm DNS scalability."

from DNS Performance and the Effectiveness of Caching by Naeyeon Jung, Emil Sit, Hari Balakrishnana and Robert Morris ACM Transactions on Networking, Vol. 10, NO. 5 October 2002.

This applies to all TLD servers, both gTLD- and ccTLD-servers as well as to the root servers.

Also see news article ISNIC published on the matter.


Why did ISNIC require PTR records on nameservers?

Note: As of november 2017 ISNIC does not require PTR records on nameservers.
The delegation requirements for .is domains were decided on by the .is community many years ago. One of the primary goals was that the .is domains would only be delegated to properly set up and properly managed nameservers. Statistically, the owners and operators of such nameservers have had no problem satisfying the PTR record requirement. This requirement makes various DNS abuses harder to achieve using .is domains (such as poisioned glue records, double-flux domains and others). This requirement originates from the same sentiments as a similar requirement on mailservers - which is now more-or-less universal as a method to reduce the risk of various kinds of misuse.

Of course there will be nameservers that are properly managed, but their operators decide not to correctly deploy PTR record sets. And there will be nameservers that are badly managed but with correct PTR records. However, the intent here is to increase the level of trust in the nameservers to which .is domains are delegated. Thus, the .is requirements apply to all and no provision is made for exceptions.

While RFC1912 "Common DNS Errors" is not a standards track document, ISNIC decided long ago to adopt many of it's recommendations as part of ISNIC's delegation requirements for .is domains.

From RFC1912 (Common DNS Errors):

  "Make sure your PTR and A records match.  For every IP address, there
   should be a matching PTR record in the in-addr.arpa domain.  If a
   host is multi-homed, (more than one IP address) make sure that all IP
   addresses have a corresponding PTR record (not just the first one).
   Failure to have matching PTR and A records can cause loss of Internet
   services similar to not being registered in the DNS at all.  Also,
   PTR records must point back to a valid A record, not a alias defined
   by a CNAME."

From RFC2181 (Clarifications to the DNS Specification)

  "10.2. PTR records

   Confusion about canonical names has lead to a belief that a PTR
   record should have exactly one RR in its RRSet.  This is incorrect,
   the relevant section of RFC1034 (section 3.6.2)  indicates that the
   value of a PTR record should be a canonical name.  That is, it should
   not be an alias.  There is no implication in that section that only
   one PTR record is permitted for a name.  No such restriction should
   be inferred."

Why does ISNIC require TCP connectivity to nameservers?

According to RFC5966 :

"....any DNS server needing to send a UDP response
 that would exceed the 512-byte limit is for the server to truncate
 the response so that it fits within that limit and then set the TC
 flag in the response header.  When the client receives such a
 response, it takes the TC flag as an indication that it should retry
 over TCP instead."

And in section 4 of RFC5966 states:

"All general-purpose DNS implementations MUST support both UDP and TCP
 transport.

  o Authoritative server implementations MUST support TCP so that they
    do not limit the size of responses to what fits in a single UDP
    packet."

Accordingly, ISNIC requires nameservers hosting ".is" domains to support queries over TCP.


How do I delete my .IS domain?

To delete (deregister) your ".is" domain, you begin by logging on to the ISNIC web using your NIC-handle on "My page" you click "Domain delete" under drop down list domain. Select the domain(s) you wish to delete and click Submit.

Please note that the domain's registrant (or administative contact) will receive e-mail from ISNIC asking them to confirm this action. If no confirmation is received within three days, the domain will remain registered.

If the domain's renewal fee is not received by ISNIC by the expiration date of the domain, the domain will be disabled, and deleted after a 30 day grace period.


Under what circumstances would ISNIC close or delete a .IS domain?

Closing a ".is" domain based on domain's usage (e.g. content of a website pointed to by the domain, e-mail content sent to or from the domain and so on) can be requested by a formal court order from an icelandic court, or a request from relevant icelandic authorities. ISNIC can also decide to close a domain by referring to article 10, chapter 2 of the ISNIC registration rules.

ISNIC is not responsible for the registrant's usage of his/her domain. It is ISNIC's duty and prime function to maintain uninterrupted service to all ".is"-domains and be sure that the registration information of a domain is correct so that the current registrant for a domain can always be identified.

Other than that, there are three reasons for closing a domain:

  1. non-payment of the domain's fees,
  2. the domain's technical setup is not according to ISNIC's requirements for extended periods,
  3. if ISNIC considers the registration information wrong or incomplete.

Note that it is at ISNIC's sole discretion wether the information provided about the registrant is adequate or not. Once a domain has been closed (put on hold) due to incomplete registrant information, ISNIC reserves the right to ignore any further attempts by the registrant to correct the registration.


What happens to domains that are not compliant with the ISNIC technical requirements?

If the monthly test reveals that a domain does not comply with ISNIC's requirements, the following Misconfigured Domain Parking is initiated:

  1. Warning e-mails are sent weekly to the domain's contacts. First only the zone contact but eventually zone, tech and admin contacts and finally the registrant is added.
  2. If the problem persists for 8 consecutive weeks, the domain is suspended: it is marked inactive in the registry and its DNS records are removed from the ".is" zone file
  3. After the domain has been put on-hold it will be tested daily and activated if found to comply with the requirements.
  4. After another 30 days the domain is moved to the ISNIC parking servers (the DNS server settings for the domain are changed).

If the domain setup is brought into compliance (issues are resolved) before the domain is transferred to the ISNIC parking servers, the domain will be re-listed in the ".is" zone automatically and no further action need be taken.

If the domain setup is brought into compliance (issues are resolved) after the zone has been moved to ISNIC's parking servers, then one of the domain's contacts will need to use this website to redelegate the domain to the correct name servers.


How do I change billing contact on my domain?

You must begin by logging in to the ISNIC web using your NIC-handle and password. Next go to "My page", there select "Change contacts" under drop down list domain. Select domains that you want to change, enter contact NIC-handle to billing field and click "Submit" to submit changes.

Note: How do I change my domain contacts?


How do I activate a contact object's NIC-handle?

When a contact object (registrant, admin, technical or billing contact) is registered with ISNIC an e-mail is sent to the registered e-mail address requesting that the contact (person or other) confirm their willingness to register, and the validity of the e-mail address. This e-mail contains an URL that must be followed to activate the NIC-handle.

Alternatively, the NIC-handle can be activated by setting a password. Visit here and type in your NIC-handle and then select the "Lost password" link.


How do I manage notifications?

Step 1

Login to your account at isnic.is.

Step 2

Go to My settings and select Notifications.

Step 3

Switch the toggle button on or off to enable or disable notifications.


How do I transfer a domain name from one registrant to another?

A domain can be transferred from one registrant to another via the ISNIC web interface.

Step 1

Login to the current registrant’s NIC-handle on isnic.is.

Step 2

Go to My page, click on Domain and select Registrant Transfer from the drop-down list.

Step 3

Select the domain/s you want to transfer and type in the NIC-handle of the new registrant in the column below. The new registrant must have a valid NIC-handle. If they do not, they must register a contact and obtain a NIC-handle for the domain to be transferred to.

Step 4

The current registrant must confirm the change of registrants by following a link in an email sent to the registrant’s email address and clicking on Confirm to confirm the change of registrants. Note that you must be logged in as the current registrant when you follow the link, or login to the registrant's NIC-handle after following the link in the email, for the confirmation button to appear.

If the domain's current registrant does not have a confirmed e-mail address, the domain's administrative contact will receive the confirmation email to confirm the request.


How do I transfer a domain from one registrar to another?

ISNIC does not operate a registry/registrar model. The registrants (or their representatives) interact directly with the .is registry. Each domain has up to four contacts with varying degree of control over the registration. (See Why are there multiple contacts?) The registration management is transferred by changing some or all of these contacts. See also How do I change nameservers on a domain? (Point to another hosting provider).


What does "Registration verified by ISNIC" mean?

If a registrant or contact supplies ISNIC with an Icelandic national identification number ("kennitala") when registering a domain or a contact, ISNIC sets the name according to the national registry. If the contact selects to synchronize their address with the national registry as well, ISNIC will set the address in the WHOIS database to the offical address in the national registry. In this case the Registration Certificate published by ISNIC will contain the sentence "Registration verified by ISNIC" - Example.


Where can I find invoices?

Account statements and invoices are accessible on My page, logged in as the domain's billing contact.

Step 1: Login

You can use Ice Key login (Íslykill) of a company. See instructions on how to login here.

Step 2: Account statement

Go to My page, click on Payments and choose Invoices from the drop-down list.

Choose the time period that you want to get invoices for and click on Submit or Submit sid. to receive the account statement for all NIC-handles registered on the kennitala, if they are more then one.

Step 3: Open invoices

Open the downloaded PDF file and click on the blue-colored SR-numbers in the account statement to open each invoice on PDF.


How do I login?

Lookup your domain on our main page to see the registered contacts. If you have lost your password you can :

  1. Use "lost password" to reset the password through e-mail.
  2. If the e-mail is unavailable, use "lost password" with the SMS option to reset the password via a registered mobile number.
  3. If the contact has a kennitala you can use island.is login.
  4. Otherwise you need to fill out a form.

I turned on two factor authentication but lost the key, how do I login?

For a contact with an icelandic kennitala it is easiest to use island.is login.

Otherwise fill out "Change contact authentication information" form and ISNIC has to verify the contact and for that service ISNIC charges a fee (see prices).
Note: for this to be possible at all, the contact's registration information must be as accurate as possible.


What does a "corresponding non-IDN domain" mean to a IDN domain?

The corresponding non-IDN domain is constructed from the IDN domain according to the following table:

 þ -> th   á -> a    í -> i
 æ -> ae   é -> e    ó -> o
 ö -> o    ý -> y
 ð -> d    ú -> u

Can I become a .IS registrar?

ISNIC does not have any official registrars. The registrants have direct access to the ".is" registry and deal directly with the registry. Anyone can host ".is" domains as long as their nameservers meet ISNIC's technical requirements, and the domains zone as set up on those nameservers meets ISNIC's delegation requirements.

A DNS hosting provider that agrees to host ".is" domains for their customers, needs to register their nameservers with ISNIC, see "How do I register my nameservers with ISNIC?", and make sure they are willing to meet ISNIC's delegation requirements.

A DNS hosting provider can additionally apply for status as a registered ISNIC DNS Service Provider (DNSP/ISP) for ".is" domains. DNSPs have additional control and access. Please see the application forms for the terms and conditions of such registration.

ISNIC offers EPP access to everybody that have shown competency against our development environment.


What is a DNSP or ISP?

A registered DNS service provider (DNSP) is a provider that has registered with ISNIC as such and is willing and able to host ".is" domains according to ISNIC's technical delegation requirements. The DNSP is listed with ISNIC, and has access to the DNSP portal on the ISNIC web.

Note: This status is not needed to register nameservers. See How do I register my nameservers with ISNIC?.

Note: ISNIC registered DNSPs used to be called ISPs. The name was changed to clarify what kind of hosting services they provide (DNS hosting, as opposed to web- or e-mail hosting).


What is a parked domain?

Domains can be parked, i.e. temporarily delegated to a special set of parking nameservers. A registrant may park a domain if e.g. the zone is not ready at the time of registration or the production nameservers have gone offline for a long period of time and the domain is in danger of being deleted.

While a domain is parked it will not receive any e-mail and no websites will be active. If you choose to park a domain you select the option "Parking" from the DNSP's dropdown list. The registrant can park or unpark a domain at any time (via the ISNIC web -- see How do I change nameservers on a domain? (Point to another hosting provider)).

Domain parking is a free service.


How do I create e-mail for my domain?

If you need e-mail services for your domain, you must contact a service provider which can accept e-mail on your behalf. You need to establish such services before you can change the MX records for your domain.

If you do not have DNS services for your domain, you can configure DNS records for e-mail using ISNIC DNS Hosting. See How do I add DNS records?


What is Web Forwarding?

Web Forwarding is when a visit to a domain is redirected towards a different URL.

To activate Web Forwarding, you delegate your domain to ISNIC DNS Hosting, (see How do I add DNS records?). On the domain's settings overview page you can find Web Forwarding and add a complete URL in the column Complete URL.

Adding a CNAME record for www is an option, but if not added, it will be added automatically for you, directing at @.

You can also enter a URL or a server name. Valid URL's are for example: https://www.isnic.is and https://www.isnic.is/en/faq.

Web Forwarding does not handle HTTPS and the ones that need HTTPS should contact their web hosting provider for forwarding service.

See also: How do I add DNS records?


Why is there no cookie notification?

Informed consent of cookie usage is not required if cookies are important for the working of the website and is not used for other purposes, or if a first-party cookie is used for the web chat. Cookie usage on ISNIC's website is first party and is important for the working of the website.


Connect domain to Microsoft 365

The following instructions are made for those who want to use ISNIC’s DNS service to connect their domain to Microsoft 365. The instructions do not apply if a domain is setup on nameservers of a 3rd party DNS hosting provider.

Step 1: Set up Microsoft 365

In the Microsoft 365 setup page, Microsoft recommends using a TXT record to verify your domain. The TXT record usually looks something like this: MS=ms12345678 (the numbers are variable). Copy the record and go back to ISNIC’s page.

Step 2: Set your domain up on ISNIC’s nameservers

Login to isnic.is, go to My page and click on the icon under Control Panel in the domain table. In the Control panel you click on Redelegate under Nameservers. There you choose ISNIC DNS Hosting and click on Submit. Now your domain will be setup on ISNIC’s nameservers, it could take up to 10 minutes.

Step 3: Add DNS records

a. When the domain has been setup on ISNIC’s nameservers, you can add the DNS records from Microsoft to your domain. Go back to the Control Panel for your domain and click on Change under ISNIC DNS Hosting. On the DNS page, you choose Microsoft 365 from the drop-down list on the top of page and the DNS records from Microsoft will appear.

b. Paste your TXT Verification code in the required field and click on Submit.

Step 4: Verify Microsoft 365

Go back to your Microsoft 365 setup page and click on Verify. Your domain will now connect to your Microsoft 365 account.


How do I add DNS records?

The following instructions are made for those who want to use ISNIC DNS Hosting. The instructions do not apply if a domain is setup on nameservers of a 3rd party DNS hosting provider.

ISNIC provides DNS hosting for .is domains. To be able to add DNS records to the domain, it must first be setup on ISNIC’s nameservers.

Step 1: Set domain up on ISNIC's nameservers

Login to isnic.is, go to My page and click on the icon under Control Panel in the domain table. In the Control Panel you click on Redelegate under Nameservers. There you choose ISNIC DNS Hosting and click on Submit. Now your domain will be setup on ISNIC’s nameservers, it could take up to 10 minutes.

Step 2: Add DNS records

When your domain has been setup on ISNIC’s nameservers, you can add DNS records. Go back to the Control Panel for your domain and click on Edit under ISNIC DNS Hosting. From there you can add new DNS records and edit existing records.

a) Add single DNS records

In the drop-down list on top you can choose Single DNS record. Choose the Type of DNS record you want to add and insert appropriate Name (Host) and Value (Data, Content) and click on Submit.

  • If a DNS record’s Name is left empty it will automatically be set as @ which will work as the domain’s root.
  • When adding a DNS record for www.yourdomain.is you only type “www” as the Name (host), not “www.yourdomain.is”.

b) Ready-made templates for common services

You can choose ready-made templates to add DNS records from popular mail services, website builders and hosting providers. Choose your service provider in the drop-down list and you’ll see the DNS records that will be added as well as those that will be removed, if any. Click on Submit to add the DNS records.


Changes to domains with a 3rd party DNS hosting provider

If your domain is hosted by a 3rd party DNS hosting provider and setup on their nameservers, you can add DNS records on their end but no changes are made through ISNIC.

It depends on the hosting provider how these changes are made, but the most common way is to login to the hosting provider’s website and add the DNS records through their interface. Contact your hosting provider if you have trouble adding the records to your domain.

If you’re not sure who your hosting provider is, you can see which nameservers your domain is setup on by typing the domain name in ISNIC's WHOIS Database


Connect domain to Squarespace

The following instructions are made for those who want to use ISNIC’s DNS service to connect their domain to Squarespace. The instructions do not apply if a domain is setup on nameservers of a 3rd party DNS hosting provider.

Step 1: Squarespace setup

The first step is to follow Squarespace's instructionsto connect a domain. When you see a picture of your DNS records from Squarspace, go to isnic.is.

Step 2: Set your domain up on ISNIC's nameservers

Login to isnic.is, go to My page and click on the icon under Control Panel in the domain table. In the Control Panel you click on Redelegate under Nameservers. There you choose ISNIC DNS Hosting and click on Submit. Now your domain will be setup on ISNIC’s nameservers, it could take up to 10 minutes.

Step 3: Add DNS records

a. When the domain has been setup on ISNIC’s nameservers, you can add the DNS records from Squarespace to your domain. Go back to the Control panel for your domain and click on Change under ISNIC DNS Hosting. On the DNS page, you choose Squarespace from the drop-down list on the top of the page and the DNS records from Squarespace will appear.

b. Squarespace provides you with a Name (host) for a CNAME record with the Value (data) verify.squarespace.com. Copy the Name and paste it in the required field and click on Submit.

Step 4: Confirm

When all the DNS records from Squarespace have been added, you can click on the Refresh button on your Squarespace site, where your DNS records are shown. Your domain will now connect to Squarespace.


Connect domain to Google Workspace

The following instructions are made for those who want to use ISNIC DNS Hosting to connect their domain to Google Workspace. The instructions do not apply if a domain is setup on nameservers of a 3rd party DNS hosting provider.

Step 1: Set up your Google Workspace account

First you sign up for Google Worspace and go through the first steps in their setup process. When you see a MX Verification code, copy the code and go to ISNIC’s page.

Step 2: Set domain up on ISNIC's nameservers

Login to isnic.is, go to My page and click on the icon under Control Panel in the domain table. In the Control panel you click on Redelegate under Nameservers. There you choose ISNIC DNS Hosting and click on Submit. Now your domain will be setup on ISNIC’s nameservers, it could take up to 10 minutes.

Step 3: Add DNS records

a. When the domain has been setup on ISNIC’s nameservers, you can add the DNS records from Google to your domain. Go back to the Control Panel for your domain and click on Change under ISNIC DNS Hosting. On the DNS page, you choose Google Workspace from the drop-down list on the top of page and the DNS records from Google will appear.

b. Paste your MX Verification code in the required field and click on Submit.

Step 4: Activate Gmail

Go back to your Google Workspace setup page and click on Activate Gmail. Your domain will now connect to your Google Workspace account.


Connect domain to Google Sites

The following instructions are made for those who want to use ISNIC’s DNS service to connect their domain to Google Workspace. The instructions do not apply if a domain is setup on nameservers of a 3rd party DNS hosting provider.

Step 1: Setting up Google Sites

First you need to create Google Sites page and access it's settings . There you choose Custom domains, click Start setup, and enter www and your domain (e.g. www.yourdomain.is ).

Step 2: Validate your domain: get the code

A link asking you to "verify your ownership" appears if your domain hasn't been validated. Click it. There you must choose Domain name provider : other and copy the code displayed on their page and looks similar to: google-site-verification=gwF5euksRmSXEwRdq7A04kuFFkZbVJweB6j0nE6iJQl

Step 3: Delegate your domain to ISNIC's nameservers

Login to isnic.is, go to My page and click on the icon under Control Panel in the domain table. In the Control panel you click on Redelegate under Nameservers. There you choose ISNIC DNS Hosting and click on Submit. Now your domain will be setup on ISNIC’s nameservers, it could take up to 10 minutes.

Step 4: Validate the domain
a) Insert the code into ISNIC's interface

When the domain has been setup on ISNIC’s nameservers, you can add the DNS records from Google to your domain. Go back to the Control Panel for your domain and click on Change under ISNIC DNS Hosting. On the ISNIC DNS Hosting page, you insert a single DNS record with type: TXT, host: www and copy and paste the code from step 2 in the large text field. Click the "add" button.

b) Run validation at Google

Now go to the Google page and click the Verify button. By doing that Google checks if it finds the TXT record with the correct code and host.

Step 5: Add the domain at Google

Go back to the Google page's settings , choose Custom domains and Start setup. Enter the domain and click next.

Step 6: Connecting the domain to the website
a) Remove the validation code

In DNS settings of the domain at isnic.is you will need to remove the validation code. Click the button next to the validation code which you entered before. Then click the button.

b) Connect the site to www

On the ISNIC DNS Hosting page, you insert a single DNS record with type: CNAME, host: www and put ghs.googlehosted.com. into the big text field. Click the "add" button.

c) Forward the domain to www

Now typing the domain prefixed with www into browser works, but not if www is missing. In order to fix that you can use our Forwarding service. Copy the URL that works. On the ISNIC DNS Hosting page you can select DNS templates: Forwarding, URL redirecting, and enter the URL that works (e.g. https://www.yourdomain.is/) and click "Submit".

The domain is now connected to your Google Sites via www, and anyone that enters your domain without www in the browser will be forwarded to the domain prefixed with www.


Connect domain to Shopify

The following instructions are made for those who want to use ISNIC DNS Hosting to connect their domain to Google Workspace. The instructions do not apply if a domain is setup on nameservers of a 3rd party DNS hosting provider.

Step 1: Set domain up on ISNIC's nameservers

Login to isnic.is, go to My page and click on the icon under Control Panel in the domain table. In the Control Panel you click on Redelegate under Nameservers. There you choose ISNIC DNS Hosting and click on Submit. Now your domain will be setup on ISNIC’s nameservers, it could take up to 10 minutes.

Step 2: Add DNS records

a. When the domain has been setup on ISNIC’s nameservers, you can add the DNS records from Shopify to your domain. Go back to the Control Panel for your domain and click on Change under ISNIC DNS Hosting. On the DNS page, you choose Shopify from the drop-down list on the top of the page and the DNS records from Shopify will appear.

Step 3: Change Shopify settings

According to Shopify's instructions, you go to Domains under Settings and click on Connect existing domain. There you type in your domain name and click on Verify connection. Now your domain will connect to Shopify.


Connect domain to Wix

The following instructions are made for those who want to use Wix's nameservers. Note that if your domain is already setup on different nameservers, that connection will be lost when you make the change.

Step 1: Set domain up at Wix

Login to your Wix account and follow Wix's instructions. Under Domains you'll find Add An Existing Domain and click on Connect a domain you already own. Follow Wix's instructions on to step 2.

Step 2: Find Wix's nameservers

Step 2 in Wix´s instructions is logging in to your domain host provider, which is ISNIC in this case. Click on I logged in, then click on I found my domain settings and I found the nameservers. Copy the nameservers provided by Wix and Log in to your account at isnic.is.

Step 3: Connect the domain to Wix

Go to My page, click on the wrench icon under Control panel for your domain in the domain table. Click on Redelegate next to Nameservers Under Nameservers you'll enter the first nameserver into Primary nameserver and the second Wix nameserver into the second text input and click on Submit.

On Wix's page you can click on I’ve replaced my nameservers and your domain should connect to your Wix site.


What does strong customer authentication missing on a payment card mean?

Transactions for payment cards, put into storage with ISNIC before law about payment service, nr. 114/2021 (the PSD2 directive from the European Union) was put into effect, can be denied. The solution is to delete the card from the ISNIC storage and put it back again.


Bluehost January 2016 problems with ns2.bluehost.com

Late December 2015, issues with ns2.bluehost.com triggered automatic notice to .is Registrants. The nameserver doesn’t respond to DNS queries.

Bluehost says this is part of a DDoS protection, and that it’s being repaired, and that there is no known ETA of a fix, and that customers should use 3rd party DNS servers and point to their Bluehost IP Address (in the interim or instead).

ISNIC deactivates domains which have a broken DNS configuration after 8 weeks.


DNS Moving to Cloudflare?

After a recent problem with Dyn.com (search news stories for “DDoS against Dyn DNS”), several big DNS providers took additional precautions with one or more of their primary DNS servers. This includes moving them so that they are not hosted by *one* provider. This is generally a good thing and ISNIC has promoted operating your DNS servers on separate IP Networks, and separate AS numbers for resilient operations.

Some providers have moved their services to Cloudflare – which should be fine – however, some of them haven’t yet gotten their PTR RRs (Resource Records), also known as Reverse DNS, into the appropriate in-addr.arpa zone.

Cloudflare does know how to operate DNS services, and they do know how to add PTR RRs. As to why they’ve not applied them to these services are reasons unbeknownst to ISNIC. You must contact your DNS provider and ask them!

If they say all is well, use the ISNIC Zone Check – and forward the results to your provider. If they still continue to claim all is well, ask for better support – and someone who knows what “in-addr.arpa” means (and don’t think it’s an URL…)

If your DNS provider is Bluehost, ask them what this means:

dig -x 162.159.24.80 +trace # results in a loop, which ends in:

24.159.162.in-addr.arpa. 86400 IN NS ns2.cloudflare.com.
24.159.162.in-addr.arpa. 86400 IN NS ns3.cloudflare.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 209 bytes from 162.159.0.33#53(ns3.cloudflare.com) in 41 ms

(162.159.24.80 is the IP Address of ns1.bluehost.com, which is now hosted by Cloudflare)

If you continue to receive notices or information from Bluehost that your domain isn’t OK, move your DNS services away from Bluehost, since they no longer support .is domains for a period of more than 6 weeks (the counter in the e-mail from ISNIC should not exceed 8!) then you must take action.

ISNIC has been in contact with DNS specialists from Bluehost and Cloudflare – which should resulted in appropriate repairs (29th Nov). However, from 27th January we’ve received information that this has happened again. And PTR errors were resolved by Bluehost on 14th march 2017.

Bluehost has also recommend the A RECORD solution – since they will not support .is domains in their DNS solution.

If you have issues, and Bluehost suggest A RECORDs, then you can go to www.isnic.is and in “Web Forwarding” enter the IP Address provided from Bluehost for your server (ping your domain may reveal this) – this will make ISNIC’s Web Forwarding service act as DNS Provider for your domain. If you also have e-mail active for your domain make sure to enter the correct mail server name! If Bluehost is also your mail server host, then you just type in your domain name in the mail server field.


G Suite and domain verification

The following instructions are made for those who do not have DNS hosting for their domain and want to use ISNIC’s forwarding service to connect to G Suite in accordance to Google’s help page.

G SUITE

Log in on isnic.is, select your domain and click web forwarding. Under advanced settings you will find Mail Server (MX). According to Google’s help page the value you write in the mail server field is ASPMX.L.GOOGLE.COM. You will need to enter any valid URL or IP address in the top field, that could be another domain you already own.

DOMAIN VERIFICATION

You can use the TXT method through ISNIC’s forwarding service to accomplish this. We assume you are still on the web forarding page from the instructions above, with advanced settings opened. Go to Google’s help page (Add a TXT verification record (any domain host)) about domain verification and find your unique TXT record. Note that the code includes “google-site-verification=” and then is followed by 43 random characters, see an example:

google-site-verification=wwifazIdB2QmF20KYwfPQfrD2RJkEiK9us5xobBk8i0

Put the entire text into the TXT record field on the web forwarding page. After the domain has been verified you can remove the TXT record from the web forwarding page.


Gmail and missing messages from ISNIC

If you do not see our messages, like password reset, and you use Gmail – check your archive folder or your “other” Gmail reader!

Gmail may be archiving the messages, please read this document regarding Gmail and archiving options – one of which will most likely be the reason for this behavior.

The direct URL to your archive folder is here.

You can mark or flag hostmaster@isnic.is as Very Important or assign it to the special folders in Gmail and indicate where this e-mail should go! Remember this applies to any and all messages which Gmail is sorting in this manner and is most definitely not only relevant to ISNIC!


Google verification for .is domains

Google Apps work very well with .is domains. However, you must go through some steps, with Google, to verify that you manage your domain.

ISNIC gets requests about this – and they are actually intended for your DNS operator. Although ISNIC offers “Web Forwarding” as a quick method of getting your domain up and running, we’re not your Registrar, we are the .is Registry!

To follow Google’s instructions, available here – you can follow the HTML advice if you’re already running a website – but the TXT or CNAME instructions must be done with a DNS hoster.

See a list of DNS hosters/providers on the ISNIC website and note that you may find FreeDNS services from some of them (like x.is and 1984.is).

These information are informational only, and not meant as a suggestion or endorsement of any company mentioned here.


Squarespace and 3rd party DNS hosting

Your .is domain can easily connect to most website hosting providers by our simple web forwarding or using their name servers, but some providers such as Squarespace require more. This guide will use Squarespace as an example of how to use 3rd party DNS hosting.

SET UP YOUR DOMAIN

First step is always to set up the domain on the webhost’s site. Look at Squarespace’s help page, starting from step 1.

DNS HOSTING

After setting up the domain we need to find a DNS provider; here is a list of popular providers. You can find number of free DNS with any search engine. Note that your provider does not need to be an official provider on ISNIC’s website.
Setting up the domain on the DNS provider’s website varies greatly. Normally you will have to create an account and set up a new domain, they may want to sell you a domain, but just select to set up a domain.

Start by removing any A records if there are any, then add a new DNS record with the following setup.

Type: A
Host: @
TTL: use default value (common values are 3600 and 86400)
Points to: (copy IP to here)

Do this for each A record your website provider requires. Use Squarespace’s help page to see all 4 A records they require and get the IP addresses.
When all A records have been set up in accordance to your webhost’s requirements you will do the same as above but with CNAME records, making sure the fields are correctly filled out in accordance to your webhost’s instructions.

REDELEGATE YOUR DOMAIN TO THE DNS HOST

Log into your relevant isnic.is account, select your domain, click redelegate, and either pick the service provider from the list of providers or enter the name servers manually.

FINISH

You may need to wait some time, but Squarespace provides you with a tool (described in step 8 of their help page) to see if they have received updated information about the domain. After putting the domain on queue for redelegation you may want to hit that refresh button every half an hour.


The IPv6 digital dilemma

We are now entering the time of permanent IPv6 presence. 6th june is ‘IPv6 Launch Day‘ and following this, we’ll expect quite a large number of companies enabling IPv6 on their services, lots of ISP’s will make IPv6 available to their customers and you need to ask now, are you ready to accept the new and improved, the unknown and available, secure and open network standard now, later or never?
My first impression of IPv6 after reading some material was, ‘yes and no’, and it still is. I’ve made steps to improving my setup, I’ve tested and tested and still remain hesitant because I cannot suggest to anyone, neither home users or companies that they implement IPv6 now… But if your decision is to try and test, I can make some suggestions…
Whatever they say about stuff included with IPv6, IPsec, protocol differences etc., remember it’s only as secure as your least secure item on the network – so find your lowest common denominator and figure out how you’ll apply security and some will find easy ways of doing monitoring and auditing, while others will quickly notice that they’ve got none at all.
Lots of users will have hands on experience with their loggers, Event Viewer, syslog, console log etc. But there will be new issues with IPv6. My immediate realization and my experience:
  • Mostly not reading the log *all the time* and missing most stuff… for my parts, it’s ok since it’s mostly firewalled and ACL’s in the appropriate location
  • Firewalls and AntiVirus apps, not knowing anything about IPv6
  • IPv6 traffic which *I* don’t know anything about, like toredo tunnels and others (HE.NET, Freenet…)
  • Services defaulting to IPv6 servers with variable reliability and added delays, DNS issues with PTR records, hosts.allow messed up, all accurate responses to unexpected queries and traffic
Several accidental issues popped up after IPv6 enabled services where introduced, i.e. the service is implemented and tested and the AAAA record is added to the DNS and the service starts to popup *and failing*, why?
  • Routing and response issues, local firewall not accepting the new traffic. The new traffic isn’t as easy as “tcp port X is opened, and we respond”, oh no, we’ve got to worry about advertisments and neighbour discovery and this will be your issue if you’ve got rogues on your network because you’ll have to trust your neighbours or use software and correct configuration to ensure your traffic is secure. After configuring neighbour discovery and accepting the correct packages from the router, traffic starts to flow and ACL’s drop traffic again.
  • IPv6 addresses in ACL’s are commonly wrapped with []’s and the subnet mask *following*, i.e. [2001:470::]/32 (Hurricane Electric).
  • IPv6 isn’t correctly supported on all operating systems. Our users had MacOSX Leopard, which had problems with manual configuration and Snow Leopard which doesn’t correctly allow neighbour advertisments with ip6fw unless you strip PowerPC code from the binary…
  • On any network with a router advertisment daemon, any linux, MacOSX and many Windows Vista and all Windows 7 machines will popup with and IPv6 address. Windows XP machines shouldn’t do it unless specifically enabled.
  • Operating Systems *don’t* block IPv6 traffic by default. Your firewall may be *oblivious* to IPv6 traffic. You may have services which are enabled, fully protected on IPv4 – but they’ll be visible on IPv6 and may be hacked, even if they *are* the secure services. Do you watch your laptop or work machine for attempts to authorize users, the SSH daemon or SMB/CIFS services? Usually we just *block* access to authentication services but there are always servers which will allow this and if you don’t start dropping connections, you may be opening up a system for infinite hack attempts on generally secured services.
If you think you’re part of a network which is *too large to scan* – because your smallest network is 64 bits large, and your machine or server is hidden somewhere – remember many devices are servers, and will present AAAA records and PTR records may give away some information. A local machine will be able to discover the neighbours, so your immediate danger of ‘scanning’ is already a part of your neighbourhood. Also, this is all about discovery and when you start accessing services, you’ll start to leave your footprints and your digital fingerprint will be all over the internet and a port scanning device, sniffer or data mining tools will start collecting IPv6 addresses and information. Remember that the default setup for router advertisments will use your network cards MAC address (ethernet address) and when you move to a new network, you’ll already carry a identifier which can be datamined. IPv6 does have some methods of randomizing your IPv6 address for security. This will of course make it more difficult to maintain AAAA and PTR records and some services will refuse connection from addresses missing the PTR records or have a mismatch between AAAA and PTR (RFC931).
One contingency plan was to make the address space enourmously large, but it will be filled. Several vendors, users and companies will simply make lots and lots of networks, spend their CPU cycles in routing and ACL’s for a simpler setup, but it’s not a good solution. It’s an situation where a secure webserver may be hosted in a dedicated /64 network because we can’t as yet break it down to /120 and then manage that by ACL on the routing level BUT we can do it on a local level – if you implement strict policies, know your devices and have trustworthy management and auditing, but it’s a management nightmare which needs solutions. There will be many views on how to implement security and they are all important because security will be required.

 

My suggestions?
  • If you have a System Administrator, make sure he’s up to date, and that he’s met IPv6 people and knows what’s what.
  • If you don’t have a System Administrator, get advice – should you do it and how.
  • Get into the habit of audit and monitoring, free tools include ntop and cacti
  • Realize that there are holes which you cannot cover, since they may be your published application
  • Backup, backup and backup
  • Your system may be viable for separating services and users, this will make ACL’s and firewalls manageable… sort of
  • Remember your digital footprint. You may want to reduce it and if so, use the privacy extensions but it’s an addon to security, it’s not “the security”
  • Because native IPv6 will create a direct connection between nodes, each node should include security of some sort. Although you can implement a firewall on your routers, it’s not a solutions but an interim fix while you apply your internal IPv6 deployment and solve your internal issues.
Björn R. (My opinions are my own)

WIX DNS Services

If you are moving your web or DNS to WIX, but it fails through the ISNIC web – it’s possible the WIX nameservers haven’t been registered with ISNIC.

It’s ideal if WIX registers their nameservers with ISNIC, but the Zone Contact for WIX is EP29-IS (ISNIC NIC handle).


Leave a message and we will reply as soon as we can.
1+3:

Message received

Webtree
To top