Frequently Asked Questions

Domain registration

Contact registration





Can a foreigner register a .IS domain?

Yes, you can register a ".is" domain!

For further information see Domain Registration in ISNIC's rules.

How do I register a .IS domain?

If you have your own nameservers, you must have configured the domain and the nameservers must be registered with ISNIC. If you do not have any nameservers yet, you can park your domain with ISNIC until you have decided on where to host your domain.

See "Domain->Requirements" and "Nameserver->Requirements".

You must also have available the NIC-handles of the domain's contacts, and you yourself must be logged in via "Contacts->Login".

If contact handles are unavailable, you must first register the contacts (and/or yourself) via "Contacts->Register" on the left.

Once logged in, proceed to the registration page ("Domains->Register") and follow the instructions. Your application will be queued, pending payment of registration fees.

Note that you have two days to remit the fee, after which the application expires and must be resubmitted if payment is made. Payment can be made on-line using the login information of the Administrative contact or Billing contact of the domain.

How do I check if the domain I want is available?

All ".is" domain's are registered in the ISNIC domain registry and their registration information is available via the ISNIC web. However, the registration WHOIS lookup is rate-limited and does not include pending domains.

If you want to do this in a program use EPP check:domain or RDAP domain availability check. These lookups are rate-limited at 7200 queries per 30 min.

What is the role of the domain's administrative contact?

Usually, a domain's adminstrative contact is simply the registrant. If the registrant wants someone else to have full change-control over the domain, a third party can be appointed administrative contact.

Please note that the admin contact has full, web-based control of the domain, including the ability to transfer the domain to a new registrant. It is the registrants responsibility to ensure that proper contracts exist between a third-party administrative contact and the registrant.

Why are there multiple domain contacts?

Domains can have up to four different contacts (NIC-Handles) in addition to the registrant. Each contact serves a different role and holds different change-authority over the domain. The contacts and the registrant use their NIC-Handles to log into the ISNIC web to modify their own, and their domain's registration.

Note that each contact can change their own registration information, but only the domain's registrant and administrative contact can change the domain's contacts.

  1. The Registrant (R) has full change-control over the domain, if the registrant contact has been activated (see How do I activate a contact object's NIC-handle?). The registrant can change all aspects of the domain's registration, including transferring the domain to a new registrant and deleting the domain.
  2. The Administrative Contact (AC) has full change-control over the domain and exercises this control on behalf of the registrant. The AC can change all aspects of the domain's registration, including requesting the transfer of the domain to a new registrant or deletion of the domain. Transfers and deletes require registrant approval if the registrant is an active contact. If the registrant decides to delegate all management of the domain to a third-party, that party should then be registered as the domain's administrative contact (see What is the role of the domain's administrative contact?). The AC can withdraw their services and the registrant will then automatically become the AC.
  3. The Technical Contact (TC) handles the technical aspects of domain management, it's DNS hosting, web hosting etc. The TC is most often with the domain's network provider. The registrant or the administrative contact can substitute the TC for a new one. The TC can withdraw their services and the AC will then automatically become the technical contact.
  4. The Billing Contact (BC) is the recipient of the domain's billing information. The domain's invoices are addressed to the BC. Most often the BC is the registrant himself. The domain's R and AC must make sure that the appropriate party is registered as the domain's BC at all times. Only the R and AC can substitute the BC for a new one. The BC can withdraw his services and the registrant will then automatically become the billing contact. Bills are never re-issued to the new BC. Upon request, a receipt will be issued to the new BC after the domain's fees have been paid.
  5. The Zone contact (ZC) is the technical contact for the domain's nameservers. The ZC owns the domain's master nameserver and is responsible for the domain's compliance with the .is technical delegation requirements. The ZC must be willing and able to configure the nameservers according to these requirements. The ZC is automatically updated when the domain is redelegated to a new set of nameservers.

The same party can perform all these functions, i.e. the same NIC handle can be registered as the domain's R, AC, TC, BC, and even ZC. However, if they are not the same, the set of available operations depends on who is logged in to the ISNIC portal according to the following table:

Operation                              R     AC      TC      BC     ZC

Modify Registration                  Yes    Yes     Yes     Yes     No
Registrant Transfer                  Yes    Yes(&)   No(&)   No(&)  No
Substitute Contacts                  Yes    Yes      No(+)   No(#)  No
Renew registration (BC is not DNSP)  Yes    Yes     Yes     Yes     No
Renew registration (BC is DNSP)       No     No      No     Yes     No(~)
Redelegate domain                    Yes    Yes     Yes      No     No(*)
Modify DS records                    Yes    Yes     Yes      No     No(*)
Delete domain                        Yes    Yes(&)   No(&)   No(&)  No
Autorenewal (on/off) (BC is not DNSP)Yes    Yes      No     Yes     No
Autorenewal (on/off) (BC is DNSP)     No     No      No     Yes     No(~)
Resign as contact                     No    Yes(#)  Yes(+)  Yes(#)  No

+) AC and BC can withdraw their services (resign) R automatically
#) TC can withdraw their services (resign) AC automatically substituted.
*) ZC of domains hosted with a registered DNS hosting provider can
   redelegate and manage DS records.
&) TC and BC can request registrant transfers and deletions, R or TC
   must approve. AC can do registrant transfers and deletions if R is
   not an active contact.
~) All DNSP contacts can also renew the domain.

What about cost?

The annual renewal fee is €31.90. The first year fee (the registration fee) must be prepaid before registration can proceed.

What is Automatic Renewal

The registrant, admin- and billing contacts can register domains for automatic payments on the subscriptions page.

When domains are registered for automatic renewal, card will be charged for the annual renewal fee 45 days prior to the expiry date.

Registering your domain to self renewal can be done at checkout, by selecting "Use payment card", "store card" and "Automatic renewal using the selected payment method", next click "Purchase".

Registering your domain to self renewal can also be done at "My page". There you can click on this button for the domain you want to register for self renewal.

It is important to keep information in WHOIS correct for domains which are automatically renewed. Contact e-mail addresses are particularly important to keep current as receipts for those domains are only sent in e-mail.

What happens to domains that are unpaid on their expiration date?

If a domain remains unpaid on it's expiration date, ISNIC informs the domain's billing contact (and the domain's administrative contact) that the domain is about to be deactivated (put on hold). At 13:00 UTC the day after the expiration date, the domain is deactivated and removed from the ".is" zone.

The domain now enters a 30 day grace-period where the domain remains registered but inactive. During this period the registrant can reactivate the domain by paying the renewal fee. No further communications/warnings are issued by ISNIC during this period. If the domain fee has still not been paid after 30 days, the domain is deleted at 13:00 on the following day and made available for re-registration.

When are domains released for reregistration?

ISNIC can not provide definite information on when (exact date) a expired domain will be released for registration again. A ".is" domain that is not renewed by it's expiration date is put on hold (closed) at 13:00 UTC the day after its expiration date.

A domain on hold is not available for registration. The registrant now has 30 days to remit the registration fee, and if the registration fee is recieved by ISNIC the domain is reactivated. Please note that the registrant can explicitly delete the domain any time during these 30 days, making the domain available for registration immediately.

If the domain registration fee remains unpaid after 30 days, ISNIC deletes the domain at 13:00 UTC the following day, making it available for reregistration.

How do I modify my own or my domains registration?

Modifications are web-based. You must begin by logging in to the ISNIC web using your NIC-handle and password and select "My page". You will then get a list of domains and nameservers for which you are registered and over which you have change-control. Select the domain/nameserver you wish to modify and follow the instructions. Use "My Settings" for your NIC-handle. In cases where the NIC-handle is also a Registrant, changes will also be visible in the Whois form in relation to the Registrant of those domains.

How do I change the name of a contact object?

Names of contact objects can not generally be changed. You must register a new contact using the new name, obtain a new NIC-handle and use that to do a "Registrant Transfer" (if the registrant has changed names) or "Change contacts" on the relevant domains (selected on "My page").

Contact names of objects registered using Icelandic National Identity Numbers ("Kennitala") are automatically updated if a change is made in the National Registry (both for individuals and for corporations).

How do I resign as domain contact?

Contacts (billing, tech and admin) can resign from their associated domain. When they resign tech will become admin and billing and admin vill become registrant.

You must begin by logging in to the ISNIC web using your NIC-handle and password and select "My page". Then select ("Resign as contact") from domain drop down list. Select domains that you want to resign from and click "Submit".

Can I withhold publication of my registration data from the ISNIC whois database?

By default, most of the personal information on individuals (registrants and contacts) is withheld from publication. Note that the country is always published. You can decide to explicitly publish the rest of your information by going to "My settings" and toggle "Publish in WHOIS" to "Yes". Please remember that this only applies to individuals.
Note the circumstance's in Release of hidden Registration Data from ISNIC's Whois

Can I delete a contact from the ISNIC whois database?

Contacts are automatically removed if not used. But a contact can be removed if it is not used by a domain or a host. After the contact has been marked expired it will eventually be deleted. After a contact has been marked expired it will immediately be removed from ISNIC's public whois database. But if the contact logs in before it is deleted the contact will be reactivated. See the button Delete contact on "My Settings".

How do I change my domains zone contact?

The domains zone contact is the first (master) nameserver's technical contact. It is automatically modified, when the domain is redelegated to a new set of nameservers. The zone contact can thus only be changed by changing the technical contact of the domains current nameserver as registered with ISNIC, or by redelegating the domain to a different set of nameservers.

How do I change nameservers on a domain?

Moving your domain to a new DNS service provider (new set of nameservers) is web-based. Log on to the ISNIC web using your NIC-handle (you must use either the NIC-handle of the registrant, the administrative contact or of the technical contact). On "My page", click the wrench icon under Control Panel and click on Redelegate under Nameservers. There you can either type in the nameservers that the hosting provider has set your domain up on, or choose the appropriate DNS hosting provider in the drop-down list of registered DNS hosting providers at ISNIC and click on Submit.

Note that you can only move your domain to a new set of nameservers if the domain has already been set up on the new nameservers according the ISNIC's technical requirements. Please contact your prospective DNS provider (the operator of the new nameservers) if you experience problems/errors when trying to redelegate your domain. Please do not contact ISNIC in these cases as we can not modify your domain's configuration with your DNS provider.

A competent DNS service provider will understand these basic requirements and will not have problems setting up your domains, or explaining to you how you can use their systems to host ".is" domains according to these requirements.

What is DNSSEC?

DNSSEC is an extension to the DNS system which makes it possible to sign DNS records with a key (DNSKEY). Resolvers can verify that the authenticity of the responses. DNSSEC is defined in RFC4033 .

How do I activate DNSSEC for my domain?

First, the records in your domain have to be signed. For this you can use extensions to popular DNS software such as BIND or 3rd party solutions.

Once the records have been signed and the signatures published in the zone, the DS records for the keys have to be submitted to ISNIC for inclusion in the ".is" zone. To do that, you go to "Edit DS records", select the domain from the list and click "Edit DS records".

How do I check if my recursive nameservers are validating my answers?

All nameservers should be set up to validate their answers before giving them to their users. To test if your nameservers (i.e. the ones you are using to navigate the net) are validating try clicking on the following links:

How do I securely modify delegation records for a DNSSEC signed domain?

Special care must be taken when modifying delegation records of a DNSSEC signed domain. DS records that are published in the .is zone point to DNSKEY records in the signed domain, and if they are missing, validating resolvers will fail to resolve names in the domain.

To safely modify the delegation records of a DNSSEC signed domain, please follow these steps (we assume no access to the private key used to sign the zone. If there is access to the private key, it can simply be moved to the new nameservers along with the domain and be used to continue signing the zone):

  1. Transfer all domain records (then zone) from the old nameservers to the new nameserver, including DNSKEY records and sign it with the new key.
  2. Copy the new DNSKEY records to the old nameserver.
  3. Add a DS record with ISNIC correspondig to new KSK.
  4. Wait for at least 24 hours. This ensures all resolvers see the new DNSKEY and DS records.
  5. Re-delegate the domain to the new nameservers.
  6. After 24 hours delete the domain from the old nameservers and remove the old DNSKEY records from the new nameservers. Also remove old DS records from ISNIC.

Note: The "24 hour" recommendation assumes common TTL (time-to-live) settings. If you have configured longer TTLs for your zone, you may need to wait longer.

How do I register my nameservers with ISNIC?

It is important that nameservers are registered with ISNIC by the nameserver operator/owner or their technical representative. The nameserver's technical contact becomes the zone contact for all ".is" domains delegated to the nameserver and therefore must be whoever administers the nameserver. ISNIC contacts the domain's zone contact in case of technical difficulties with the nameservers and this contact must have proper access to the nameserver and be able to fix DNS-technical problems.

To register a nameserver you must have available the nameserver's intended technical contact handle (nic-handle). If that is not available the server administrator must begin by registering a contact object for the nameserver. Once you have obtained and activated the NIC handle assigned you can login to our site and proceed with the nameserver registration by clicking on "Register" under the "Nameservers" heading.

How does ISNIC validate the nameservers?

The only way to test a particular UDP service is to query the service that listening on the particular port. Thus the only way to test if a DNS server is running on UDP port 53 is to make a DNS query. As there is no way of knowing which zones are served by that host, so a query for the root zone NS records is made. A secondary query is also made, in case the root zone fails.

To verify that a nameserver is running, a reply is required. It can be any RCODE as long as some reply is sent. A timeout is not acceptable.

According to RFC1035 the RCODE should be one of those below: (RCODE names are from BCP42/RFC2929 )

SERVFAIL 2  Server failure - The name server was
            unable to process this query due to a
            problem with the name server.

REFUSED  5  Refused - The name server refuses to
            perform the specified operation for
            policy reasons.  For example, a name
            server may not wish to provide the
            information to the particular requester,
            or a name server may not wish to perform
            a particular operation (e.g., zone
            transfer) for particular data.

Or the reply can be NOERROR, with the root zone NS records, but not replying at all is not an option.

Why does ISNIC require minimum TTL values?

It is important to realize that TTL is not an attribute of an entire domain (zone). TTL is an attribute of each record in the zone. ISNIC only requires a minimum TTL on the nameserver records within the domain (NS resource records).

The value of the TTL field in the NS records affects the query-rate on the ".is" nameservers, therefore there is a certain minimum enforced. Please note that this minimum TTL requirement only applies to the NS records.

It is possible to debate as to what precisely the minimum value should be, but experience in recent years suggests that these values should only be lowered from rather high defaults if some changes are planned. According to RFC1912 :

  "Popular documentation like [RFC1033 ] recommended a day for the minimum TTL,
   which is now considered too low except for zones with data that vary regularly.
   Once a DNS stabilizes, values on the order of 3 or more days are recommended.
   It is also recommended that you individually override the TTL on certain RRs
   which are often referenced and don't often change to have very large values
   (1-2 weeks). Good examples of this are the MX, A, and PTR records of your
   mail host(s), the NS records of your zone, and the A records of your nameservers."

and according to RFC1030 :

  "Most host information does not change much over long time periods. A good way
   to set up your TTLs would be to set them at a high value, and then lower the
   value if you know a change will be coming soon. You might set most TTLs to
   anywhere between a day (86400) and a week (604800). Then, if you know some
   data will be changing in the near future, set the TTL for that RR down to a
   lower value (an hour to a day) until the change takes place, and then put it
   back up to its previous value."

A recent study on DNS performance concludes that

  "It is not a good idea to make the TTL values low on NS records, or
   for A records for name servers. Doing so would increase the load on the root
   and [g]TLD servers by about factor of five and significantly harm DNS scalability."

from DNS Performance and the Effectiveness of Caching by Naeyeon Jung, Emil Sit, Hari Balakrishnana and Robert Morris ACM Transactions on Networking, Vol. 10, NO. 5 October 2002.

This applies to all TLD servers, both gTLD- and ccTLD-servers as well as to the root servers.

Also see news article ISNIC published on the matter.

Why did ISNIC require PTR records on nameservers?

Note: As of november 2017 ISNIC does not require PTR records on nameservers.
The delegation requirements for .is domains were decided on by the .is community many years ago. One of the primary goals was that the .is domains would only be delegated to properly set up and properly managed nameservers. Statistically, the owners and operators of such nameservers have had no problem satisfying the PTR record requirement. This requirement makes various DNS abuses harder to achieve using .is domains (such as poisioned glue records, double-flux domains and others). This requirement originates from the same sentiments as a similar requirement on mailservers - which is now more-or-less universal as a method to reduce the risk of various kinds of misuse.

Of course there will be nameservers that are properly managed, but their operators decide not to correctly deploy PTR record sets. And there will be nameservers that are badly managed but with correct PTR records. However, the intent here is to increase the level of trust in the nameservers to which .is domains are delegated. Thus, the .is requirements apply to all and no provision is made for exceptions.

While RFC1912 "Common DNS Errors" is not a standards track document, ISNIC decided long ago to adopt many of it's recommendations as part of ISNIC's delegation requirements for .is domains.

From RFC1912 (Common DNS Errors):

  "Make sure your PTR and A records match.  For every IP address, there
   should be a matching PTR record in the domain.  If a
   host is multi-homed, (more than one IP address) make sure that all IP
   addresses have a corresponding PTR record (not just the first one).
   Failure to have matching PTR and A records can cause loss of Internet
   services similar to not being registered in the DNS at all.  Also,
   PTR records must point back to a valid A record, not a alias defined
   by a CNAME."

From RFC2181 (Clarifications to the DNS Specification)

  "10.2. PTR records

   Confusion about canonical names has lead to a belief that a PTR
   record should have exactly one RR in its RRSet.  This is incorrect,
   the relevant section of RFC1034 (section 3.6.2)  indicates that the
   value of a PTR record should be a canonical name.  That is, it should
   not be an alias.  There is no implication in that section that only
   one PTR record is permitted for a name.  No such restriction should
   be inferred."

Why does ISNIC require TCP connectivity to nameservers?

According to RFC5966 :

"....any DNS server needing to send a UDP response
 that would exceed the 512-byte limit is for the server to truncate
 the response so that it fits within that limit and then set the TC
 flag in the response header.  When the client receives such a
 response, it takes the TC flag as an indication that it should retry
 over TCP instead."

And in section 4 of RFC5966 states:

"All general-purpose DNS implementations MUST support both UDP and TCP

  o Authoritative server implementations MUST support TCP so that they
    do not limit the size of responses to what fits in a single UDP

Accordingly, ISNIC requires nameservers hosting ".is" domains to support queries over TCP.

How do I delete my .IS domain?

To delete (deregister) your ".is" domain, you begin by logging on to the ISNIC web using your NIC-handle on "My page" you click "Domain delete" under drop down list domain. Select the domain(s) you wish to delete and click Submit.

Please note that the domain's registrant (or administative contact) will receive e-mail from ISNIC asking them to confirm this action. If no confirmation is received within three days, the domain will remain registered.

If the domain's renewal fee is not received by ISNIC by the expiration date of the domain, the domain will be disabled, and deleted after a 30 day grace period.

Under what circumstances would ISNIC close or delete a .IS domain?

Closing a ".is" domain based on domain's usage (e.g. content of a website pointed to by the domain, e-mail content sent to or from the domain and so on) can be requested by a formal court order from an icelandic court, or a request from relevant icelandic authorities. ISNIC can also decide to close a domain by referring to article 9, chapter III of the ISNIC registration rules.

ISNIC is not responsible for the registrant's usage of his/her domain. It is ISNIC's duty and prime function to maintain uninterrupted service to all ".is"-domains and be sure that the registration information of a domain is correct so that the current registrant for a domain can always be identified.

Other than that, there are three reasons for closing a domain:

  1. non-payment of the domain's fees,
  2. the domain's technical setup is not according to ISNIC's requirements for extended periods,
  3. if ISNIC considers the registration information wrong or incomplete.

Note that it is at ISNIC's sole discretion wether the information provided about the registrant is adequate or not. Once a domain has been closed (put on hold) due to incomplete registrant information, ISNIC reserves the right to ignore any further attempts by the registrant to correct the registration.

What happens to domains that are not compliant with the ISNIC technical requirements?

If the monthly test reveals that a domain does not comply with ISNIC's requirements, the following Misconfigured Domain Parking is initiated:

  1. Warning e-mails are sent weekly to the domain's contacts. First only the zone contact but eventually zone, tech and admin contacts and finally the registrant is added.
  2. If the problem persists for 8 consecutive weeks, the domain is suspended: it is marked inactive in the registry and its DNS records are removed from the ".is" zone file
  3. After the domain has been put on-hold it will be tested daily and activated if found to comply with the requirements.
  4. After another 30 days the domain is moved to the ISNIC parking servers (the DNS server settings for the domain are changed).

If the domain setup is brought into compliance (issues are resolved) before the domain is transferred to the ISNIC parking servers, the domain will be re-listed in the ".is" zone automatically and no further action need be taken.

If the domain setup is brought into compliance (issues are resolved) after the zone has been moved to ISNIC's parking servers, then one of the domain's contacts will need to use this website to redelegate the domain to the correct name servers.

How do I change my domain contacts?

You must begin by logging in to the ISNIC web using your NIC-handle and password. Next go to "My page", there select "Change contacts" under drop down list domain. Select domains that you want to change, enter contact NIC-handle to admin, tech or billing field and click "Submit" to submit changes.

How do I change billing contact on my domain?

You must begin by logging in to the ISNIC web using your NIC-handle and password. Next go to "My page", there select "Change contacts" under drop down list domain. Select domains that you want to change, enter contact NIC-handle to billing field and click "Submit" to submit changes.

Note: How do I change my domain contacts?

How do I activate a contact object's NIC-handle?

When a contact object (registrant, admin, technical or billing contact) is registered with ISNIC an e-mail is sent to the registered e-mail address requesting that the contact (person or other) confirm their willingness to register, and the validity of the e-mail address. This e-mail contains an URL that must be followed to activate the NIC-handle.

Alternatively, the NIC-handle can be activated by setting a password. Visit here and type in your NIC-handle and then select the "Lost password" link.

How do I transfer a domain from one registrant to another?

A domain is transferred from one registrant to another via the ISNIC web interface. The domain's current registrant or administrative contact logs on using their NIC-handle and password. Select Registrant Transfer from domain drop down list. Select domains to be transfered and enter NIC-handle of the new registrant. The new registrant must have a valid NIC handle. If they do not, the new registrant must first obtain a NIC handle (username). The domain's current registrant will then be asked to confirm (via a e-mailed a confirmation URL) the transfer request, and once confirmed, the request is queued for processing. If the domain's current registrant does not have a confirmed valid e-mail address, the domain's administrative contact will receive the confirmation URL e-mail to confirm the request.

It is often simplest for the current administrative contact to change the admin-c to that of the new registrant (or his representative). The new admin contact can then effect the transfer and other changes that need to be made to the domain's registration when it is transferred from one registrant to another.

How do I transfer a domain from one registrar to another?

ISNIC does not operate a registry/registrar model. The registrants (or their representatives) interact directly with the .is registry. Each domain has up to four contacts with varying degree of control over the registration. (See Why are there multiple domain contacts?) The registration management is transferred by changing some or all of these contacts. See also How do I change nameservers on a domain?.

What does "Registration verified by ISNIC" mean?

If a registrant or contact supplies ISNIC with an Icelandic national identification number ("kennitala") when registering a domain or a contact, ISNIC sets the name according to the national registry. If the contact selects to synchronize their address with the national registry as well, ISNIC will set the address in the WHOIS database to the offical address in the national registry. In this case the Registration Certificate published by ISNIC will contain the sentence "Registration verified by ISNIC" - Example.

Can you send me an account statement?

Account statements are only accessible on "My page" under "Invoices". You need to login as the domain's registrant, admin contact, or billing contact or login federated through on the 'kennitala'.

See also: How do I login?

Can you send me an invoice?

Invoices are accessible by following links from within the account statement.

See also: Can you send me an account statement?

How do I login?

Lookup your domain on our main page to see the registered contacts. If you have lost your password you can :

  1. Use "lost password" to reset the password through e-mail.
  2. If the e-mail is unavailable, use "lost password" with the SMS option to reset the password via a registered mobile number.
  3. If the contact has a kennitala you can use login.
  4. Otherwise you need to fill out a form.

I turned on two factor authentication but lost the key, how do I login?

For a contact with an icelandic kennitala it is easiest to use login.

Otherwise fill out "Change contact authentication information" form and ISNIC has to verify the contact and for that service ISNIC charges a fee (see prices).
Note: for this to be possible at all, the contact's registration information must be as accurate as possible.

What does a "corresponding non-IDN domain" mean to a IDN domain?

The corresponding non-IDN domain is constructed from the IDN domain according to the following table:

 þ -> th   á -> a    í -> i
 æ -> ae   é -> e    ó -> o
 ö -> o    ý -> y
 ð -> d    ú -> u

Can I become a .IS registrar?

ISNIC does not have any official registrars. The registrants have direct access to the ".is" registry and deal directly with the registry. Anyone can host ".is" domains as long as their nameservers meet ISNIC's technical requirements, and the domains zone as set up on those nameservers meets ISNIC's delegation requirements.

A DNS hosting provider that agrees to host ".is" domains for their customers, needs to register their nameservers with ISNIC, see "How do I register my nameservers with ISNIC?", and make sure they are willing to meet ISNIC's delegation requirements.

A DNS hosting provider can additionally apply for status as a registered ISNIC DNS Service Provider (DNSP/ISP) for ".is" domains. DNSPs have additional control and access. Please see the application forms for the terms and conditions of such registration.

ISNIC offers EPP access to everybody that have shown competency against our development environment.

What is a DNSP or ISP?

A registered DNS service provider (DNSP) is a provider that has registered with ISNIC as such and is willing and able to host ".is" domains according to ISNIC's technical delegation requirements. The DNSP is listed with ISNIC, and has access to the DNSP portal on the ISNIC web.

Note: This status is not needed to register nameservers. See How do I register my nameservers with ISNIC?.

Note: ISNIC registered DNSPs used to be called ISPs. The name was changed to clarify what kind of hosting services they provide (DNS hosting, as opposed to web- or e-mail hosting).

What is a parked domain?

Domains can be parked, i.e. temporarily delegated to a special set of parking nameservers. A registrant may park a domain if e.g. the zone is not ready at the time of registration or the production nameservers have gone offline for a long period of time and the domain is in danger of being deleted.

While a domain is parked it will not receive any e-mail and no websites will be active. If you choose to park a domain you select the option "Parking" from the DNSP's dropdown list. The registrant can park or unpark a domain at any time (via the ISNIC web -- see How do I change nameservers on a domain?).

Domain parking is a free service.

How do I create e-mail for my domain?

If you need e-mail services for your domain, you must contact a service provider which can accept e-mail on your behalf. You need to establish such services before you can change the MX records for your domain.

If you do not have DNS services for your domain, you can configure forwarding of e-mail using ISNIC's forwarding service. (See What is Email Forwarding?)

What is Web Forwarding?

To activate Web Forwarding, you need to add either an IP address for A record or a complete URL in the column Complete URL or IP address. If you don’t have A record or URL, any complete URL will do (e.g. Adding a CNAME record for www is an option, but if not added, it will be added automatically for you.

Web Forwarding is a service provided by ISNIC to direct your domain to a IP address or a pre-defined web URL. If you choose to use an IP address, the webserver should be configured to display your website - you should contact your webserver administrator to make sure this is possible.

You can also enter a URL or a server name. Valid URL's are for example: and

Web Forwarding is a free service.

See also: What is Email Forwarding?

What is Email Forwarding?

Email Forwarding is a DNS service provided by ISNIC, to direct all e-mail addressed to a particular .is domain, to an existing e-mail service provider.

Email Forwarding is enabled using the same interface as the Web Forwarding option: Select "Forwarding and Redelegate" either during domain registration or from drop down list domain on "My page", and choose a known provider or "Custom mail server" from the drop-down menu.

ISNIC Email Forwarding is a free service, but usually it is necessary to pay the operator of the e-mail server.


  • Email Forwarding is not available for domains delegated to custom name servers.
  • For custom mail servers, it is possible to specify up to two MX and two TXT records.
  • The DNS records published for preconfigured providers usually include one or more MX records for routing e-mail, SPF and/or DKIM records to prevent forgeries and SRV records for e-mail client auto-configuration.
  • ISNIC does not charge e-mail service providers to be on the preconfigured list, Email Forwarding is provided as a service for our customers' convenience only.
  • If you feel we have overlooked an important, popular e-mail service provider, please get in touch and let us know.

See also: What is Web Forwarding?

Why is there no cookie notification?

Informed consent of cookie usage is not required if cookies are important for the working of the website and is not used for other purposes, or if a first-party cookie is used for the web chat. Cookie usage on ISNIC's website is first party and is important for the working of the website.

Connect domain to Microsoft Outlook

The following instructions are made for those who do not have DNS hosting for their domain and want to use ISNIC’s Email Forwarding service to connect their domain to Microsoft Outlook.

Step 1

In the Outlook setup page, Microsoft recommends using a TXT record to verify your domain. Copy that record and go back to ISNIC’s page.

Step 2

Login to, go to My page, click on click on the for Control Panel in the table for your domains. Click on Redelegate in the Nameservers column and choose Web forwarding. Choose Microsoft Outlook from the Email forwarding drop-down list. You will also need to enter any valid URL or IP address in the top field, that could be another domain you already own or your favourite website. Paste the code in the TXT record column and click on Submit.

Step 3

Open the Microsoft Outlook setup page and click on Verify. In the next step, Microsoft will provide you with a unique MX record for your domain. Usually, the MX records looks like this: Copy the MX record for your domain and head on over to Go to the Web Forwarding, and paste the MX records in the Mail Server (MX) column. Now click on Submit. Your .is domain is now connected to your Microsoft Outlook account.

How do I add DNS records?

If your domain is already setup on nameservers of a 3rd party hosting provider, these instructions do not imply.

ISNIC provides DNS hosting for .is domains. To be able to add DNS records to the domain, it must first be registered in Web Forwarding. To activate Web Forwarding, you need to add either an IP address for A record or a complete URL in the column Complete URL or IP address. If you don’t have A record or URL, any complete URL will do (e.g. Adding a CNAME record for www is an option, but if not added, it will be added automatically for you.

Now you must wait for up to 20 minutes for the domain to be setup on our Forwarding nameservers.

Once the domain is setup in Web Forwarding, you can add DNS records. You click on the wrench icon under Control Panel in the table for your domains on My page. Then you click on Edit under DNS records. There you can add records and edit existing records.

To add a new DNS record you choose type, add host and data and click on +Add Record.

Changes to domains with a 3rd party DNS hosting provider

If your domain is hosted by a 3rd party DNS hosting provider and setup on their nameservers, you can add DNS records on their end but no changes are made through ISNIC.

It depends on the hosting provider how these changes are made, but the most common way is to login to the hosting provider’s website and add the DNS records through their interface. Contact your hosting provider if you have trouble adding the records to your domain.

If you’re not sure who your hosting provider is, you can see which nameservers your domain is setup on by typing the domain name in ISNIC's WHOIS Database

Connect domain to Squarespace

You can connect your .is domain to a Squarespace website with DNS records. Begin with following the first step in Squarespace's instructions. When you proceed to Step 2, you see the DNS records for your domain. Now head over to My page on the ISNIC website.

To activate the DNS hosting for your domain, you first need to register your domain to Web Forwarding. Add one A record (IP address) from Squarespace to the column Complete URL or IP address and click on Submit. Now you must wait for up to 20 minutes for the domain to be setup on our Web Forwarding nameservers.

Once the domain is registered in Web Forwarding, you can add the rest of the DNS records provided by Squarespace. Usually Squarespace gives you four A records (one of which you already added and wont need to add again) and two CNAME records. Click on the wrench icon under Control Panel and click on Edit under DNS records. There you can add new DNS records and edit existing once.

To add a new DNS record, choose the type, add host and data and click on +Add Record. Once you’ve added all the DNS records provided by Squarespace, click on the Refresh button on the Squarespace website and the domain should connect to your Squarespace site.

Bluehost January 2016 problems with

Late December 2015, issues with triggered automatic notice to .is Registrants. The nameserver doesn’t respond to DNS queries.

Bluehost says this is part of a DDoS protection, and that it’s being repaired, and that there is no known ETA of a fix, and that customers should use 3rd party DNS servers and point to their Bluehost IP Address (in the interim or instead).

ISNIC deactivates domains which have a broken DNS configuration after 8 weeks.

DNS Moving to Cloudflare?

After a recent problem with (search news stories for “DDoS against Dyn DNS”), several big DNS providers took additional precautions with one or more of their primary DNS servers. This includes moving them so that they are not hosted by *one* provider. This is generally a good thing and ISNIC has promoted operating your DNS servers on separate IP Networks, and separate AS numbers for resilient operations.

Some providers have moved their services to Cloudflare – which should be fine – however, some of them haven’t yet gotten their PTR RRs (Resource Records), also known as Reverse DNS, into the appropriate zone.

Cloudflare does know how to operate DNS services, and they do know how to add PTR RRs. As to why they’ve not applied them to these services are reasons unbeknownst to ISNIC. You must contact your DNS provider and ask them!

If they say all is well, use the ISNIC Zone Check – and forward the results to your provider. If they still continue to claim all is well, ask for better support – and someone who knows what “” means (and don’t think it’s an URL…)

If your DNS provider is Bluehost, ask them what this means:

dig -x +trace # results in a loop, which ends in: 86400 IN NS 86400 IN NS
;; Received 209 bytes from in 41 ms

( is the IP Address of, which is now hosted by Cloudflare)

If you continue to receive notices or information from Bluehost that your domain isn’t OK, move your DNS services away from Bluehost, since they no longer support .is domains for a period of more than 6 weeks (the counter in the e-mail from ISNIC should not exceed 8!) then you must take action.

ISNIC has been in contact with DNS specialists from Bluehost and Cloudflare – which should resulted in appropriate repairs (29th Nov). However, from 27th January we’ve received information that this has happened again. And PTR errors were resolved by Bluehost on 14th march 2017.

Bluehost has also recommend the A RECORD solution – since they will not support .is domains in their DNS solution.

If you have issues, and Bluehost suggest A RECORDs, then you can go to and in “Web Forwarding” enter the IP Address provided from Bluehost for your server (ping your domain may reveal this) – this will make ISNIC’s Web Forwarding service act as DNS Provider for your domain. If you also have e-mail active for your domain make sure to enter the correct mail server name! If Bluehost is also your mail server host, then you just type in your domain name in the mail server field.

G Suite and domain verification

The following instructions are made for those who do not have DNS hosting for their domain and want to use ISNIC’s forwarding service to connect to G Suite in accordance to Google’s help page.


Log in on, select your domain and click web forwarding. Under advanced settings you will find Mail Server (MX). According to Google’s help page the value you write in the mail server field is ASPMX.L.GOOGLE.COM. You will need to enter any valid URL or IP address in the top field, that could be another domain you already own.


You can use the TXT method through ISNIC’s forwarding service to accomplish this. We assume you are still on the web forarding page from the instructions above, with advanced settings opened. Go to Google’s help page (Add a TXT verification record (any domain host)) about domain verification and find your unique TXT record. Note that the code includes “google-site-verification=” and then is followed by 43 random characters, see an example:


Put the entire text into the TXT record field on the web forwarding page. After the domain has been verified you can remove the TXT record from the web forwarding page.

Gmail and missing messages from ISNIC

If you do not see our messages, like password reset, and you use Gmail – check your archive folder or your “other” Gmail reader!

Gmail may be archiving the messages, please read this document regarding Gmail and archiving options – one of which will most likely be the reason for this behavior.

The direct URL to your archive folder is here.

You can mark or flag as Very Important or assign it to the special folders in Gmail and indicate where this e-mail should go! Remember this applies to any and all messages which Gmail is sorting in this manner and is most definitely not only relevant to ISNIC!

Google verification for .is domains

Google Apps work very well with .is domains. However, you must go through some steps, with Google, to verify that you manage your domain.

ISNIC gets requests about this – and they are actually intended for your DNS operator. Although ISNIC offers “Web Forwarding” as a quick method of getting your domain up and running, we’re not your Registrar, we are the .is Registry!

To follow Google’s instructions, available here – you can follow the HTML advice if you’re already running a website – but the TXT or CNAME instructions must be done with a DNS hoster.

See a list of DNS hosters/providers on the ISNIC website and note that you may find FreeDNS services from some of them (like and

These information are informational only, and not meant as a suggestion or endorsement of any company mentioned here.

Squarespace and 3rd party DNS hosting

Your .is domain can easily connect to most website hosting providers by our simple web forwarding or using their name servers, but some providers such as Squarespace require more. This guide will use Squarespace as an example of how to use 3rd party DNS hosting.


First step is always to set up the domain on the webhost’s site. Look at Squarespace’s help page, starting from step 1.


After setting up the domain we need to find a DNS provider; here is a list of popular providers. You can find number of free DNS with any search engine. Note that your provider does not need to be an official provider on ISNIC’s website.
Setting up the domain on the DNS provider’s website varies greatly. Normally you will have to create an account and set up a new domain, they may want to sell you a domain, but just select to set up a domain.

Start by removing any A records if there are any, then add a new DNS record with the following setup.

Type: A
Host: @
TTL: use default value (common values are 3600 and 86400)
Points to: (copy IP to here)

Do this for each A record your website provider requires. Use Squarespace’s help page to see all 4 A records they require and get the IP addresses.
When all A records have been set up in accordance to your webhost’s requirements you will do the same as above but with CNAME records, making sure the fields are correctly filled out in accordance to your webhost’s instructions.


Log into your relevant account, select your domain, click redelegate, and either pick the service provider from the list of providers or enter the name servers manually.


You may need to wait some time, but Squarespace provides you with a tool (described in step 8 of their help page) to see if they have received updated information about the domain. After putting the domain on queue for redelegation you may want to hit that refresh button every half an hour.

The IPv6 digital dilemma

We are now entering the time of permanent IPv6 presence. 6th june is ‘IPv6 Launch Day‘ and following this, we’ll expect quite a large number of companies enabling IPv6 on their services, lots of ISP’s will make IPv6 available to their customers and you need to ask now, are you ready to accept the new and improved, the unknown and available, secure and open network standard now, later or never?
My first impression of IPv6 after reading some material was, ‘yes and no’, and it still is. I’ve made steps to improving my setup, I’ve tested and tested and still remain hesitant because I cannot suggest to anyone, neither home users or companies that they implement IPv6 now… But if your decision is to try and test, I can make some suggestions…
Whatever they say about stuff included with IPv6, IPsec, protocol differences etc., remember it’s only as secure as your least secure item on the network – so find your lowest common denominator and figure out how you’ll apply security and some will find easy ways of doing monitoring and auditing, while others will quickly notice that they’ve got none at all.
Lots of users will have hands on experience with their loggers, Event Viewer, syslog, console log etc. But there will be new issues with IPv6. My immediate realization and my experience:
  • Mostly not reading the log *all the time* and missing most stuff… for my parts, it’s ok since it’s mostly firewalled and ACL’s in the appropriate location
  • Firewalls and AntiVirus apps, not knowing anything about IPv6
  • IPv6 traffic which *I* don’t know anything about, like toredo tunnels and others (HE.NET, Freenet…)
  • Services defaulting to IPv6 servers with variable reliability and added delays, DNS issues with PTR records, hosts.allow messed up, all accurate responses to unexpected queries and traffic
Several accidental issues popped up after IPv6 enabled services where introduced, i.e. the service is implemented and tested and the AAAA record is added to the DNS and the service starts to popup *and failing*, why?
  • Routing and response issues, local firewall not accepting the new traffic. The new traffic isn’t as easy as “tcp port X is opened, and we respond”, oh no, we’ve got to worry about advertisments and neighbour discovery and this will be your issue if you’ve got rogues on your network because you’ll have to trust your neighbours or use software and correct configuration to ensure your traffic is secure. After configuring neighbour discovery and accepting the correct packages from the router, traffic starts to flow and ACL’s drop traffic again.
  • IPv6 addresses in ACL’s are commonly wrapped with []’s and the subnet mask *following*, i.e. [2001:470::]/32 (Hurricane Electric).
  • IPv6 isn’t correctly supported on all operating systems. Our users had MacOSX Leopard, which had problems with manual configuration and Snow Leopard which doesn’t correctly allow neighbour advertisments with ip6fw unless you strip PowerPC code from the binary…
  • On any network with a router advertisment daemon, any linux, MacOSX and many Windows Vista and all Windows 7 machines will popup with and IPv6 address. Windows XP machines shouldn’t do it unless specifically enabled.
  • Operating Systems *don’t* block IPv6 traffic by default. Your firewall may be *oblivious* to IPv6 traffic. You may have services which are enabled, fully protected on IPv4 – but they’ll be visible on IPv6 and may be hacked, even if they *are* the secure services. Do you watch your laptop or work machine for attempts to authorize users, the SSH daemon or SMB/CIFS services? Usually we just *block* access to authentication services but there are always servers which will allow this and if you don’t start dropping connections, you may be opening up a system for infinite hack attempts on generally secured services.
If you think you’re part of a network which is *too large to scan* – because your smallest network is 64 bits large, and your machine or server is hidden somewhere – remember many devices are servers, and will present AAAA records and PTR records may give away some information. A local machine will be able to discover the neighbours, so your immediate danger of ‘scanning’ is already a part of your neighbourhood. Also, this is all about discovery and when you start accessing services, you’ll start to leave your footprints and your digital fingerprint will be all over the internet and a port scanning device, sniffer or data mining tools will start collecting IPv6 addresses and information. Remember that the default setup for router advertisments will use your network cards MAC address (ethernet address) and when you move to a new network, you’ll already carry a identifier which can be datamined. IPv6 does have some methods of randomizing your IPv6 address for security. This will of course make it more difficult to maintain AAAA and PTR records and some services will refuse connection from addresses missing the PTR records or have a mismatch between AAAA and PTR (RFC931).
One contingency plan was to make the address space enourmously large, but it will be filled. Several vendors, users and companies will simply make lots and lots of networks, spend their CPU cycles in routing and ACL’s for a simpler setup, but it’s not a good solution. It’s an situation where a secure webserver may be hosted in a dedicated /64 network because we can’t as yet break it down to /120 and then manage that by ACL on the routing level BUT we can do it on a local level – if you implement strict policies, know your devices and have trustworthy management and auditing, but it’s a management nightmare which needs solutions. There will be many views on how to implement security and they are all important because security will be required.


My suggestions?
  • If you have a System Administrator, make sure he’s up to date, and that he’s met IPv6 people and knows what’s what.
  • If you don’t have a System Administrator, get advice – should you do it and how.
  • Get into the habit of audit and monitoring, free tools include ntop and cacti
  • Realize that there are holes which you cannot cover, since they may be your published application
  • Backup, backup and backup
  • Your system may be viable for separating services and users, this will make ACL’s and firewalls manageable… sort of
  • Remember your digital footprint. You may want to reduce it and if so, use the privacy extensions but it’s an addon to security, it’s not “the security”
  • Because native IPv6 will create a direct connection between nodes, each node should include security of some sort. Although you can implement a firewall on your routers, it’s not a solutions but an interim fix while you apply your internal IPv6 deployment and solve your internal issues.
Björn R. (My opinions are my own)

WIX DNS Services

If you are moving your web or DNS to WIX, but it fails through the ISNIC web – it’s possible the WIX nameservers haven’t been registered with ISNIC.

It’s ideal if WIX registers their nameservers with ISNIC, but the Zone Contact for WIX is EP29-IS (ISNIC NIC handle).

To top