Registrant verification[Link]

General[Link]

From 16 November 2020, we activated our project Registrant Verification for .be domain names.

Every new domain name is checked against a series of parameters to determine if it’s a suspicious registration. If the domain name matches several parameters, it’s not delegated and proof of identity is requested.

When verification of identity is received, the domain name is delegated.

Process[Link]

The flow for registrant verification is shown in this diagram:

Registrant verification flow - see scenario.

The scenario for registrant verification is as follows:

  1. A new domain name is registered.

  2. The domain name is not delegated if verification is required.

  3. The registrant receives an email to ask for verification.

  4. The registrar receives an EPP poll/CPS message indicating verification is required.

  5. The registrant proves his/her identity.

  6. DNS Belgium approves the documentation.

  7. DNS Belgium returns control of the domain name.

Step by step[Link]

1. A new domain name is registered[Link]

Your client contacts you with the request to register a domain name. The new domain name is checked against a series of parameters to determine if it’s a suspicious registration. If it’s selected, the next steps are executed.

Note

We use a series of parameters that automatically check the registrant’s data. Only if several parameters indicate incorrect or incomplete data, do we intervene. We constantly adjust these parameters in order to remain relevant in the fight against fraud.

2. The domain name is not delegated while verification is pending[Link]

The name servers used at registration are overridden. When the registrant’s data is verified (step 6), the domain name is activated within the hour.

More information for the registrant can be found on our website. Please use this page as a guide for your registrant:

https://www.dnsbelgium.be/en/registrant-verification

3. The registrant receives an email to ask for verification[Link]

We send an email to the registrant asking for verification:

The email provides a link to our website where the registrant can verify their identity. They can do this by electronic identication methods or by uploading documents to a safe location (see step 5).

Warning

If you have chosen to inform the registrant yourself through your Registrar settings, you are responsible for sending the verification url to the registrant yourself. You can retrieve the correct url using info-contact v2.0 (see below).

4. The registrar receives EPP poll/CPS messages indicating verification is required[Link]

You will receive two EPP Poll messages/CPS emails to indicate that registrant verification is required for the domain name:

The domain name is not delegated until the verification documents are received. For every future domain name registered with the same contact handle, you will receive another message ‘Verification required for domain ${domainName}.${tld}’ as long as the contact isn’t verified.

5. The registrant proves his/her identity[Link]

Registrants can prove their identity in two ways, both are accessible through the website:

  • By providing their identity using an electronic identification method.

  • By uploading identity documents to a safe location accessible by our Support team. A list of acceptable documents can be found on our website. DNS Belgium Support will provide feedback to the registrant.

6. DNS Belgium approves the documentation[Link]

DNS Belgium receives the proof of identity.

6a + 6b. If the registrant has uploaded documents to our safe location, they will be checked by DNS Belgium Support staff. If there is an issue or more documents are needed, the registrant will be contacted by DNS Belgium Support. Because of the intervention of our Support staff, this may take up to 5 days.

6c. If the registrant has used an electronic identication method, the domain name is automatically approved and will be active within one hour.

7. DNS Belgium returns control of the domain name[Link]

When the proof of identity is accepted, the registrar is notified via POLL message or CPS email:

The registrant receives an email for all his affected domain names:

The domain name is activated and can be used by the registrant. Any other domain that is registered for this registrant (using the same contact handle) in the future will automatically be approved.

Warning

Only new domain names that use the same contact handle will be approved. If you make copies of the registrant contact to create new domain names, the registrant will have to verify again.

What if?[Link]

No documentation is provided[Link]

Do the documents insufficiently prove that the holder data are correct? DNS Belgium Support requests additional information. The domain name remains registered but it can’t be used.

The registrant doesn’t provide us with the necessary documents? The domain name remains registered but it can’t be used.

Any other new domain registered with the same contact handle will also be selected for verification and therefore be delegated to DNS Belgium’s landing page. Domains previously registered with the same contact handle will not be affected.

You want to update the Registrant to comply[Link]

A registrant contact selected for registrant verification has verification status Pending. In this state, any update to the contact is allowed. Normal restrictions don’t apply. You can update the contact via My registrations or EPP.

The domain name is transferred away[Link]

We will look at the status of the new contact used in the transfer transaction. In general, we use the status of the new contact. There is one exception: If the old contact is pending verification and the new contact is unverified, the new contact will be set to pending verification.

The contact is updated[Link]

Contacts that are unverified or pending verification keep their status. Contacts that were verified revert back to unverified and our Support team is notified. They will do a manual check on the updated contact.

Number of attempts[Link]

If a registrant is picked for verification, they can try maximum 3 times. After 3 failed attempts, they are directed to our Support staff who will help them to upload documents for verification to our safe location.

Please help your registrants by updating their contact details to match their identity documents.

Number of verifications[Link]

We want to prevent that one individual could approve all domainnames at the same registrar.

This is why DNS Belgium allows for a maximum number of verifications per individual. If this maximum is reached, the website will show an error message and the individual is asked to contact Support. Our Support staff will determine if the maximum can be adjusted for that specific case. Otherwise another individual must verify the domain name.

You want to inform the registrant yourself[Link]

In case you have chosen to notify your registrant yourself in your Registrar settings, these are the steps you should follow.

The decision to verify the details of a domain name is made at creation, so you will receive a poll message about the domain name and registrant immediately after creation of the domain name. At that time you can use info-contact v2.0 with the registrant contact handle to retrieve the url for the registrant. You can use that url in your client portal or in an email template of your own to inform your registrant.

You want to do the verification yourself[Link]

When you do registrant verification yourself, we can activate the ‘registrant verification at registrar’ - feature. This makes it possible for you to indicate which contacts you have verified yourself.

When the feature is activated, you can indicate verification in a create-contact and an update-contact transaction by using the DNS Belgium extension. Contacts for which you use the extension will get the verification status ‘Verified’. Other contacts can still be selected for registrant verification by DNS Belgium. Already existing contacts will go to verified when they are updated using the extension, including the ones that are in verification pending.

Before registering or transferring a domain you should verify the contact, else it can be selected for registrant verification.

To indicate you have verified the registrant yourself, you have to provide a submission date and a source of verification:

  • Submitted date: date on which the verification was done by the registrar

  • Source: Primary application or documentary evidence used for the verification of the registrant contact data, this must be one from the following list:

Verification source

Related application or documentary evidence

ITSME

itsme® has been officially recognised by Europe as a reliable means of identification, at high level. The itsme® app fulfils the highest security requirements of eIDAS

IDENTITY_CARD

the registrant’s national identity card

PASSPORT

the registrant’s national passport

RESIDENCE_PERMIT

the registrant’s residence permit

DRIVING_LICENSE

the registrant’s driving license

INTERNATIONAL_DRIVING_LICENSE

the registrant’s international driving license

UTILITY_COMPANY_INVOICE

invoice of a utility company registered in the name or legal entity of the registrant

UBO_REGISTER_EXTRACT

extract of the UBO database in the legal entity of the registrant

NOTARISED_DEED

an original notarised deed specifying the name or legal entity of the registrant

LEGAL_ENTITY_DEED

an original deed of a legal entity stamped by the court registry specifying the registrant

CHAMBER_OF_COMMERCE_EXTRACT

extract from the chamber of commerce in the legal entity of the registrant

BUSINESS_REGISTER_EXTRACT

extract of the business register specifying the legal entity of the registrant

CERTIFICATE

licensed certificate of the legal entity of the registrant

CONTRACT_WITH_CLIENT

contract between you and your client specifying the legal entity of the registrant

LEI_INVOICE

the invoice of the LEI publisher and/or the LEI number specifying the legal entity of the registrant

LEI_SCREENSHOT

screenshot of the LEI portal specifying the legal entity of the registrant

BANK_PAYMENT

bank payment in the name or legal entity of the registrant

BANK_STATEMENT

a statement from the bank confirming that the registrant is the owner of the account, including the contact details of the registrant

POWER_OF_ATTORNEY

a letter established on behalf of the registrant specifying the legal entity of the registrant, the attorney that is entitled to represent or act on behalf of the registrant and dully signed by an authorised representative of the registrant

IDIN

iDIN is a service provided by Dutch banks that allows consumers to identify themselves at other organisations using their own bank’s secure and trusted login methods

FULL_CBE_EXTRACT

Full extract of the information of the Crossroads Bank for Enterprises which can be obtained through the MyEnterprise app/website

SOCIAL_SECURITY_EXTRACT

Certificate from the National Social Security Office with status outstanding debts or certificate of registration, available through https://www.socialsecurity.be/site_nl/employer/infos/attests.htm

OTHER

any other document or certificate which unambiguously proves the identity of the registrant and which is not publicly available

For examples on how to use the extension in My registrations and EPP, see the examples below.

To activate this feature on your Tryout account, contact our support staff at support@dnsbelgium.be.

To activate this feature for your Live account, we will need documentation of your verfication process and you need to sign an addendum to your registrar contract. Get in touch with our support staff at support@dnsbelgium.be to start the onboarding.

The documentation of your verification process should include an accurate and detailed description of your process flow and show us when and how you check your client’s details. We expect at least the following checks:

  • email address

  • name and/or organisation

  • address

We are closely following the conversion of the NIS2 directive into national legislation and we try to anticipate its guidelines. It is possible more checks are needed in the future.

Test data[Link]

See Tryout system.

More information[Link]

My registrations[Link]

All registrant contacts have an extra verification status. When a contact is selected for verification, a banner is shown on top of the ‘View contact’ page and the Verification status of the contact is set to Pending:

Contact view in My registrations

At the bottom of view contact, an extra button is available to request the verification url for this registrant. When you click on this button, the mail to the registrant to request a verification is resent. If you have chosen to inform your registrant yourself, you will see the url and can use it in your own mail templates.

On the domain view, a banner is also shown:

Domain view in My registrations

If registrant verification at registrar is activated, extra input fields are added to the create contact and update contact transaction. You first have to check ‘This contact is verified’ before you can add the details of the verification:

Domain view in My registrations

If you leave these fields empty for a create contact or an update contact, the contact will revert back to verification status ‘Not verified’.

EPP[Link]

Via EPP, you can use info-contact v2.0 to see the verification status of a contact and the url where the registrant can provide verification, the EPP server will give the following response:

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:contact="urn:ietf:params:xml:ns:contact-1.0" xmlns:dnsbe="http://www.dns.be/xml/epp/dnsbe-1.0">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <resData>
      <contact:infData>
        <contact:id>c23145796</contact:id>
        <contact:roid>23145796-DNSBE</contact:roid>
        <contact:status s="ok"/>
        <contact:postalInfo type="loc">
          <contact:name>anonymous</contact:name>
          <contact:org>anonymous</contact:org>
          <contact:addr>
            <contact:street>anonymous</contact:street>
            <contact:city>Leuven</contact:city>
            <contact:pc>3000</contact:pc>
            <contact:cc>BE</contact:cc>
          </contact:addr>
        </contact:postalInfo>
        <contact:voice>+32.1111222233</contact:voice>
        <contact:email>veerle@test.be</contact:email>
        <contact:clID>a003774</contact:clID>
        <contact:crID>a003774</contact:crID>
        <contact:crDate>2020-08-03T07:23:17.000Z</contact:crDate>
        <contact:upDate>2020-08-26T07:59:09.000Z</contact:upDate>
      </contact:infData>
    </resData>
    <extension>
      <dnsbe:ext>
        <dnsbe:infData>
          <dnsbe:contact>
            <dnsbe:type>licensee</dnsbe:type>
            <dnsbe:lang>nl</dnsbe:lang>
            <dnsbe:onhold>false</dnsbe:onhold>
            <dnsbe:verification>pending</dnsbe:verification>
            <dnsbe:verificationurl>https://www.dnsbelgium.be/en/verification#token=e23e9e28-c404-483a-9a38-f43bf6a5b399</dnsbe:verificationurl> 
            <dnsbe:verificationtype>AUTO</dnsbe:verificationtype>
          </dnsbe:contact>
        </dnsbe:infData>
      </dnsbe:ext>
    </extension>
    <trID>
      <clTRID>info-contact-00</clTRID>
      <svTRID>dnsbe-0</svTRID>
    </trID>
  </response>
</epp>

Using info-domain v2.0, you will see that the nameservers are overridden:

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:domain="urn:ietf:params:xml:ns:domain-1.0" xmlns:dnsbe="http://www.dns.be/xml/epp/dnsbe-1.0">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <resData>
      <domain:infData>
        <domain:name>testdomain.be</domain:name>
        <domain:roid>6208625-DNSBE</domain:roid>
        <domain:status s="ok"/>
        <domain:registrant>c7780601</domain:registrant>
        <domain:contact type="billing">c7780583</domain:contact>
        <domain:contact type="tech">c7780581</domain:contact>
        <domain:clID>a000001</domain:clID>
        <domain:crID>a000001</domain:crID>
        <domain:crDate>2010-06-22T13:06:41.000Z</domain:crDate>
        <domain:upID>a000001</domain:upID>
        <domain:upDate>2010-06-24T12:09:24.000Z</domain:upDate>
        <domain:exDate>2011-06-24T12:09:24.000Z</domain:exDate>
        <domain:trDate>2010-06-24T12:09:24.000Z</domain:trDate>
      </domain:infData>
    </resData>
    <extension>
      <dnsbe:ext>
        <dnsbe:infData>
          <dnsbe:domain>
            <dnsbe:onhold>false</dnsbe:onhold>
            <dnsbe:quarantined>false</dnsbe:quarantined>
            <dnsbe:nameserversOverridden reason="Pending registrant verification">true</dnsbe:nameserversOverridden>
          </dnsbe:domain>
        </dnsbe:infData>
      </dnsbe:ext>
    </extension>
    <trID>
      <svTRID>dnsbe-0</svTRID>
    </trID>
  </response>
</epp>

If registrant verification at registrar is activated, you can add an extension to the create contact and update contact transaction to indicate verification:

<epp xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd urn:ietf:params:xml:ns:contact-1.0 contact-1.0.xsd http://www.dns.be/xml/epp/dnsbe-1.0 dnsbe-1.0.xsd" xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:contact="urn:ietf:params:xml:ns:contact-1.0" xmlns:dnsbe="http://www.dns.be/xml/epp/dnsbe-1.0">
  <command>
    <create>
      <contact:create>
        <contact:id>you_choose_it</contact:id>
        <contact:postalInfo type="loc">
          <contact:name>Jonathan Smith</contact:name>
          <contact:org>Great Company Inc.</contact:org>
          <contact:addr>
            <contact:street>Greenstreet 23</contact:street>
            <contact:city>Brussels</contact:city>
            <contact:sp/>
            <contact:pc>1000</contact:pc>
            <contact:cc>BE</contact:cc>
          </contact:addr>
        </contact:postalInfo>
        <contact:voice>+32.16284970</contact:voice>
        <contact:email>j.smith@greatcompanyinc.cctld</contact:email>
        <contact:authInfo>
          <contact:pw>Polar Ice</contact:pw>
        </contact:authInfo>
      </contact:create>
    </create>
    <extension>
      <dnsbe:ext>
        <dnsbe:create>
          <dnsbe:contact>
            <dnsbe:type>licensee</dnsbe:type>
            <dnsbe:vat>BE 0123 476 545</dnsbe:vat>
            <dnsbe:lang>nl</dnsbe:lang>
-- verification extension
            <dnsbe:verification>
              <dnsbe:source>BANK_PAYMENT</dnsbe:source>
              <dnsbe:submitted>2022-10-06T12:25:38.280Z</dnsbe:submitted>
            </dnsbe:verification>
-- verification extension
            <dnsbe:verification>
          </dnsbe:contact>
        </dnsbe:create>
      </dnsbe:ext>
    </extension>
    <clTRID>clientref-00002</clTRID>
  </command>
</epp>

Using the extenion without the proper permission will result in an error message and a hitpoint for the registrar.