Internet.nl
Our 100% Rating – What does it mean and how did we get it?
Table of Contents
1. Internet.nl – what is it and why does it matter?
Internet.nl is an open-source, free tool provided by the Dutch Internet Standards Platform (Platform Internetstandaarden), jointly developed and operated by the internet community and the Dutch government. The platform's partners include institutions such as the NCSC-NL (National Cyber Security Centre), NLnet Labs, SIDN (the .nl domain registry), the RIPE NCC, the Internet Society, and the Forum Standaardisatie.
The goal of the tool is exceptionally broad: rather than merely examining a single technological layer (like SSL Labs does with TLS, or the MDN Observatory with HTTP headers), it simultaneously evaluates five fundamental layers of internet infrastructure: the modern IP protocol (IPv6), domain name system authenticity (DNSSEC), encrypted connections (HTTPS/TLS), HTTP security settings (headers, security.txt), and route authorization (RPKI). This breadth of coverage distinguishes Internet.nl from other recognized tools.
It is important to emphasize: Internet.nl is primarily an internet standards compliance test, not a penetration test. The test standard is built upon the mandatory open standards list maintained by the Dutch Forum Standaardisatie, the security guidelines of the NCSC-NL, and the relevant RFC documents of the IETF. A 100% score means that the website and the infrastructure serving it fully comply with this system of standards.
The latest version 1.11 (April 2026) also incorporates the updated TLS guidelines issued by the NCSC-NL in mid-2025, once again modernizing the test standard.
2. What does Internet.nl test – the five categories of the website test
The website test consists of five main categories. Each category receives equal weight in the overall percentage score. Within a category, only REQUIRED subtests affect the score – RECOMMENDED and OPTIONAL subtests do not count towards the score, but they do appear in the report.
| Test category | What does it test? | Weight |
|---|---|---|
| IPv6 | Availability of the web server and nameservers on IPv6, IPv4/IPv6 consistency | Equal weight |
| DNSSEC | Domain signature and signature validity | Equal weight |
| HTTPS / TLS | TLS protocols, cipher suites, certificate, HSTS, DANE, CAA | Equal weight |
| Security settings | HTTP security headers (CSP, X-Frame-Options, etc.) and security.txt | Equal weight |
| RPKI | Route Origin Authorization for the IPs of the web server and nameservers | Equal weight (since 2025) |
2.1. IPv6 – Modern IP address support
IPv6 is the current internet protocol, the successor to IPv4, which solves the global IP address exhaustion problem and provides a better network architecture. Internet.nl checks the following aspects:
- Web server reachable on IPv6: the domain's AAAA record is valid, and the server actually responds to IPv6 connections.
- Nameservers reachable on IPv6: at least two IPv6-capable nameservers are required for full points.
- IPv4/IPv6 consistency: the IPv4 and IPv6 versions of the web server provide identical content and identical behavior – any discrepancy results in a point deduction.
IPv6 support might initially seem like an infrastructural issue, but it has real security and reliability implications: IPv6 implies a more modern network stack and is a prerequisite for future internet accessibility.
2.2. DNSSEC – Domain signature
DNSSEC (Domain Name System Security Extensions) protects DNS records with cryptographic signatures, preventing an attacker from injecting false DNS responses (DNS spoofing, cache poisoning). Internet.nl performs two subtests:
- Domain signed: the domain's SOA record has a DNSSEC signature. If there is a redirection (CNAME), it also checks whether the target domain is signed.
- Valid signature: the signature is cryptographically valid and has not expired.
DNSSEC is especially important for DANE (see below), whose prerequisite is that the domain must be signed. Without DNSSEC, DANE records do not provide reliable protection.
2.3. HTTPS / TLS – Secure connection
This is the most extensive category with the highest number of subtests. Version 1.11 (April 2026) of Internet.nl applies the NCSC-NL 2025 TLS guidelines, which define four security levels: Good, Sufficient, To be phased out, and Insufficient. Good and Sufficient settings pass, To be phased out results in a warning, and Insufficient means a failure.
| Subtest | What does it check? | Level |
|---|---|---|
| TLS version | Only TLS 1.2 and 1.3 – SSL/TLS 1.0/1.1 banned | REQUIRED |
| Cipher suites | Only strong AEAD suites; RC4, 3DES, NULL banned | REQUIRED |
| Key exchange | ECDHE/DHE (Forward Secrecy); weak DH parameters banned | REQUIRED |
| Certificate trust | Issued by a known CA, valid chain | REQUIRED |
| Certificate key length | RSA ≥ 2048 bit or ECDSA ≥ 256 bit | REQUIRED |
| Certificate signature algorithm | SHA-256 or stronger; MD5/SHA-1 banned | REQUIRED |
| HTTP→HTTPS redirection | HTTP requests are directed to HTTPS | REQUIRED |
| HSTS | Strict-Transport-Security header ≥ 6 months max-age | REQUIRED |
| DANE (TLSA record) | DNS-based certificate authentication (TLSA) | REQUIRED |
| CAA record | Certification Authority Authorization DNS record | REQUIRED |
| Extended Master Secret | Strengthened TLS session key according to RFC 7627 | REQUIRED |
| OCSP Stapling | Online certificate revocation check | RECOMMENDED |
| TLS compression banned | Prevention of CRIME vulnerability | REQUIRED |
DANE (DNS-Based Authentication of Named Entities): this is one of Internet.nl's most important and highest-level security requirements. DANE uses the TLSA DNS record (authenticated via DNSSEC) to anchor within the domain name system exactly which chain element the server's certificate must match. This practically eliminates MITM attacks utilizing fake certificates, even if a CA is compromised – an event that could otherwise occur despite a CAA record.
CAA (Certification Authority Authorization): a DNS record according to RFC 8659, which specifies which CAs are allowed to issue a certificate for the domain. This prevents unauthorized certificate issuers from issuing false certificates for the domain.
2.4. Security settings – HTTP headers and security.txt
This category partially overlaps with the areas examined by the MDN Observatory, but Internet.nl evaluates them based on its own standards. Based on NCSC-NL guidelines and current web security standards, it checks the following elements:
| Header / Setting | What does it protect against? | Level |
|---|---|---|
| Content-Security-Policy (CSP) | XSS, code injection, loading unauthorized resources | REQUIRED |
| X-Frame-Options / CSP frame-ancestors | Protection against clickjacking | REQUIRED |
| X-Content-Type-Options: nosniff | MIME-sniffing based XSS attacks | REQUIRED |
| Referrer-Policy | Prevention of sensitive URL data leakage | REQUIRED |
| security.txt (RFC 9116) | Publishing security vulnerability reporting contact | REQUIRED |
security.txt (RFC 9116): this is one of Internet.nl's unique and less commonly known requirements. According to the RFC 9116 standard, a file available at the /.well-known/security.txt path allows security researchers and ethical hackers to easily contact the organization if they find a vulnerability. The file must include a valid Expires field, Contact information, and a PGP signature for full points.
2.5. RPKI – Route authorization
RPKI (Resource Public Key Infrastructure) strengthens the routing security of BGP (Border Gateway Protocol). BGP is the routing protocol that forms the backbone of the internet, with the fundamental weakness that it does not authenticate route announcements – making so-called BGP-hijacking attacks possible, which can lead to the hijacking or disruption of internet traffic.
Through RPKI Route Origin Authorization (ROA) records, the owners of network resources cryptographically anchor which Autonomous System (AS) is permitted to announce a route on behalf of a given IP address block. Internet.nl checks RPKI for three groups of servers:
- Web server IPs: all IP addresses pointing to the web server have a valid ROA.
- Nameserver IPs: all IP addresses pointing to the domain's nameservers have a valid ROA.
- BGP route validity: the actual BGP route announcements match the published ROAs.
RPKI became a scoring factor on Internet.nl in January 2025 (version 1.9). Previously, it was only displayed for informational purposes. This means that domains previously unaffected by the RPKI requirement can no longer achieve a 100% score without it as of this change.
3. The scoring system
Internet.nl's scoring differs significantly from the approach of SSL Labs and the MDN Observatory: while they work with points and letter grades, Internet.nl gives a single percentage value, which is calculated as the equally weighted average of the test categories.
- The score formula: the equally weighted average of the scores of all test categories. Currently, there are 5 main categories (IPv6, DNSSEC, HTTPS, Security settings, RPKI), each with an equal weight of 20%.
- The score of a category: is derived from the pass rate of the REQUIRED subtests within it. If a category consists of 4 subtests and three pass but one fails, the category is worth 75%.
- RECOMMENDED and OPTIONAL subtests: these do not affect the score – but they appear as warnings or information in the report.
- Condition for a 100% score: all REQUIRED subtests must be passed flawlessly.
- Hall of Fame: domains achieving a 100% score are inducted into the Internet.nl Hall of Fame, where the domain is listed with a verifiable, publicly accessible result entry.
4. How do websites generally perform?
The current data from the Internet.nl Hall of Fame provides an accurate picture of the field we measure ourselves against:
- 57,681 domains reach 100% on the website test (according to current Hall of Fame data). Compared to the internet's countless millions of active domains, this is an extremely narrow circle.
- 29,840 domains reach 100% on the e-mail test – this is considerably more difficult, as the complete and correct configuration of mail infrastructure (STARTTLS, DANE, DMARC, DKIM, SPF) is a more complex task.
- 6,800 domains reach the "Champion" status, meaning 100% on both the website and e-mail tests – this is the narrowest, most elite category.
- 76 hosters are on the Hall of Fame for Hosters list, those who achieve 100% on both tests for their own domain and ensure the possibility for their clients to achieve the same.
Internet.nl itself emphasizes that its test standards are continuously becoming stricter: the introduction of RPKI in 2025 affected many domains that previously had 100%. With version 1.11 (April 2026), the NCSC 2025 TLS guidelines were also integrated into the requirements, filtering the field once again.
For context: the Dutch government – which prescribes the Internet.nl standards as a mandatory standard for its own agencies – did not achieve 100% on all of its own websites according to 2024 measurements.
5. What does our 100% rating mean?
A 100% score means that we passed all currently mandatory (REQUIRED) subtests flawlessly across all five categories. Specifically, this assumes the following infrastructural and configuration levels:
IPv6
- The web server is accessible on both IPv4 and IPv6, and the two versions provide consistent content and behavior.
- At least two nameservers have IPv6 availability.
DNSSEC
- The domain's SOA record has a valid DNSSEC signature.
- The signature is cryptographically valid and has not expired – the regular renewal of signatures is continuously ensured.
HTTPS / TLS
- Exclusively TLS 1.2 and 1.3 are enabled according to the NCSC-NL 2025 guidelines.
- Only strong, AEAD-based cipher suites are used: AES-256-GCM, AES-128-GCM, ChaCha20-Poly1305.
- Forward Secrecy is ensured on every connection (ECDHE/DHE).
- Valid certificate chain issued by a trusted CA, with an SHA-256 or stronger signature.
- A valid HSTS header with a max-age value of at least 6 months.
- DANE (TLSA record): DNS-based certificate authentication, protected by a DNSSEC signature. This is one of the most advanced TLS protection mechanisms, which most websites do not implement at all.
- CAA DNS record: specifies which CAs may issue certificates for the domain.
- Extended Master Secret (RFC 7627) is supported.
Security settings
- Content-Security-Policy: strict, default-src based directive.
- X-Frame-Options or CSP frame-ancestors directive.
- X-Content-Type-Options: nosniff.
- Referrer-Policy: with a value appropriate from a privacy standpoint.
- security.txt (RFC 9116): valid, PGP-signed file provided with a current expiration date.
RPKI
- The IP addresses of our Hetzner VPS in Nuremberg have a valid RPKI ROA.
- The IP addresses of the nameservers are also protected by a valid ROA.
- The BGP route announcements match the published ROAs.
The unique feature of the Internet.nl 100% rating compared to other tests is that it does not merely certify the HTTP-level configuration of the web server (MDN Observatory) or its TLS implementation (SSL Labs), but the infrastructural depth of the entire internet presence: the authenticity of the DNS layer (DNSSEC), the security of the routing layer (RPKI), modern IP protocol support (IPv6), and the certificate-binding mechanism (DANE) simultaneously.
6. The limitations of Internet.nl – what the test does not measure
Internet.nl itself explicitly emphasizes: it is primarily a standard compliance test, not a security audit. The following areas are not part of the examination:
- Application-level vulnerabilities: SQL injection, XSS, CSRF, and other OWASP categories.
- Web standards: HTML validity, accessibility, performance.
- Identity standards: SAML, OpenID Connect, and the like.
- Post-quantum cryptography: algorithmic resistance against quantum computers – this is on the Internet.nl roadmap, but is not yet a scoring factor in the current version.
- E-mail tests: the website test does not extend to the e-mail infrastructure (DMARC, DKIM, SPF, STARTTLS) – a separate e-mail test is required for those.
7. Summary
Internet.nl is the most comprehensive, publicly available testing tool for internet infrastructure compliance: it simultaneously evaluates IPv6 availability, DNSSEC signature, TLS configuration (including DANE and CAA), HTTP security headers, security.txt, and RPKI protection.
Our 100% rating certifies that our website and the infrastructure serving it:
- fully comply with the mandatory open standards list of the Dutch Forum Standaardisatie – the very same system of standards that the Dutch government mandates for its own agencies;
- comply with the latest (2025) TLS security guidelines of the NCSC-NL;
- implement DANE, one of the internet's strictest certificate authentication mechanisms;
- run on an RPKI-protected routing infrastructure, eliminating the possibility of BGP-hijacking;
- and belong to the narrow circle – a tiny fraction of the entire internet – of domains that achieve a genuine 100% score.
The three ratings – the 130/100 A+ result of the MDN Observatory, the A+ grade of SSL Labs, and the 100% score of Internet.nl – together verify that our website meets the strictest industry expectations in every relevant dimension up to the current limit of measurability.
Source: Internet.nl – internet.nl · Scoring: internet.nl/faqs/report · GitHub: github.com/internetstandards/Internet.nl
Current version: v1.11.1 · Last substantial update: April 21, 2026. (Integration of NCSC TLS 2025 guidelines)