| This 99 message thread spans 4 pages |
|ICANN new transfer policies take effect Nov. 12|
Whenever I get any domain name news that can potentially affect ALL domain name owners, I'll be sure to post it.
Some of you may or may not know by now, but the Internet Corporation for Assigned Names and Numbers (ICANN), the governing body charged with overseeing the Domain Name System, has formulated new domain name transfer policies that will take effect on November 12, 2004:
So what does this mean?
First, the good news: it makes domain name transfers simple and painless because you actually don't even HAVE to confirm it anymore!
All you have to do is go to the new registrar/reseller of your choice, follow their instructions on how to create an account with them (be it online or via fax), pay up, then the new registrar/reseller will notify your current one of the impending transfer.
Ideally, the new one will send an authorization email to the email address of the administrative contact based on the domain name's WHOIS record. Whoever has access to that email must either confirm or deny the request.
But here's the change: whether you receive it or not, the default result is that the registrar or reseller MUST release the domain name from their systems & transfer it to the new one.
Standard exceptions still apply, though:
1. Domain must still be paid. Better you do this at least 30 days before expiration.
2. Domain must not be "locked".
3. Domain must not be in any sort of dispute.
Assuming at least those 3 exceptions don't apply to your domain name, your transfer will push thru without a hitch. Barring any technical hiccups, of course. :)
Now, the bad news: just as it will become easier to move your domain name to your new registrar, it becomes easier for one total unknown stranger to do this without your consent.
So what must you do to prevent this from happening?
1. Contact your registrar or reseller and ask if they have a sort of locking feature that prevents domain transfers from taking place. Most if not all registrars provide this.
If they do, you must log inside your account and activate it yourself. A friend of mine, though, notified me she recently got an email from her domain registrar that they will turn on their locks for all domains on a certain date, so be sure to read any email from your current registrar or reseller regarding this.
2. If your domain name doesn't have this lock, check your domain name's WHOIS contact information (or internal info) & ensure the email address w/in is correct & only you have access to it. This is to ensure you receive the email and follow its instructions on how to deny the transfer.
3. Since ISPs sometimes block legitimate emails from reaching their recipients, be sure to "whitelist" them. If necessary, please contact your registrar or reseller and ask what is their specific email address that'll be sent to you requesting confirmation or denial of the transfer.
I'll keep you all posted as the date when the transfer policies take effect looms near. Meanwhile, please be sure to inform as many people as you can about this to prepare for it.
Take care of your domain name/s!
[edited by: Brett_Tabke at 8:45 pm (utc) on Sep. 13, 2004]
[edit reason] fixed formating [/edit]
The 4-day Thanksgiving weekend is just around the corner and should provide some greater insight into just how much this new policy becomes a problem.
Does this mean the domain is locked, or not?
My registrar's info is somewhat contradictory and un-informative.
|Domain status: |
Does this mean the domain is locked, or not?
That's exactly what you DO want to see. You are safe.
Thanks. I have too many projects on the go right now for other people to deal with my own domain issues.
I am waiting to hear if my Registrar will lock all names. A couple of months ago they said they wouldn't. Now, if they don't I'm moving a few hundred names to one that will.
Can someone recommend a reliable Registrar for .com AND .co.uk names, that provides a lock service? Feel free to send me a sticky-mail if you prefer.
Network Solutions you could transfer away domains without approval, they sent an email saying if you did not click this link the domain would be transferred ;) And well SPAM is so high on email addresses used for whois that most domains tested would transfer.
One of my domains says "Lock Status: ACTIVE"
I'm a bit confused as to what this means. Should I ask my registrar to change the lock status? Thanks.
ACTIVE means that you are potentially at risk for a domain hijacking. Ask your registrar to change the status to REGISTRAR-LOCK or move your domains to a registrar that will lock them.
Thanks for the reply, nativenewyorker. It is appreciated. I will look into this.
that's insane... are you sure about that? I remember MS "forgetting" one of their domains once, almost expiring... so this could happen to everybody and to every small or big corporation.
|Network Solutions you could transfer away domains without approval |
If you have a domain at DotRegistrar, it may show as:
The same domain shows as Status: ACTIVE in a whois search using another whois tool/website like whois dot sc.
Woah woah woah woah WOAH! Take it easy, everyone. Look carefully at the document ... here, I'll help:
THE LAYPERSON'S OVERVIEW [icann.org]
The relevant blurb:
|If you wish to transfer your domain name from one ICANN-accredited registrar to another, you may initiate the transfer process by contacting the registrar to which you wish to transfer the name. This registrar is required to confirm your intent to transfer your domain name using Initial Authorization for Registrar Transfer. If you do not respond or return Initial Authorization for Registrar Transfer, your transfer request will not be processed. |
THE APPARENTLY CONFLICTING DOCUMENT [icann.org]
Note: The second document predates the first ... but it is of no consequence.
The relevant blurb:
|Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer. |
In document #1, we see that "If you do not respond or return Initial Authorization for Registrar Transfer, your transfer request will not be processed."
In document #2 it seems to be limited by the relevant blurb. But people ...
this is a two-part process! Yay! :)
In document #1, it says that YOU, as the Administrative Contact of Record must agree to the transfer by responding to an email sent to the Administrative Contact of Record.
Next, FOLLOWING RECEIPT OF AUTHORIZATION TO TRANSFER FROM YOU, document #2 says that if the Registrar of Record does not respond within 5 calendar days, then the transfer will go through, as the default action.
It's a bonus for us!
Now, your transfer won't be crapped on by the failure of your CURRENT registrar to acknowledge the email sent by your FUTURE registrar. Previously, a registrar could "forget" or "miss" an authorization request, and keep your domain. Now, in addition to your permission, which you have always needed to give for a transfer and will continue to need to do, if the registrar "misses" or "forgets" to respond to the transfer request, your transfer will go through just as you intended.
If YOU reply in the negative or don't respond to the initial Administrative Contact of Record email (because you initiated the transfer and then went on vacation or because it's a bogus request), you'll never get to the second step involving the current registrar, and the transfer will NOT go through.
If YOU reply in the positive, by clicking on the link to authorize the transfer, THEN it goes to the current registrar, and if they respond in the affirmative or do not respond at all within 5 calendar days, your request goes through per your instructions.
Do you really think that ICANN would make it easier to hijack a domain?
The automatic locking of all domains by NetSol and others is a move on their part to make it more difficult for us to move to a lower-priced registrar. Don't fall for it.
Get some sleep tonight, folks. :)
|Mr Bo Jangles|
|Domain locking is a very good thing, and I am very happy that many registrars are now doing this by default. Of course - it is in THEIR best financial interest to retain their customers, as well as helping their customers avoid fraudulent transfers. |
Regrettably Tedster, not always. You only need to be part of the poor suffering group who have domain names with TotalNIC/PacNames to realise what a mess they/we are in.
Despite multiple threats of legal action, pleas, letters and e-mails to them and ICANN, letters to State and Federal Fair Trading, none of these people can get these 'worms' to unlock their domains. It is an appalling situation in this day and age, and one which ICANN could fix in a heartbeat, but remain removed from.
Is it true that .info and .biz do not support locking?!?
|If YOU reply in the positive, by clicking on the link to authorize the transfer, THEN it goes to the current registrar, and if they respond in the affirmative or do not respond at all within 5 calendar days, your request goes through per your instructions. |
I see a little bit of spin here with the "your request goes through per your instruction". What if it's not my instructions?
Irrespective of what reply I send the current registrar if the registrar messes up and doesn't reply then I lose my domain!
|if the registrar "misses" or "forgets" to respond to the transfer request |
... then you are scr*wed.
I'm trying to figure this bit out. ;) Or have I understood this all wrong?
for this clarification.
Yes, this would work perfectly well, if ... if ...
>> the registrar to which (you or something else) wish to transfer the name
will work properly / honestly / not playing false games pretending and faking to the Registrar-of-record that there is a domain owner's confirmation when actually there is not.
*Most* registrars will surely work well, surely almost all, but ... really all? Those back there in Absurdistan, too?
Will someone, please, confirm that I am just paranoid, and everything will be fine ...
So stupid script ..what happens if you get a mail asking if you agree to transfer ..from a registrar either current or possible future who sends you their mail in another language ..You go to babelfish ( which translates it wrong) and you approve ..or you "guess" and don't do anything ..and the transfer happens anyway ...
I can't quote the details exactly cos they were gethens in the previous thread that I linked to ..BUT he did send me the mail which he got in French ( he didn't know his reseller "resold" for a French registrar )..AND IT WOULD HAVE TRANSFERRED HIS DOMAIN TO SOMEONE ( NOT HIM ) WHO INITIATED THE REQUEST TO TRANSFER ...IF HE DID NOT REPLY ...
The problem is not with locking your own ..the problem some are having is with registrars that sell locked by default ..and give no one the key ...
I stickied Kapow with a registrar and one of their resellers who are cheap, reliable and I know from personal experience their lock/unlock is your choice only and you can change it as many times as you want ..with just one click ...
In spite of my current problems with working around an attack ( heh heh ..starting to see just what it altered ..got to respect the coding abilities of the "hacker" even if it is a PITA ) ...and as a consequence ..I am not here much ...
Nevertheless any one who wants their url's is welcome to sticky me .. can't post their name ( TOS) ....I have no connection with them at all ( except that I use them ) ....and in 5 years they haven't put a foot wrong ...
And they communicate in clear , easy ,English ...( no confusion over what their lock panel says ) ...!
Please forgive me if this has already been answered.
But in the case where I want to transfer a domain from another registrar to my main one, I go to the "other" registrar, and unlock the domain. I put in my transfer request, etc.
But what is to keep some other person from submitting a transfer request at the same time? Since the lock is a public record and since there are services that monitor the status of a domain, anyone could see that the lock has been removed, and then put in a transfer.
So how does that keep the domain from being stolen?
Because your transfer request has already started and you have already received the email asking for confirmation ..therefore you are expecting the transfer and will normally have replied that it is OK ..
IE ..you have already started the process so even if someone else sees the "lock" status change ( which is unlikely as the change of "lock" status will normally only be seen after the transfer has taken place ) ...
And two requests from two different addresses are enough to make even the dumbest registrar sit up and say "something smells" and get back to you ..not the other guy!
( remember ..you can spoof an email address ..but they reply to the real one ..that's how you can get so much crap about "a message you sent could not be delivered...yadda yadda" ..because some "zombie" which had your addy in it sent out a mail saying it was from you ..but you get the auto reply )
In spite of what it says on many sites ..about transfers taking up to 7 days yadda yadda ..
Unless the current registrar decides to get "difficult" about it ..transfers go through in 24 to 48 hours ...sometimes less ..( the public record won't change until the transfer process is finished ..only then does it update ..unless you unlock and then go to sleep for a month ..in which case you get what you deserve )..
Just got a reply from my Registrar. They do not provide a locking service, they are deciding what to do about the new ICANN rules and will let me know.
Hmmm looks like I need a new Registrar
My question was overlooked: .info and .biz (+others?) can NOT be locked. At least with my registrar. Is that normal?
I've noticed in the doc <http://www.icann.org/transfers/policy-12jul04.htm> that it states:
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.
So, it is written as though if an email is sent to the "Transfer Contact" (bad wording surely? It should be "Registrar Email"?) and they don't reply, then they (your Registrar) have to release it.
It just means you don't have to have confirmation from the Registrar anymore...I guess that's useful for some. Thanks to "StupidScript" for pointing this out.
Just received an email from GoDaddy, and in their wording they attempt to contact you for a period of 5 days and then transfer. There is no approval required.
StupidScript is right. You guys are confusing "Registrar of Record" with "Registrant". Unless you own a company like Godaddy where you sell domain names, YOU are not the Registrar of Record. The whole 5 calendar days thing or else approval only applies to the Registrar of Record.... which again is not you.
Why in the world would you want a "Registrar of Record" to block your transfer because they haven't responded in 5 days?
This change makes you NO LESS susceptible to domain name transfer fraud. You still have to authorize the transfer yourself at the new registrar and if you don't approve it (of which there is NO time limit whatsoever) then the transfer will NOT take place and the current registrar of record will never receive the transfer request that they must respond (in 5 days) to either.
If you were comfortable with the protection of the old rules, then you are admitting that you find it acceptable for your current registrar to not approve domain transfers that you authorized... whether they be mistake or not. Your current registrar can't possibly know whether it was something you (or your client) WANTED to do or if it was because you (or your client) was TRICKED into doing.
The bottom line is that any GOOD registrar will STILL have 5 days to check whether or not they believe it was a fraud attempt. And any BAD registrar will no longer be able to hold onto your domain when you actually ARE trying to transfer it by just not responding to the transfer request. YOUR part of the whole process hasn't changed one bit.
Can't see anything at all bad about that.
A Transfer Request with a unique transaction ID is sent from the current Registrar of Record to the Administrative Contact (Transfer Contact) email address.
A reply from the Administrative Contact email address containing the unique transaction ID MUST be received by the current Registrar of Record.
The current Registrar of Record may then authorize the transfer to the new Registrar of Record.
You will receive notifications of each transaction at the Administrative Contact email address.
In all cases, registrars are required to notify the central authority (ICANN and the DNS community) of each transaction. Failing to do this will result in the loss of the registrar's authority.
Current security mechanisms include (but are not limited to):
1) Your Account
You must log into your account with your registrar(s) to make changes to the domain contact information.
(No login = no changes. Some registrars allow requests for changes to be sent from the Administrative Contact email address.)
All changes must be approved by a reply from the Administrative Contact email address including changes to the Administrative Contact email address itself.
(Can't collect that email address? Then there are more personal, direct means of requesting the changes, secured by more personal, direct methods.)
2) Your Email
People attempting to hijack your domain must have access to the Administrative Contact email address for collecting and replying to the authorization request. Sure they can spoof your address to send a transfer request to the registrar, but if they can't reply to the authorization with its unique transaction ID, the transfer will be denied.
If your Administrative Contact email account is not secure, that's beyond ICANN's scope.
Anecdotally, I have been prevented from transferring domains from more costly to less costly registrars in the past because of a failure by the registrar to authorize my request. It sometimes happened when I tried to transfer a domain close to the 30-day-before or 60-day-after the domain's expiration date. You put in your request, you respond to the email, nothing changes for a week, you request info from the registrar, they don't reply, soon, a month has passed and your domain is locked because it's so close to the expiration date. You're stuck paying the higher fee and the domain is stranded at the old registrar for 90 more days until you are allowed to attempt another transfer.
This new approach by ICANN gives us domain owners more control over our property, and frees us from an acknowledged bottleneck in the transfer process.
As I said before:
if the registrar messes up and doesn't reply then I lose my domain!
Transferring it by default is daft. This is enormously risky and the more it's explained the riskier it sounds because the explanations seem to focus on instances where I want the transfer but the registrar isn't playing ball.
The major issue with respect to the new regulations is that the transfer will happen by default if there is no reply within 5 days. So, if someone spoofs my email addy, that doesn't offer the slightest protection in hell if I've taken two days off work because the email will arrive on a Friday evening, I don't reply, so the registrar sits tight and when I return on Wednesday I've lost my domain because the 5 days have lapsed.
It's also risky if I don't happen to be on holiday. If someone spoofs my email addy, I get an email, I immediately reply to it and deny that I requested the transfer but the registrar screws up and doesn't send their reply within 5 days ...I lose my domain.
Sounds stupid to me. Does ICANN make any money when cases go to arbitration? Do WIPO et al have to pay ICANN a cut for every case they handle?
Macro: - you've got the wrong end of the stick. The registrar doesn't do anything until it gets a "go ahead" from you...so if you're away from your machine for 20 days and someone requests a transfer...you're sent an email asking to accept by way of a specific link in the email, and if you don't do anything then nothing will change.
>>The registrar doesn't do anything until it gets a "go ahead" from you
Yes, but if the registrar doesn't do anything for 5 days the domain is transferred. Is that incorrect?
As you've said (and welcome to WW, BTW):
|Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer |
And that is irrespective of what I have or haven't done.
>>Yes, but if the registrar doesn't do anything for 5 days the domain is transferred. Is that incorrect?
Yes, you're incorrect...
>> And that is irrespective of what I have or haven't done.
No, it isn't. This 5 day larky only happens after the registrar has received an approval from you. Here's a breakdown of 2 scenarios:
1. email is sent to your admin address requesting authorisation for transfer.
2. you click the link and approve the transfer.
3. the registrar has 5 days...if they don't respond, then it automatically is approved.
1. email is sent to your admin address requesting authorisation for transfer.
2. you read the email but do nothing and delete it.
3. carry on, nothing changes!
Does this make a bit more sense?
I'm a bit confused reading through this thread as to what the actual advice of steps to take is. Any clear advice appreciated.
Do we contact the person hosting the domain or the registrar (e.g. Nominet)?
Also, where is the best place to go to check the whois details to see if they are locked?
ricahrd, thanks for that :)
I've read through it all again and the only way I can see it working like you described is this:
If the original email to the Administrative Contact is sent by the Acquiring Registrar rather than the Registrar of Record. If the Registrar of Record is the one sending the email request to the Administrative Contact then clicking on "deny" has no effect if the Registrar of Record is lethargic and does not act within 5 days - the Administrative Contact loses his domain.
If it is the case that the Acquiring Registrar requests the transfer from the Registrar of Record only after the Administrative Contact has clicked "accept" (in the email he got from the Acquiring Registrar) then I have no problem with the Acquiring Registrar getting the domain after 5 days of the Registrar of Record receiving the request from the Acquiring Registrar.
But the wording is ambiguous in that it says: "Your current registrar may also choose to confirm your intent to transfer". This does not make clear that the Registrar of Record may ask for confirmation in addition to what you have provided to the Acquiring Registrar.
So if you get an email from the Registrar of Record without first having received an email from the Acquiring Registrar then that's cause for alarm. This is based on the assumption that it has to be the Acquiring Registrar - and the Acquiring Registrar only - who first contacts the Administrative Contact with a "request to transfer" email.
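The two-stage flow argued over in this thread (eligibility checks, then the Administrative Contact's authorization, then the Registrar of Record's five-day window), written out as a decision function. This is an added example, not part of any post and not ICANN's or any registrar's code; `Domain`, `Outcome`, `transfer_outcome` and the scenarios are names and inputs constructed for illustration, and the model follows the reading in which the authorization email comes first.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

REGISTRAR_WINDOW_DAYS = 5  # "five (5) calendar days" in the quoted policy text


class Outcome(Enum):
    INELIGIBLE = "refused: unpaid, locked or in dispute"
    NOT_PROCESSED = "stops at stage 1: contact did not authorize"
    DENIED = "stage 2: Registrar of Record explicitly denied"
    PENDING = "stage 2: waiting on the Registrar of Record"
    TRANSFERRED = "transfer completes"


@dataclass
class Domain:
    paid: bool = True
    locked: bool = False
    in_dispute: bool = False


def transfer_outcome(domain: Domain,
                     contact_reply: Optional[bool],
                     registrar_reply: Optional[bool],
                     days_waited: int) -> Outcome:
    """contact_reply / registrar_reply: True = approve, False = deny,
    None = no response. days_waited counts calendar days since the
    Registrar of Record was notified of the request."""
    # Standard exceptions listed in the opening post.
    if not domain.paid or domain.locked or domain.in_dispute:
        return Outcome.INELIGIBLE
    # Stage 1: silence or a denial from the Administrative Contact ends it.
    if contact_reply is not True:
        return Outcome.NOT_PROCESSED
    # Stage 2: only an explicit denial stops the transfer.
    if registrar_reply is False:
        return Outcome.DENIED
    # Silence past the window counts as approval (the default "approval").
    if registrar_reply is True or days_waited >= REGISTRAR_WINDOW_DAYS:
        return Outcome.TRANSFERRED
    return Outcome.PENDING


def scenarios() -> dict:
    """Constructed cases mirroring the situations raised in the thread."""
    unlocked, locked = Domain(), Domain(locked=True)
    return {
        "unrequested transfer, owner away 20 days":
            transfer_outcome(unlocked, None, None, 20),
        "unrequested transfer, owner clicks deny":
            transfer_outcome(unlocked, False, None, 20),
        "owner approves, old registrar never answers":
            transfer_outcome(unlocked, True, None, 5),
        "owner approves, day 3 of the window":
            transfer_outcome(unlocked, True, None, 3),
        "owner approves, old registrar denies":
            transfer_outcome(unlocked, True, False, 1),
        # The function cannot tell who clicked "approve"; the lock is the
        # control that holds even if the admin mailbox is not secure.
        "approval received, but domain is locked":
            transfer_outcome(locked, True, None, 5),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:46} -> {outcome.value}")
```
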