| This 99 message thread spans 4 pages: < < 99 ( 1 2  4 ) > > || |
|ICANN new transfer policies take effect Nov. 12|
| 6:19 pm on Sep 9, 2004 (gmt 0)|
Whenever I get any domain name news that can potentially affect ALL domain name owners, I'll be sure to post it.
Some of you may or may not know by now, but the Internet Corporation for Assigned Names and Numbers (ICANN), the governing body charged with overseeing the Domain Name System, has formulated new domain name transfer policies that will take effect on November 12, 2004:
So what does this mean?
First, the good news: it makes domain name transfers simple and painless because you actually don't even HAVE to confirm it anymore!
All you have to do is go to the new registrar/reseller of your choice, follow their instructions on how to create an account with them (be it online for via fax), pay up, then the new registrar/reseller will notify your current one of the impending transfer.
Ideally, the new one will send an authorization email to the email address of the administrative contact based on the domain name's WHOIS record. Whoever has access to that email must either confirm or deny the request.
But here's the change: whether you receive it or not, the default result is that the registrar or reseller MUST release the domain name from their systems & transfer it to the new one.
Standard exceptions still apply, though:
1. Domain must still be paid. Better you do this at least 30 days before expiration. 2. Domain must not be "locked". 3. Domain must not be in any sort of dispute.
Assuming at least those 3 exceptions don't apply to your domain name, your transfer will push thru without a hitch. Barring any technical hiccups, of course. :)
Now, the bad news: just as it will become easier to move your domain name to your new registrar, it becomes easier for one total unknown stranger to do this without your consent.
So what must you do to prevent this from happening?
1. Contact your registrar or reseller and ask if they have a sort of locking feature that prevents domain transfers from taking place. Most if not all registrars provide this.
If they do, you must log inside your account and activate it yourself. A friend of mine, though, notified me she recently got an email from her domain registrar that they will turn on their locks for all domains on a certain date, so be sure to read any email from your current registrar or reseller regarding this.
2. If your domain name doesn't have this lock, check your domain name's WHOIS contact information (or internal info) & ensure the email address w/in is correct & only you has access to it. This is to ensure you receive the email and follow its instructions on how to deny the transfer.
3. Since ISPs sometimes block legitimate emails from reaching their recipients, be sure to "whitelist" them. If necessary, please contact your registrar or reseller and ask what is their specific email address that'll be sent to you requesting confirmation or denial of the transfer.
I'll keep you all posted as the date when the transfer policies takes effect looms near. Meanwhile, please be sure to inform as many people as you can about this to prepare for it.
Take care of your domain name/s!
[edited by: Brett_Tabke at 8:45 pm (utc) on Sep. 13, 2004]
[edit reason] fixed formating [/edit]
| 7:03 pm on Nov 10, 2004 (gmt 0)|
ricahrd, thanks for that :)
I've read through it all again and the only way I can it working like you described is this:
If the original email to the Administrative Contact is sent by the Acquiring Registrar rather than the Registrar of Record. If the Registrar of Record is the one sending the email request to the Administrative Contact then clicking on "deny" has no effect if the Registrar of Record is lethargic and does not act within 5 days - the Administrative Contact loses his domain.
If it is the case that the Acquiring Registrar requests the transfer from the Registrar of Record only after the Administrative Contact has clicked "accept" (in the email he got from the Acquiring Registrar) then I have no problem with the Acquiring Registrar getting the domain after 5 days of the Registrar of Record receiving the request from the Acquiring Registrar.
But the wording is ambiguous in that it says: "Your current registrar may also choose to confirm your intent to transfer". This does not make clear that the Registrar of Record may ask for confirmation in addition to what you have provided to the Acquiring Registrar.
So if you get an email from the Registrar of Record without first having received an email from the Acquiring Registrar then that's cause for alarm. This is based on the assumption that it has to be the Acquiring Registrar - and the Acquiring Registrar only - who first contacts the Administrative Contact with a "request to transfer" email.
| 7:48 pm on Nov 10, 2004 (gmt 0)|
=====In reply to Edd1:=====
>>Do we contact the person hosting the domain or the registrar (e.g. Nominet)
You contact the registrar...but Nominet domains are not affected because they use IPSTAGs so you have to ask your current IPSTAG provider to change the TAG before a transfer can happen in the first place.
>>Also where is the best place to go to check the who is details to see if they are locked.
try <http://www.allwhois.com/> but also if you want to know the registrar go to <http://www.internic.net/whois.html> and then from there you can jump to the registrar whois which may give you more info than the allwhois site above.
=====In reply to Macro=====
>>If the Registrar of Record is the one sending the email request to the Administrative Contact then clicking on "deny" has no effect if the Registrar of Record is lethargic and does not act within 5 days - the Administrative Contact loses his domain.
But if you don't accept the transfer, it doesn't go back to them for "processing", so what's the problem?
>>But the wording is ambiguous in that it says: "Your current registrar may also choose to confirm your intent to transfer". This does not make clear that the Registrar of Record may ask for confirmation in addition to what you have provided to the Acquiring Registrar.
Yes, true, this isn't clear enough. I believe this only applies if you no longer can access the admin email account, or it's now invalid. You can then manually send proof to the registrar who can then send approval (god know's how) to the new registrar.
>>So if you get an email from the Registrar of Record without first having received an email from the Acquiring Registrar then that's cause for alarm. This is based on the assumption that it has to be the Acquiring Registrar - and the Acquiring Registrar only - who first contacts the Administrative Contact with a "request to transfer" email.
I can't see when you would receive a mail from your existing registrar, it's always going to come from the new registrar.
It's not plain sailing this!
| 7:55 pm on Nov 10, 2004 (gmt 0)|
The big problem here is the combination of:
1) A dodgy aquiring registrar in collusion with Malory who wants your domain name
2) Your registrar (of record) being some sloppy company who's automated email system is broke more often than it's working and doesn't offer a REGISTRAR-LOCK feature.
Ok, for sure the aquiring registrar (1) must contact the "Administrative Contact" of the domain before initiating the transfer; but that means squat if he's bent.
So, assuming that said bent aquiring registrar has "imagined" your acceptance to transfer the domain; he then initiates the transfer.
Now this is where the problems starts.
Your ever-so-slightly-useless registrar of record; who's automated email system is broke more often that it's working loses the request to transfer to the ether. 5 days pass, there is no response and Malory has got your domain name.
| 8:06 pm on Nov 10, 2004 (gmt 0)|
Yes, you're quite right there, but I thought that if the registrar didn't comply with certain rules then ICANN would remove all their rights as a registrar, so you'd get your name back (although of course after some immense inconvenience!)
| 8:46 pm on Nov 10, 2004 (gmt 0)|
>>but I thought that if the registrar didn't comply with certain rules then ICANN would remove all their rights as a registrar
Er, have you seen their rules on dispute resolution? They say just "if you've got a problem contact the registrar"! And if you don't like them go to another registrar.
Just don't call us, we can't be bothered
| 9:07 pm on Nov 10, 2004 (gmt 0)|
well it certainly won't hurt to lock all the domains anyway, particularly with my provider.
probably the sensible option, for those that can.
| 9:53 pm on Nov 10, 2004 (gmt 0)|
OK so what is the bottom line here - assuming the domain is not locked...
If Joe goes to his registrar (registrarA) and says I want to request the transfer of thisdomain.com to my account here.
Does registrarA send an email to the admin contact of the domain - and if they dont get a reply the transfer request is cancelled?
Or does registrarA contact registrarB who has the domain and says there is a request transfer for this domain and then registrarB sends an email to the admin contact and if they don't reply in 5 days then registrarB goes ahead and transfers the domain to registrarA automatically?
Or is it a combination of the 2 somehow?
Please explain the bottom line in layman terms.
It sounded like from everything I've read that the bottom line is that there MUST be some kind of confirmation from the admin contact otherwise nothing happens.
| 10:10 pm on Nov 10, 2004 (gmt 0)|
>> It sounded like from everything I've read that the bottom line is that there MUST be some kind of confirmation from the admin contact otherwise nothing happens.
This is what I believe, but I can't say for sure. The ICANN docs read to me that the admin contact is emailed and if nothing is heard, nothing happens. The line "Your current registrar may also choose to confirm your intent to transfer using Confirmation of Registrar Transfer Request." I think is mis-worded because I don't think they can confirm the same document the admin contact is emailed. I'm fairly certain the Registrar doesn't receive that "Confirmation of Registrar Transfer Request" until the admin contact has clicked the link in the mail to them.
| 11:27 pm on Nov 10, 2004 (gmt 0)|
It seems many are confused over the new transfer policies. I will do my best to help clarify the issues surrounding it.
Feel free to read it slowly or re-read it if necessary.
There are 3 parties involved in a domain name transfer: the registrant (the registered owner of the domain name), the registrar (the domain name provider who will manage the domain name), and the registry (the authoritative database record holder for a domain name extension).
The burden of transferring a domain name to another registrar first falls on the gaining registrar. The rules require the "Transfer Contact" on record to confirm the request, be it the Registrant or administrative contact depending on the registrar.
The request must be started with them first and fully complied with by the registrant or administrative contact on the domain name's record from the losing registrar in the manner the gaining one sees fit.
So virtually anyone can start the request with the gaining registrar. But the gaining one eventually needs confirmation from the domain's registrant or administrative contact, be it by fax or email.
Assuming the registrant or the administrative contact confirms the request with the gaining registrar, the gaining one will notify the Registry about this. The Registry will then notify the losing registrar about the transfer request.
The current rules require the losing registrar to notify the registrant or administrative contact on record to confirm or deny the request, preferably via email. 3 things can happen:
1. The registrant or administrative contact receives the authorization email and approves the transfer.
2. The registrant or administrative contact receives the authorization email and denies the transfer.
3. The registrant or administrative contact does not receive the authorization email at all.
If no. 2 or 3 occurs, the domain name will not be transferred away from the losing registrar.
When the new transfer rules take effect on November 12, no. 3 will virtually be disregarded. If the losing registrar notifies the registrant or administrative contact on record about this and they don't get even a reply, the transfer will push thru.
Standard deny transfer conditions still apply:
1. Domain name has been registered less than 60 calendar days.
2. Domain name has expired. (currently you can, but the new transfer policies will change that)
3. Domain name is locked for whatever reason, be it manual or by the registrar due to a dispute.
The new policies apply to all generic Top-Level Domains (gTLDs) like com, net, org, info, and biz at the very least. Country code extensions will depend on their respective registries.
All gTLDs can be locked and is currently offered only at the registrar level.
Hope this helps. Feel free to correct or disagree. ;o)
| 11:32 pm on Nov 10, 2004 (gmt 0)|
All that's left then is accounting for registrar mistakes, delays and incompetence. And keeping our fingers crossed that there isn't an attempt at a fraudulent transfer.
And we can always complain to the registrar if we are unhappy with the registrar.
Why does "Alice" and "Wonderland" come to mind?
| 1:55 am on Nov 11, 2004 (gmt 0)|
Macro, you were correct in your comment that the intended NEW registrar sends the authorization notices to both you and your current registrar. I think I erred, in my last post on that subject.
Using the admin contract address, you respond to the authorization mail sent to that address from the NEW registrar.
The OLD (current) registrar says, "Screw you! We're making you pay another $35 to us instead of letting you transfer to that $7 registrar", and ignores the authorization request.
Under the old system, your domain was not transferred.
Under the new system, the NEW registrar says, "Hey the admin contact requested the transfer, the old registrar is ignoring our authorization requests, the admin contact acknowledged our auth notice ... let's do the transfer."
The only weak link here (as has always been) is the admin contact email account. Heaven knows I've been handed hundreds of domains to manage where nobody knows how to collect the admin contact email, and I've had to practically sign my name in blood to change it to a collectable address.
That won't change.
Keep track of your admin contact info, collect the email, make sure it's as hack-proof an email address as you can, and check your domains' contact info at least once per month. It's automatable!
Bottom line: now you do not need to rely on the honesty of a registrar to be able to transfer your domains. You will spend the exact same amount of time on your end of the transfer as you did before. You have the same security as you ever did, And you are more free to take advantage of registration price fluctuations than you ever did.
| 2:07 am on Nov 11, 2004 (gmt 0)|
Real quick ... :)
The way it works for me, for example, is like this:
1) I have a domain registered with, say, SomeRegistrar.
2) I wish to transfer it to MyRegistrar.
3) AS LONG AS THE DOMAIN IS NOT LOCKED, either because the date is within 30 days of the domain expiration or within 60 days of a re/new registration, I can proceed.
4) I go to my account interface at MyRegistrar, and hit the "Add New Domain" button.
5) I indicate the domain name, and "register" the domain with MyRegistrar for however long I wish. (The cost of the new registration is pro-rated to accomodate the amount left on my SomeRegistrar registration. I accept $15/year because I know MyRegistrar will adjust that amount to absorb the $30 still left at SomeRegistrar. Or something like that. They adjust it, is my point.)
6) MyRegistrar sends me an authorization email at the admin contact address.
7) MyRegistrar sends an authorization email to SomeRegistrar.
8) I reply to the email as instructed to allow the transfer.
9) SomeRegistrar does/doesn't reply to the email at all.
Who cares? I requested and authorized the transfer, so MyRegistrar adds the domain to their nameservers, and passes along the paperwork to ICANN and the DNS community.
Aahhh. I take comfort in knowing that if I don't reply to a transfer request my SELF, then it does not go through.
FINALLY I can take that vacation ... :)
<edited for anonymity>
| 8:37 am on Nov 11, 2004 (gmt 0)|
Now that's my third attempt within this thread: .info, .biz and others can NOT be locked.
Is this correct?
| 10:46 am on Nov 11, 2004 (gmt 0)|
>>Now that's my third attempt within this thread: .info, .biz and others can NOT be locked.
>>Is this correct?
I only have com, net, org, info and biz gTLD names but I am able to lock them all. I cannot confirm locking availability for the other gTLDs.
| 1:56 pm on Nov 11, 2004 (gmt 0)|
Now that's my third attempt within this thread: .info, .biz and others can NOT be locked.
Is this correct?
Ideally all gTLDs can be locked. But that depends on the registrar you're with.
At least the top 3 based on stats do lock all gTLDs. I don't know about the others.
| 2:43 pm on Nov 11, 2004 (gmt 0)|
So it IS the registrar then, thanks.
| 5:41 pm on Nov 11, 2004 (gmt 0)|
Just a few hours left before the new transfer rules take effect, everyone. Be ready.
Whatever happens, I love you guys. ;o)
| 8:00 pm on Nov 11, 2004 (gmt 0)|
My Registrar just informed me they are:
- Locking all names
- Providing a lock/unlock interface
I'm happy now and staying with them :)
Glad I don't have to move a couple of hundred names.
| 10:47 am on Nov 12, 2004 (gmt 0)|
May be they read threads here ..it's not like any registrar can't provide this ..they either won't so you gotta ask "what are their motives and do I trust them " ..Or they "can't be bothered" ...
Or they are reselling the service as part of a "come on" and actually don't know enough technically how to put it in place ..( this latter is way more common than is nice to beleive ) ...
| 4:26 pm on Nov 16, 2004 (gmt 0)|
For those that think you must respond to the registrar before the name will be transfered here is a small quote from an email I just received from a *large* registrar:
|When we receive a request to transfer your domain name to a new registrar, we will still attempt to contact you to confirm that you authorized the request. However, if you do not respond, or are not able to respond within 5 days, your domain name WILL be transferred. |
This registrar is not locking domains by default.
| 4:45 pm on Nov 16, 2004 (gmt 0)|
If I got that reply in times like these I would haul my domains straight to a Registrar that will provide a full and safe service.
| 4:59 pm on Nov 16, 2004 (gmt 0)|
my provider said they were automatically going to lock all domains last Friday, but strangely only half of my domains are locked, some are still unlocked...very odd. I also emailed them to clarify the 5 day situation because they sent an email out to all members stating that domains are automatically moved if the admin contact doesn't respond within 5 days...this still doesn't seem to be the case but no-one (I guess ideally ICANN) has clarified this properly.
It all seems a big mess to me, it's quite amazing that so many "big" companies are stating info relating to the 5 day policy with no real "proof" as it were. It seems to have spiralled from one person's (possibly mis) posting.
But obviously we still have no confirmation either way.
well, tomorrow is the first "day 5" so we'll see if anyone's been caught out or not I guess.
| 5:08 pm on Nov 16, 2004 (gmt 0)|
A snippet from this statement: [icann.org...]
(Bullet Point 3) - "Enabling registrants to transfer their domain names without having to "double-confirm" the transfer once the transfer has been reliably authenticated per the new policy."
That's fairly conclusive that the 5 day issue relates to the registrar, not the admin contact. Also, if anyone's interested "bbc.com" (british broadcasting corporation) is unlocked...it shows (I hope) that they have looked at this and decided the same. I would imagine there are loads of "big corporations" out there with unlocked domains who will be perfectly ok.
| 10:46 am on Nov 17, 2004 (gmt 0)|
I've just received comment from my provider who states (and not entirely grammatically correct):
The policy is actually stated on the following URL :
The points made are that some registrars may use their own choice of
confirming the admin contact agrees to the transfer which may not always
result in the actual admin contact receiving notification. Normally the
current registrar would then contact the admin contact for a second
confirmation, in the new procedure this will not happen so it is
possible that a domain can be transferred without authorisation for the
| 11:44 am on Nov 17, 2004 (gmt 0)|
|...so it is possible that a domain can be transferred without authorisation from the admin contact |
|...automatically moved if the admin contact doesn't respond within 5 days |
Consider the above quotes in conjunction with the spam plague,
- How many spam filters have you seen where legitimate email is marked as spam?
- How may Admin contacts are not going to recieve their transfer request because of bad spam filters (or other reasons)?
How many domains are going to be lost?
| 11:47 am on Nov 17, 2004 (gmt 0)|
>> How many domains are going to be lost?
We're on the "fifth day" now, but I can't see any news reports anywhere...I guess it's just a matter of hours...
| 11:51 am on Nov 17, 2004 (gmt 0)|
>>"bbc.com" (british broadcasting corporation) is unlocked...it shows (I hope) that they have looked at this and decided the same
Or that they haven't looked at it (BBC Search [bbc.co.uk]) and - like most major organisations - can't look at it till they've formed a committee to examine the issue and make a recommendation to the board (and that's if they are even remotely aware of this news). And these things take years.(
| 8:51 pm on Nov 18, 2004 (gmt 0)|
|a domain can be transferred without authorisation from the admin contact |
This is correct. A transfer request confirmation is sent to the Owner Contact email ... not the Admin. Ever it was thus.
The "5 day" rule does indeed apply only to the registrar FROM whom (not TO whom) the domain is being transferred. Your new registrar can let you have as much time as they like to confirm the transfer request, but once you have done so, the old registrar has 5 days to confirm the transfer request ... a confirmation which is now completely unneccessary ... if the old registrar does nothing to confirm the transfer request, the transfer goes through on your authorization alone.
For instance, I just transferred a few domains from Network Solutions to Melbourne IT. I made my request with Melbourne by registering the domains with them, they sent me (Owner Contact) a confirmation email that gave me 15 days to respond (if I did not respond or responded in the negative, no transfer). I responded in the positive, and shortly after received an email from NetSol. In that email, it noted that to allow the transfer to proceed, do nothing. To quash the transfer, click on the embedded link WITHIN 5 DAYS of the email date. I did nothing. 5 days later, my domains are with the new registrar.
Domain locking is not a security measure, it's a registrar business-retention measure. It adds no significant protection to your domain name, as the transfer authorization process uses your Owner Contact email account for any request. You need to authorize domain un-locking just like a transfer request, unless your registrar lets you unlock or lock using the "secure" online interface to your account ... to which you must be logged in ... securely.
<edit>PS: Just this minute, I received a phone call from Register.com regarding a couple of the domains I was transferring FROM them to Melbourne. They asked why I was transferring, and made a reduced fee offer (which I politely refused). He said, "Well okay then, I'll go ahead and authorize the transfers." to which I replied, "But under the new ICANN rules you really don't need to authorize the transfer, right? It will go ahead with my authorization alone, correct?" He said, "You mean the 5-day rule? You're right, the transfer would go ahead on your sayso alone, but we can help move it along more quickly if we acknowledge the transfer request. Our final bit of customer service for you." Of course, I said, "Thank you."</edit>
| 9:22 pm on Nov 18, 2004 (gmt 0)|
Thanks for that StupidScript, I think I finally have a clear understanding of what happens now. 5 days transfer is very speedy too, that will be handy. Luckily I have already changed most of the "owner" email addresses so messages direct to me...still very odd...so what does the admin contact do now? Just sharpen pencils in the office? Considering you have "Owner", "Admin", "Tech" and "Billing" contacts, it seems the Admin one has been left rather redundant...apart from an easy target for the lovely spammers of course.
| 9:35 pm on Nov 18, 2004 (gmt 0)|
Yes, of course, all very rosy. I see a few members taking a lot of time and trouble to emphasise that the new procedures are safe. Then I keep reading msg#63 (dmorison) and #85 (kapow) and thinking, "I'll reserve judgement". Maybe I'm cynical, maybe I'm street-smart, or maybe I'm paranoid ;) - we'll let time decide.
For the moment - LOCK all your domains (FWIW), have someone monitor your email if you are going to be away, take extra precautions because - as with anything new - they'll be some who try to exploit it. If your domain is important to you don't rely on other people (like registrars) always doing things correctly. They don't.
| 10:29 pm on Nov 18, 2004 (gmt 0)|
Macro, you are absolutely right. (Advice that follows is not directed at you, but is here for newbies. :)
If you do not use an accredited registrar, or use a "dodgy" registrar, or use a registrar who doesn't know what the heck they are doing, or who has a broken email system, or, in general: If you ELECT to use a crappy no-name registrar because they're offering $2.95 registrations, then you're in the "back alley", and who knows what kind of security precautions or regulations are being followed. Bad idea, even if it is cheap.
If you stay on the sunny side of the street, and use accredited, well-known, slightly more expensive registrars (Register.com offered regs at $17.50/year), then you know who you are dealing with, and you'll be fine.
You get what you pay for. Caveat emptor. etc.etc. Just pay for a decent service, for crying out loud! :)
| This 99 message thread spans 4 pages: < < 99 ( 1 2  4 ) > > |