Whenever I get any domain name news that can potentially affect ALL domain name owners, I'll be sure to post it.
Some of you may or may not know by now, but the Internet Corporation for Assigned Names and Numbers (ICANN), the governing body charged with overseeing the Domain Name System, has formulated new domain name transfer policies that will take effect on November 12, 2004:
[icann.org...]
So what does this mean?
First, the good news: it makes domain name transfers simple and painless because you actually don't even HAVE to confirm it anymore!
All you have to do is go to the new registrar/reseller of your choice, follow their instructions on how to create an account with them (be it online for via fax), pay up, then the new registrar/reseller will notify your current one of the impending transfer.
Ideally, the new one will send an authorization email to the email address of the administrative contact based on the domain name's WHOIS record. Whoever has access to that email must either confirm or deny the request.
But here's the change: whether you receive it or not, the default result is that the registrar or reseller MUST release the domain name from their systems & transfer it to the new one.
Standard exceptions still apply, though:
1. Domain must still be paid. Better you do this at least 30 days before expiration. 2. Domain must not be "locked". 3. Domain must not be in any sort of dispute.
Assuming at least those 3 exceptions don't apply to your domain name, your transfer will push thru without a hitch. Barring any technical hiccups, of course. :)
Now, the bad news: just as it will become easier to move your domain name to your new registrar, it becomes easier for one total unknown stranger to do this without your consent.
So what must you do to prevent this from happening?
1. Contact your registrar or reseller and ask if they have a sort of locking feature that prevents domain transfers from taking place. Most if not all registrars provide this.
If they do, you must log inside your account and activate it yourself. A friend of mine, though, notified me she recently got an email from her domain registrar that they will turn on their locks for all domains on a certain date, so be sure to read any email from your current registrar or reseller regarding this.
2. If your domain name doesn't have this lock, check your domain name's WHOIS contact information (or internal info) & ensure the email address w/in is correct & only you has access to it. This is to ensure you receive the email and follow its instructions on how to deny the transfer.
3. Since ISPs sometimes block legitimate emails from reaching their recipients, be sure to "whitelist" them. If necessary, please contact your registrar or reseller and ask what is their specific email address that'll be sent to you requesting confirmation or denial of the transfer.
I'll keep you all posted as the date when the transfer policies takes effect looms near. Meanwhile, please be sure to inform as many people as you can about this to prepare for it.
Take care of your domain name/s!
[edited by: Brett_Tabke at 8:45 pm (utc) on Sep. 13, 2004]
[edit reason] fixed formating [/edit]
Domain status:
REGISTRAR-LOCK
Does this mean the domain is locked, or not?
My registrar's info is somewhat contradictory and un-informative.
Domain status:
REGISTRAR-LOCKDoes this mean the domain is locked, or not?
That's exactly what you DO want to see. You are safe.
Can someone recommend a reliable Registrar for .com AND .co.uk names, that provides a lock service? Feel free to send me a sticky-mail if you prefer.
I'm a bit confused as to what this means. Should I ask my registrar to change the lock status? Thanks.
Network Solutions you could transfer away domains without approvalthat's insane... are you sure about that? I remember MS "forgetting" one of their domains once, almost expiring... so this could happen to everybody and to every small or big corporation.
Status: PROTECTED
The same domains shows as Status: ACTIVE in an whois search using another whois tool/website like whois dot sc.
THE LAYPERSON'S OVERVIEW [icann.org]
The relevant blurb:
If you wish to transfer your domain name from one ICANN-accredited registrar to another, you may initiate the transfer process by contacting the registrar to which you wish to transfer the name. This registrar is required to confirm your intent to transfer your domain name using Initial Authorization for Registrar Transfer. If you do not respond or return Initial Authorization for Registrar Transfer, your transfer request will not be processed.
THE APPARENTLY CONFLICTING DOCUMENT [icann.org]
Note: The second document predates the first ... but it is of no consequence.
The relevant blurb:
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
THE EXPLANATION
In document #1, we see that "If you do not respond or return Initial Authorization for Registrar Transfer, your transfer request will not be processed."
In document #2 it seems to be limited by the relevant blurb. But people ...
this is a two-part process! Yay! :)
In document #1, it says that YOU, as the Administrative Contact of Record must agree to the transfer by responding to an email sent to the Administrative Contact of Record.
Next, FOLLOWING RECEIPT OF AUTHORIZATION TO TRANSFER FROM YOU, document #2 says that if the Registrar of Record does not respond within 5 calendar days, then the transfer will go through, as the default action.
It's a bonus for us!
Now, your transfer won't be crapped on by the failure of your CURRENT registrar to acknowledge the email sent by your FUTURE registrar. Previously, a registrar could "forget" or "miss" an authorization request, and keep your domain. Now, in addition to your permission, which you have always needed to give for a transfer and will continue to need to do, if the registrar "misses" or "forgets" to respond to the transfer request, your transfer will go through just as you intended.
If YOU reply in the negative or don't respond to the initial Administrative Contact of Record email (because you initiated the transfer and then went on vacation or because it's a bogus request), you'll never get to the second step involving the current registrar, and the transfer will NOT go through.
If YOU reply in the positive, by clicking on the link to authorize the transfer, THEN it goes to the current registrar, and if they respond in the affirmative or do not respond at all within 5 calendar days, your request goes through per your instructions.
Do you really think that ICANN would make it easier to hijack a domain?
The automatic locking of all domains by NetSol and others is a move on their part to make it more difficult for us to move to a lower-priced registrar. Don't fall for it.
Get some sleep tonight, folks. :)
Domain locking is a very good thing, and I am very happy that many registrars are now doing this by default. Of course - it is in THEIR best financial interest to retain their customers, as well as helping their customers avoid fraudulent transfers.
Regretably Tedster, not always. You only need to be part of poor suffering group who have domain names with TotalNIC/PacNames to realise what a mess, they/we are in.
Despite multiple threats of legal action, pleas, letters and e-mails to them and ICANN, letters to State and Federal Fair Trading, none of these people can get these 'worms' to unlock their domains. It is an appalling situation in this day and age, and one which ICANN could fix in a heartbeat, but remain removed from.
If YOU reply in the positive, by clicking on the link to authorize the transfer, THEN it goes to the current registrar, and if they respond in the affirmative or do not respond at all within 5 calendar days, your request goes through per your instructions.
I see a little bit of spin here with the "your request goes through per your instruction". What if it's not my instructions?
Irrespective of what reply I send the current registrar if the registrar messes up and doesn't reply then I lose my domain!
if the registrar "misses" or "forgets" to respond to the transfer request
It's a bonus for us!
*Most* registrars will surely work well, surely almost all, but ... really all? Those back there in Absurdistan, too?
Will someone, please, confirm that I am just paranoid, and everything will be fine ...
Regards,
R.
The problem is not with locking your own ..the problem some are having is with registrars that sell locked by default ..and give no one the key ...
I stickied Kapow with a registrar and one of their reseller who are cheap , reliable and Iknow from personal experience their lock/unlock is your choice only and you can change it as many times as you want ..with just one click ...
inspite of my current problems with working around an attack ( heh heh ..starting to see just what it altered ..got to respect the coding abilities of the "hacker" even if it is a PITA ) ...and as a consequence ..I am not here much ...
Nevertheless any one who wants their url's is welcome to sticky me .. can't post their name ( TOS) ....I have no connection with them at all ( except that I use them ) ....and in 5 years they haven't put a foot wrong ...
And they communicate in clear , easy ,English ...( no confusion over what their lock panel says ) ...!
But in the case where I want to transfer a domain from another registrar to my main one, I go to the "other" registrar, and unlock the domain. I put in my transfer request, etc.
But what is to keep some other person from submitting a transfer request at the same time? Since the lock is a public record and since there are services that monitor the status of a domain, anyone could see that the lock has been removed, and then put in a transfer.
So how does that keep the domain from being stolen?
thank you.
IE ..you have already started the process so even if someone else sees the "lock" status change ( which is unlikely as the change of "lock" status will normally only be seen after the transfer has taken place ) ...
And two requests from two different addresses are enough to make even the dumbest registrar sit up and say "something smells" and get back to you ..not the other guy!
( remember ..you can spoof an email address ..but they reply to the real one ..thats how you can get so much crap about "a message you sent could not be delivered...yadda yadda" ..because some "zombie" which had your addy in it sent out a mail saying it was from you ..but you get the auto reply )
In spite of what it says on many sites ..about transfers taking upto 7 days yadda yadda ..
Unless the current registrar decides to get " difficult" about it ..tranfers go through in 24 to 48 hours ...some times less ..( the public record wont change until the transfer process is finished ..only then does it update ..unless you unlock and then go to sleep for a month ..in which case you get what you deserve )..
Hmmm looks like I need a new Registrar
===========================
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.
===========================
So, it is written as though if an email is sent to the "Transfer Contact" (bad wording surely? It should be "Registrar Email"?) and they don't reply, then they (your Registrar) have to release it.
It just means you don't have to have confirmation from the Registrar anymore...I guess that's useful for some. Thanks to "StupidScript" for pointing this out.
cheers,
Richard.
Why in the world would you want a "Registrar of Record" to block your transfer because they haven't responded in 5 days?
This change makes you NO LESS susceptible to domain name transfer fraud. You still have authorize the transfer yourself at the new registrar and if you don't approve it (of which there is NO time limit whatsoever) then the transfer will NOT take place and the current registrar of record will never receive the transfer request that they must respond (in 5 days) to either.
If you were comfortable with the protection of the old rules, then you are admitting that you find it acceptable for your current registrar to not approve domain transfers that you authorized... whether they be mistake or not. Your current registrar can't possibly know whether it was something you (or your client) WANTED to do or if it was because you (or your client) was TRICKED into doing.
The bottom line is that any GOOD registrar will STILL have 5 days to check whether or not they believe it was a fraud attempt. And any BAD registrar will no longer be able to hold onto your domain when you actually ARE trying to transfer it by just not responding to the transfer request. YOUR part of the whole process hasn't changed one bit.
Can't see anything at all bad about that.
A reply from the Administrative Contact email address containing the unique transaction ID MUST be received by the current Registrar of Record.
The current Registrar of Record may then authorize the transfer to the new Registrar of Record.
You will receive notifications of each transaction at the Administrative Contact email address.
In all cases, registrars are required to notify the central authority (ICANN and the DNS community) of each transaction. Failing to do this will result in the loss of the registrar's authority.
Current security mechanisms include (but are not limited to):
1) Your Account
You must log into your account with your registrar(s) to make changes to the domain contact information.
(No login = no changes. Some registrar's allow requests for changes to be sent from the Administrative Contact email address.)
All changes must be approved by a reply from the Administrative Contact email address including changes to the Administrative Contact email address itself.
(Can't collect that email address? Then there are more personal, direct means of requesting the changes, secured by more personal, direct methods.)
2) Your Email
People attempting to hijack your domain must have access to the Administrative Contact email address for collecting and replying to the authorization resuest. Sure they can spoof your address to send a transfer request to the registrar, but if they can't reply to the authorization with its unique transaction ID, the transfer will be denied.
If your Administrative Contact email account is not secure, that's beyond ICANN's scope.
Anecdotally, I have been prevented from transferring domains from more costly to less costly registrars in the past because of a failure by the registrar to authorize my request. It sometimes happened when I tried to transfer a domain close to the 30-day-before or 60-day-after the domain's expiration date. You put in your request, you respond to the email, nothing changes for a week, you request info from the registrar, they don't reply, soon, a month has passed and your domain is locked because it's so close to the expiration date. You're stuck paying the higher fee and the domain is stranded at the old registrar for 90 more days until you are allowed to attempt another transfer.
This new approach by ICANN gives us domain owners more control over our property, and frees us from an acknowledged bottleneck in the transfer process.
Transfering it by default is daft. This is enormously risky and the more it's explained the riskier it sounds because the explanations seem to focus on instances where I want the transfer but the registrar isn't playing ball.
The major issue with respect to the new regulations is that the transfer will happen by default if there is no reply within 5 days. So, if someone spoofs my email addy, that doesn't offer the slightest protection in hell if I've taken two days off work because the email will arrive on a Friday evening, I don't reply, so the registrar sits tight and when I return on Wednesday I've lost my domain because the 5 days have lapsed.
It's also risky if I don't happen to be on holiday. If someone spoofs my email addy, I get an email, I immediately reply to it and deny that I requested the transfer but the registrar screws up and doesn't send their reply within 5 days ...I lose my domain.
Sounds stupid to me. Does ICANN make any money when cases go to arbitration? Do WIPO et al have to pay ICANN a cut for every case they handle?
Yes, but if the registrar doesn't do anything for 5 days the domain is transfered. Is that incorrect?
As you've said (and welcome to WW, BTW):
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer
Yes, you're incorrect...
>> And that is irrespective of what I have or haven't done.
No, it isn't. This 5 day larky only happens after the registrar has received an approval from you. Here's a breakdown of 2 scenario's:
===scenario 1===
1. email is sent to your admin address requesting authorisation for transfer.
2. you click the link and approve the transfer.
3. the registrar has 5 days...if they don't respond, then it automatically is approved.
===scenario 2===
1. email is sent to your admin address requesting authorisation for transfer.
2. you read the email but do nothing and delete it.
3. carry on, nothing changes!
-----
Does this make a bit more sense?
cheers,
Richard.
I'm a bit confused reading through this thread as to what the actual advice of steps to take is. Any clear advice apreciated.
Do we contact the person hosting the domain or the registrar (e.g. Nominet)
Also where is the best place to go to check the who is details to see if they are locked.
Thanks
