Revisiting Domain Name Transfer Policies

I came across an old post at the Brian Alvey Weblog regarding the wrongful transfer by Dotster in January of the domain name of longtime ISP Panix, and this post at DomainsMagazine.com:

The panix.com domain was registered with Dotster. According to postings to the NANOG mailing list, Panix contacted Verisign which serves as the definitive registry for .com and .net domain names.
However, Verisign replied that there was little it could do to rectify the situation. "If necessary, Dotster (or Melbourne) is more than welcome to contact us to obtain the specific details as to when the notices were sent and other historical information about the transfer itself," a customer service representative replied to Panix.

One can only expect this sort of thing following the recent ICANN ruling that makes domain transfers all too easy without requiring absolute verification of intent by the current owners. That is, if a transfer is initiated and you don't respond within (as I recall) five days, the registrar must allow the transfer. What if the owner doesn't check email for a week?

Of course, one can only guess that ICANN settled on its ruling because the transfer of domain names from one registrar to another had sometimes been difficult — perhaps notoriously so, in some cases. Fair enough, but the solution to a problem shouldn't cause another problem. At the very least, ICANN should amend its rules to require verification of the domain name owner's intentions with respect to any transfer.

At the time of the ICANN ruling, some of our clients had domains registered with MelbourneIT. My experience when transferring a domain name away from MelbourneIT was that it already followed that type of scenario: you'd get an email stating that a transfer request had been made and that, if you approved the transfer, no action was required and the domain would be transferred to the new registrar within (as I recall) seven days or so. Wow. In my opinion, both MelbourneIT's procedure and ICANN's new ruling are an accident waiting to happen, and so I assisted my clients to transfer all domains registered at MelbourneIT to another registrar. At the very least, MelbourneIT too should amend its procedures to require verification of the domain name owner's intentions with respect to any transfer rather than simply assuming that no response means the owner approves. So should all registrars, if they don't already.

Concurrently, I (rather strenuously)(and more than once) queried GoDaddy as to their policy with regard to the ICANN ruling. As far as I could ascertain, GoDaddy had settled on treating "locked" domain registrations as a signal that the domain name owner did not intend the domain to be transferred. And, heck, all you have to do is to temporarily unlock a domain registered at GoDaddy and GoDaddy's email notification will fairly fly into your inbox.

In my view, domain locking is similar to the precautions taken by U.S. telephone companies to solve the problem of people pestering you by phone to switch phone providers and, regardless of your stated refusal, switching you to another provider. Called "slamming", some (or all?) U.S. telephone providers take the precaution of verifying by recorded telephone conversation that you do not want your telephone service changed without your express approval.

However, it appears that locking domains may not be the end of the problem:

It appears that panix.com had domain locks enabled and somehow the domain was moved without panix' permission from dotster, panix' domain registrar, to another registrar called MelbourneIT.


2 Comments to "Revisiting Domain Name Transfer Policies"

  1. Robert Mathews says:

    This post contains two inaccuracies that might unnecessarily frighten people.

    The first inaccuracy is the suggestion that ICANN rules do not "require verification of the domain name owner's intentions with respect to any transfer". This is simply false; ICANN's transfer policies require — and have always required — that the new ("gaining") registrar get affirmative approval for the transfer from the current domain name owner as a first step. It's not possible for a domain name to be transferred without this step (providing registrars follow the rules, of course).

    ICANN's new policy addresses whether the current ("losing") registrar can then send a SECOND message, with completely different transfer approval instructions, that you ALSO have to respond to. Many losing registrars were sending a second message that included different transfer approval instructions buried twenty paragraphs deep in marketing nonsense, and they then refused to let the transfer go through if the domain owner didn't read down to the instructions and jump through hoops a second time (and some of those hoops could be significant — one company required that a notarized letter be sent to Australia if you wanted to transfer your domain name to another company!). The end result was that it was difficult and annoying to transfer a domain name, and many perfectly legitimate transfers were failing.

    So the ICANN policy change prevents registrars from requiring a second, completely different and separate approval step; it didn't eliminate the first approval step. It is not possible for someone to steal your domain name if you simply ignore your mail for a week; if you ignore the first message from the gaining registrar, the transfer will never start.

    (Again, this is all assuming that registars follow the rules that have been in place for transfers since 2000; it turned out that Melbourne IT was not properly following them, which is what allowed the panix.com domain name to be hijacked.)

    The second misstatement here is that the panix.com domain name was locked. As later reported, it wasn't; the domain name had been mistakenly unlocked months earlier. Locked domain names cannot be transferred under any circumstances.

    Robert L Mathews, President, Tiger Technologies (ICANN accredited registrar)

  2. DianeV says:

    I appreciate your taking the time to respond, as well as to correct any inaccuracies in my post. If I can respond out of sequence:

    First, I had knowledge of at least one registrar who required the domain owner's response to a second, very confusing email, having seen these myself and having been forced to devote time to walking clients through the hoop-jumping; I'd guess that that factor alone has contributed much to the success of other registrars. In any case, I had assumed that that was the reason for ICANN's new ruling and, for that reason alone, was a good thing.

    However, my post was based on my own in-the-trenches experiences. It's good that prior "verification of the domain name owner's intentions" has been an ICANN requirement since 2000; however, in my experience, at least one registrar wasn't doing so. Last I looked, the domain owner got *one* email stating that a transfer had been initiated and, if it did not receive a response within a few days, the transfer would go through. To quote from that 2003 email:

    If you DO APPROVE do nothing and we will assume the request is valid. The domain will be transferred to your new registrar automatically 5-6 days after receiving this transmission.

    Please send this email to <snip>@inww.com and enter the following in the the Subject line of your email response
    "DO NOT APPROVE- domain name "
    NOTE: Please include your domain name in the domain name field

    (a) TO DECLINE a request to transfer this domain to another registrar you must have a VALID reason and this must clearly be noted in the body of the email. – THIS IS MANDATORY
    (b) You CANNOT DECLINE a request to transfer to another registrar if the domain has expired – This is NOT considered a Valid reason and the registrar may ignore your submission.
    (c) You MAY DECLINE a transfer if you consider it a fraudulent request which has not been confirmed or initiated by the
    actual registrant.

    Please respond to this email within 24-48 hours of this transmission if you do not approve so that we may proceed to inform the registry.

    [Emphasis in bold added.] Clearly, the only proactive steps required by the above are for declining the transfer. Now, I have no idea what kinds of problems this registrar may have faced for which the above is a good solution; however, I can't imagine that anyone would consider a few days' lack of response a proactive, validated response from a domain owner. With this scenario, one could easily return from an extended weekend to discover one's domain(s) transferred and a long (and possibly arduous and expensive) road necessitated for attempting to wrest back control while one's work in promoting a particular domain went down the drain.

    Robert, I am not much for "scaring the natives", as it were, but such things have happened, and I'll have to admit that one of those jittery natives was me. For us mere domain-buying mortals, the issue is an important one, given the above, ICANN's new ruling which would seem to ease the transfer from one registrar to another, and the difficulty I encountered in getting a clear yes or no answer to this question: "In the absence of a response from the domain owner, will you or will you not consider the fact that a domain is locked an indication that the domain owner does not approve a transfer?" And thus, my post.

    I apologize if, for your company and others, the ICANN rules were always followed.

Have your say ...

First-time comments will be held for moderation (but comments are appreciated). Otherwise, just be courteous. If your name is a bunch of keywords, your comment will be deleted. Don't post links unless highly pertinent. Posters must be 16 or older.

Manage your subscriptions

© 2004-2018 DianeV Web Design Studio. All Rights Reserved.
28 queries. 0.222 seconds.