Home / Blogs

Domain Registry Locking Program: It Is There for a Reason, So Why Not Use It?

Elisa Cooper

It seems like every week, news of yet another high-profile domain hijacking occurs. Whether it's stolen credentials, SQL injection attacks, or even the work of disgruntled employees, the number of incidents has been on the rise.

At the beginning of last year, MarkMonitor participated in VeriSign's beta program to test server-level protections which were designed to mitigate the potential for unintended domain name changes, deletions and transfers. When VeriSign finally released their Registry Locking Program to all registrars, I expected to see the owners of highly trafficked sites flocking to this new offering.

However, after a review of the top 300 most highly trafficked sites, I was shocked to uncover that less than 10% of these valuable domains were protected using these newly available security measures.

So why aren't more companies protecting themselves?

Given the value of these highly trafficked domains, I cannot imagine that the additional fees associated with employing this level of service are the deterrent.

I can only imagine that either the offering hasn't been made widely available, or that confusion as to whether a domain is locked it to blame.

When it comes to domain locking, there is often quite a bit of confusion as to how to determine whether a domain is 1) "locked" within a portal, or 2) "locked" at the Registrar, or 3) "locked" at the Registry.

Only domains that have the following statuses are considered to be "locked" at the Registry, and cannot be modified using standard protocols.

  • client delete prohibited
  • client transfer prohibited
  • client update prohibited
  • server delete prohibited
  • server transfer prohibited
  • server update prohibited

For the owners of highly trafficked domains, I would strongly recommend adding this level of security to protect valuable domains. It is there for a reason, so why not use it?

By Elisa Cooper, SVP Marketing and Policy at Brandsight, Inc.
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Good Article Jothan Frakes  –  Feb 17, 2010 3:06 PM PDT

This is a good point, Elisa. 

Some registrars charge extra for the 'enhanced security' that flipping those three extra statuses on requires and have built in new products or services around the higher security that is available for a domain like this.

I am sure that 'so why not use it'? is a rhetorical question, but I'd reckon that adoption of these statuses is something that requires registrars to make programming changes or modify their existing systems. Many of the registrars have a 'set and forget' policy on such changes, or add in the upgrade as a feature when doing other enhancements, like adding TLDs.

JothanElisa isn't talking about "normal" locksVerisign introduced Michele Neylon  –  Feb 18, 2010 3:56 PM PDT

Jothan

Elisa isn't talking about "normal" locks
Verisign introduced a new locking service a couple of months ago, which is a totally different system. (See: http://www.icann.org/en/registries/rsep/ 2009005)
Registrars pay a premium per domain per month (it gets cheaper based on volume) to enable the lock on a per domain basis.
Obviously the registrant would have to pay that premium plus a markup from the registrar's end.
I've no idea how many registrars have actually signed up to offer the service nor how many have actually deployed it.

Regards

Michele

Actually, doesn't seem like such a mystery Christopher Parente  –  Feb 19, 2010 9:50 AM PDT

Thanks Michele for the added context, although the link doesn't work.

I haven't tracked this issue, but seems to me the answer to this question would be contained in any market research VeriSign did before introducing the new feature. Was consumer demand indicated? If not, it's no mystery that registrars aren't eager to incur a cost if they can't make the $ back from registrants. Nor may registrants be eager to pay extra to prevent mistakes being made.

Elisa — a question. You link in your piece to a TC article talking about a DNS Cache poisoning attack. Cache poisoning is possible due to a fundamental flaw in the DNS protocol. I don't see how any new locking service is going to prevent those types of attacks. Am I missing something?

Christopher - take the number out of Michele Neylon  –  Feb 19, 2010 9:53 AM PDT

Christopher - take the number out of the URL, go to the link and look for the document with that number.
It will make more sense :) Sorry - there was no way to link to the RSEP directly

Michele

I don't believe this paticular incident was cache poisoning Elisa Cooper  –  Feb 19, 2010 3:22 PM PDT

Christopher - I don't believe that this most recent attack was cache poisoning.

Please see link below:

http://economictimes.indiatimes.com/infotech/internet/TCS-falls-prey-to-cyber-attack/articleshow/5550038.cms

Thanks Christopher Parente  –  Feb 21, 2010 7:37 AM PDT

Thanks Elisa for the article. Doesn't sound like the author knows how the attack occurred:

Such denial of service could have been possible due to two-three reasons, the DNS server could have been attacked/ hacked or the cache was hijaked, taking advantage of some loopholes in the system. 

Do you know if Network Solutions responded in any way, after Tata pointed the finger at them?

To post comments, please login or create an account.

Related

Topics

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

DNS Security

Sponsored byAfilias