Home / Blogs

ICANN Transfer Policy: Domain Hijacking Got Easier or Did It?

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.

Slashdot recently ran a story about the upcoming changes to the ICANN rules governing domain transfers between registrars. A blog entry at Netcraft referenced by the story stated that:

...domain transfer requests will be automatically approved in five days unless they are explicitly denied by the account owner. This is a change from current procedure, in which a domain's ownership and nameservers remain unchanged if there is no response to a transfer request. This could mean trouble for domain owners who don't closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk, as the domain's WHOIS database information will be used to inform domain owners of transfer requests. A non-response becomes the equivalent of answering "yes" to a transfer request, according to the ICANN policy change.

However, a closer look at the actual rules makes it clear that it is not as bad as the story makes it out to be. The registrars still have the right to deny transfers if the domain is in "lock" status (which is a free service from most registrars):

Upon denying a transfer request for any of the following reasons, the Registrar of Record must provide the Registered Name Holder and the potential Gaining Registrar with the reason for denial. The Registrar of Record may deny a transfer request only in the following specific instances:


7. A domain name was already in “lock status” provided that the Registrar provides a readily accessible and reasonable means for the Registered Name Holder to remove the lock status.

While the actual policy change is a bit worse than it was before, it is not as bad as people make it out to be. Just make sure to lock your domains!

By Yakov Shafranovich, Software Architect & Consultant. More blog posts from Yakov Shafranovich can also be read here.

Related topics: DNS, Domain Names, ICANN, Whois



Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Jothan Frakes  –  Nov 11, 2004 3:23 PM PDT

This is going to play out in an interesting manner.

Although this was implemented to solve one problem (namely a situation where a registrant may be unable to transfer a domain away from their current registrar), it creates a new set of issues.

This new transfer policy has the potential to play out exactly way that long distance carrier slamming did in the 90's over the next few months.

The new ICANN Transfer policy, while streamlining one's ability to transfer names under one's own management to the registrar of their choice, does in fact create a more open opportunity for someone to transfer a name away from you.

Basically, the status-quo transfer policy is explicitly one where a transfer must be opted into, and works like this:
1] Transfer request made by gaining registrar via RRP/EPP the registry level.
2] IF a domain is on registrar-lock, the gaining registrar's RRP/EPP request is immediately denied at the registry level, STOP HERE.
3] IF the domain is not locked, the gaining Registrar's RRP/EPP Transfer request proceeds with the next step of the transfer request at the registry.  The domain is now in pending transfer status at the registry (the status is in place for 5 days), but no transfer has occurred.
4] The losing registrar has 5 days to ACK the transfer so that it can proceed.  At this point, most losing registrars notify their registrant is emailed by losing registrar notifying them of the transfer request and that they need to acknowledge that this is what they want.
5] Either a response of NO (NACK) or the absence of a response from losing registrar registrant within that 5 day period = Transfer Declined. STOP.
6] If the transfer request was explicitly acknowledged in some manner by the losing registrar, the transfer proceeds at the registry.
7] The gaining registrar becomes the registrar of record, and one year is added to the registration term.  FINIS

The new transfer policy is such that the first two conditions remain the same with regard to registrar-lock. 

The key difference is that a transfer must be explicitly declined within that 5 day period, or else the domain gets transferred away from your current registrar.

While it is a good scenario for those who have the best of intentions in transferring their own domain to the registrar of their own choice, the new policy creates opportunity for those with less altruistic intentions for your domain name to potentially take it from you.

I personally use over 80 Registrars' interfaces to manage a variety of domain names.  I have been frantically working to get all of my various names registrar-locked since this policy was approved. 

For the most part, there has been success, as most of the top registrars have interfaces in place to allow names to have their registrar lock status be controlled by the user, per name.  While these registrars may not add this registrar lock by default, a registrant can modify their settings themselves to their preference.

Many of the smaller registrars who either don't have an interface or lease their connection threads to (pool/drop) registrars simply may not have any form of management panels where a registrant may self manage this status.

It is not clear that names in these registrar's care are not exposed to potential rogue transfer requests.

The best and only protection one has against having a domain name transferred out from under them is to have their domains in registrar-lock status.

It is simple to check if a domain is on registrar-lock status by looking at the results of a registry whois for the name. 

The registry will identify that the name is on registrar-lock or not.

I have also found monitoring sites that watch domain names (i.e. DomainsBot, Godaddy, eNOM, Whois Source, more...)

I encourage domain holders who are not certain that they have their portfolios locked down to do so and validate their settings, just to have peace of mind.

I anticipate that we will be hearing of folks whose names are transferred away from them in the coming weeks, and I hope that it is not anyone in this readership.


Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Michele Neylon  –  Nov 11, 2004 6:12 PM PDT

What I would be very concerned about is the likes of DROA. As things stand "companies" like them tend to prey on the not so technically literate clients. What will happen now? Will we see a situation where more of these scammers gain ground in the marketplace at the behest of our unsuspecting clients?
It is at times like this that I am extremely happy that ccTLDs like IE are fully managed.

Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Jothan Frakes  –  Nov 19, 2004 5:05 PM PDT

Domain Adminstrators, Be alert!

I had the first opportunity to block an unauthorized transfer request on a domain name on 11/17 (exactly 5 days into this new policy).

An unauthorized transfer on a domain was initiated by BulkRegister.com (allegedly by a rogue member/reseller).

This new transfer policy is a completely subutopian in the way that the burden of responsibility has been shifted to the domain owner.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Afilias Chairman Jonathan Robinson Wins ICANN's 2016 Leadership Award at ICANN 57

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

8 Tips to Find Your Perfect .COM Domain Name

Why .com is the Venture Capital Community's Power Player

Radix Launches Startup League at TechCrunch

Celebrating One Year of .online

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

LogicBoxes Launches the New Elite Reseller Program

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Effective Strategies to Build Your Reseller Channel (Webinar)

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

.STORE Grosses Over $1 Million Before the Close of Day 1