Home / Blogs

ICANN Transfer Policy: Domain Hijacking Got Easier or Did It?

Slashdot recently ran a story about the upcoming changes to the ICANN rules governing domain transfers between registrars. A blog entry at Netcraft referenced by the story stated that:

...domain transfer requests will be automatically approved in five days unless they are explicitly denied by the account owner. This is a change from current procedure, in which a domain's ownership and nameservers remain unchanged if there is no response to a transfer request. This could mean trouble for domain owners who don't closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk, as the domain's WHOIS database information will be used to inform domain owners of transfer requests. A non-response becomes the equivalent of answering "yes" to a transfer request, according to the ICANN policy change.

However, a closer look at the actual rules makes it clear that it is not as bad as the story makes it out to be. The registrars still have the right to deny transfers if the domain is in "lock" status (which is a free service from most registrars):

Upon denying a transfer request for any of the following reasons, the Registrar of Record must provide the Registered Name Holder and the potential Gaining Registrar with the reason for denial. The Registrar of Record may deny a transfer request only in the following specific instances:


7. A domain name was already in “lock status” provided that the Registrar provides a readily accessible and reasonable means for the Registered Name Holder to remove the lock status.

While the actual policy change is a bit worse than it was before, it is not as bad as people make it out to be. Just make sure to lock your domains!

By Yakov Shafranovich, Software Architect & Consultant. More blog posts from Yakov Shafranovich can also be read here.

Related topics: DNS, Domain Names, ICANN, Whois

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Jothan Frakes  –  Nov 11, 2004 2:23 PM PST

This is going to play out in an interesting manner.

Although this was implemented to solve one problem (namely a situation where a registrant may be unable to transfer a domain away from their current registrar), it creates a new set of issues.

This new transfer policy has the potential to play out exactly way that long distance carrier slamming did in the 90's over the next few months.

The new ICANN Transfer policy, while streamlining one's ability to transfer names under one's own management to the registrar of their choice, does in fact create a more open opportunity for someone to transfer a name away from you.

Basically, the status-quo transfer policy is explicitly one where a transfer must be opted into, and works like this:
1] Transfer request made by gaining registrar via RRP/EPP the registry level.
2] IF a domain is on registrar-lock, the gaining registrar's RRP/EPP request is immediately denied at the registry level, STOP HERE.
3] IF the domain is not locked, the gaining Registrar's RRP/EPP Transfer request proceeds with the next step of the transfer request at the registry.  The domain is now in pending transfer status at the registry (the status is in place for 5 days), but no transfer has occurred.
4] The losing registrar has 5 days to ACK the transfer so that it can proceed.  At this point, most losing registrars notify their registrant is emailed by losing registrar notifying them of the transfer request and that they need to acknowledge that this is what they want.
5] Either a response of NO (NACK) or the absence of a response from losing registrar registrant within that 5 day period = Transfer Declined. STOP.
6] If the transfer request was explicitly acknowledged in some manner by the losing registrar, the transfer proceeds at the registry.
7] The gaining registrar becomes the registrar of record, and one year is added to the registration term.  FINIS

The new transfer policy is such that the first two conditions remain the same with regard to registrar-lock. 

The key difference is that a transfer must be explicitly declined within that 5 day period, or else the domain gets transferred away from your current registrar.

While it is a good scenario for those who have the best of intentions in transferring their own domain to the registrar of their own choice, the new policy creates opportunity for those with less altruistic intentions for your domain name to potentially take it from you.

I personally use over 80 Registrars' interfaces to manage a variety of domain names.  I have been frantically working to get all of my various names registrar-locked since this policy was approved. 

For the most part, there has been success, as most of the top registrars have interfaces in place to allow names to have their registrar lock status be controlled by the user, per name.  While these registrars may not add this registrar lock by default, a registrant can modify their settings themselves to their preference.

Many of the smaller registrars who either don't have an interface or lease their connection threads to (pool/drop) registrars simply may not have any form of management panels where a registrant may self manage this status.

It is not clear that names in these registrar's care are not exposed to potential rogue transfer requests.

The best and only protection one has against having a domain name transferred out from under them is to have their domains in registrar-lock status.

It is simple to check if a domain is on registrar-lock status by looking at the results of a registry whois for the name. 

The registry will identify that the name is on registrar-lock or not.

I have also found monitoring sites that watch domain names (i.e. DomainsBot, Godaddy, eNOM, Whois Source, more...)

I encourage domain holders who are not certain that they have their portfolios locked down to do so and validate their settings, just to have peace of mind.

I anticipate that we will be hearing of folks whose names are transferred away from them in the coming weeks, and I hope that it is not anyone in this readership.


Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Michele Neylon  –  Nov 11, 2004 5:12 PM PST

What I would be very concerned about is the likes of DROA. As things stand "companies" like them tend to prey on the not so technically literate clients. What will happen now? Will we see a situation where more of these scammers gain ground in the marketplace at the behest of our unsuspecting clients?
It is at times like this that I am extremely happy that ccTLDs like IE are fully managed.

Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Jothan Frakes  –  Nov 19, 2004 4:05 PM PST

Domain Adminstrators, Be alert!

I had the first opportunity to block an unauthorized transfer request on a domain name on 11/17 (exactly 5 days into this new policy).

An unauthorized transfer on a domain was initiated by BulkRegister.com (allegedly by a rogue member/reseller).

This new transfer policy is a completely subutopian in the way that the burden of responsibility has been shifted to the domain owner.

To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

ICANN's Registry Audits Begin Next Week. Are You Prepared?

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

NSW Government Launches .sydney Domain

New .VOTE and .VOTO Domains Now Available

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign Launches New Monthly Blog Series: Top 10 Keywords Registered in .COM and .NET

.LGBT Public Launch Begins Today

Verisign Celebrates .com's 30th Anniversary, Launches Domain Name Contest

New .LGBT Domain Sunrise Period Begins

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Minds + Machines in 2014 and 2015

DNW Podcast Interview with Antony Van Couvering

TLD Registry and Right of the Dot Establish a Domain Name Industry "Dream Team"

"Chinese Domaining Masterclass" to be Presented at NamesCon Las Vegas in January 2015

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

LogicBoxes Announces Automation Solutions for ccTLD

TLD Registry Wins Best Marketing Award at China New gTLD Roadshow

Video Interviews from ICANN 51 in Los Angeles

Update on Minds + Machines' Top-Level Domain Launches

Sponsored Topics



Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines

DNS Security

Sponsored by


Sponsored by