Domain transfers are shocking
19th Oct 2016 | 14:25
I have a bit of a bee in my bonnet about using domain names consistently as part of an organization's branding and communications. I don't much like the proliferation of special-purpose or short-term vanity domains.
They are particularly vexing when I am doing something security-sensitive. For example, domain name transfers. I'd like to be sure that someone is not trying to race with my transfer and steal the domain name, say.
Let's have a look at a practical example: transferring a domain from Gandi to Mythic Beasts.
(I like Gandi, but getting the University to pay their domain fees is a massive chore. So I'm moving to Mythic Beasts, who are local, friendly, accommodating, and able to invoice us.)
Edited to add: The following is more ranty and critical than is entirely fair. I should make it clear that both Mythic Beasts and Gandi are right at the top of my list of companies that it is good to work with.
This just happens to be an example where I get to see both ends of the transfer. In most cases I am transferring to or from someone else, so I don't get to see the whole process, and the technicalities are trivial compared to the human co-ordination!
    Return-Path: <firstname.lastname@example.org>
    Message-Id: <DIGITS.DATE-osrs-transfers-DIGITS@cron01.osrs.prod.tucows.net>
    From: "Transfer" <email@example.com>
    Subject: Transfer Request for EXAMPLE.ORG

    https://approve.domainadmin.com/transfer/?domain=EXAMPLE.ORG
A classic! Four different domain names, none of which identify either of our suppliers! But I know Mythic Beasts are an OpenSRS reseller, and OpenSRS is a Tucows service.
Let's see what whois has to say about the others...
    Domain Name: REGISTRARMAIL.NET
    Registrant Name: Domain Admin
    Registrant Organization: Yummynames.com
    Registrant Street: 96 Mowat Avenue
    Registrant City: Toronto
    Registrant Email: firstname.lastname@example.org
"Yummynames". Oh kaaaay.
    Domain Name: YUMMYNAMES.COM
    Registrant Name: Domain Admin
    Registrant Organization: Tucows.com Co.
    Registrant Street: 96 Mowat Ave.
    Registrant City: Toronto
    Registrant Email: email@example.com
Well I suppose that's OK, but it's a bit of a rabbit hole.
    $ dig +short mx registrarmail.net
    10 mx.registrarmail.net.cust.a.hostedemail.com.
Even more generic than Fastmail's infrastructure domain :-)
    Domain Name: HOSTEDEMAIL.COM
    Registrant Name: Domain Admin
    Registrant Organization: Tucows Inc
    Registrant Street: 96 Mowat Ave.
    Registrant City: Toronto
    Registrant Email: firstname.lastname@example.org
The domain in the ns-not-in-service.com is an odd one. I have seen it in whois records before, in an obscure context.
When a domain needs to be cancelled, there can sometimes be glue records inside the domain which also need to be cancelled. But they can't be cancelled if other domains depend on those glue records. So, the registrar renames the glue records into a place-holder domain, allowing the original domain to be cancelled.
So it's weird to see one of these cancellation workaround placeholder domains used for customer communications.
    Domain Name: NS-NOT-IN-SERVICE.COM
    Registrant Name: Tucows Inc.
    Registrant Organization: Tucows Inc.
    Registrant Street: 96 Mowat Ave
    Registrant City: Toronto
    Registrant Email: email@example.com
Tucows could do better at keeping their whois records consistent!
    Domain Name: DOMAINADMIN.COM
    Registrant Name: Tucows.com Co. Tucows.com Co.
    Registrant Organization: Tucows.com Co.
    Registrant Street: 96 Mowat Ave
    Registrant City: Toronto
    Registrant Email: firstname.lastname@example.org
So good they named it twice!
    Return-Path: <bounce+VERP@bounce.gandi.net>
    Message-ID: <DATE.DIGITS@brgbnd28.bi1.0x35.net>
    From: "<noreply"@domainnameverification.net
    Subject: [GANDI] IMPORTANT: Outbound transfer of EXAMPLE.ORG to another provider

    http://domainnameverification.net/transferout_foa/?fqdn=EXAMPLE.ORG
The syntactic anomaly in the From: line is a nice touch.
domainnameverification.net belongs to Gandi.
    Registrant Name: NOC GANDI
    Registrant Organization: GANDI SAS
    Registrant Street: 63-65 Boulevard MASSENA
    Registrant City: Paris
    Registrant Email: email@example.com
Impressively consistent whois :-)
    Return-Path: <firstname.lastname@example.org>
    Message-Id: <DIGITS.DATE-osrs-transfers-DIGITS@cron01.osrs.prod.tucows.net>
    From: "Transfers" <email@example.com>
    Subject: Domain EXAMPLE.ORG successfully transferred
OK, so this message has the reseller's branding, but the first one didn't?!
The web sites
To confirm a transfer, you have to paste an EPP authorization code into the old and new registrars' confirmation web sites.
The first site https://approve.domainadmin.com/transfer/ has very bare-bones OpenSRS branding. It's a bit of a pity they don't allow resellers to add their own branding.
The second site is unbranded; it isn't clear to me why it isn't part of Gandi's normal web site and user interface. Also, it is plain HTTP without TLS!
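
As an added example (not part of the original post), the checks made by hand above can be scripted: the Python below pulls the domains out of the Gandi message's Return-Path, Message-ID and From headers and its confirmation link, reports any outside the set you expect, and flags links without TLS. The EXPECTED set and the two-label base_domain shortcut are assumptions; real code would consult the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Headers and link copied from the Gandi message quoted in the post.
SAMPLE = """\
Return-Path: <bounce+VERP@bounce.gandi.net>
Message-ID: <DATE.DIGITS@brgbnd28.bi1.0x35.net>
From: "<noreply"@domainnameverification.net
Subject: [GANDI] IMPORTANT: Outbound transfer of EXAMPLE.ORG to another provider

http://domainnameverification.net/transferout_foa/?fqdn=EXAMPLE.ORG
"""

# Assumption: the domains you already associate with this registrar.
EXPECTED = {"gandi.net"}

ADDR_HEADERS = ("return-path", "message-id", "from")
AT_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")  # tolerant of the odd From: syntax
URL = re.compile(r"https?://[^\s<>\"]+", re.I)

def base_domain(host):
    """Naive registrable domain: the last two labels (assumption, no PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def audit(message, expected):
    """Return ({unexpected domain: [where seen]}, [links without TLS])."""
    head, _, body = message.partition("\n\n")
    seen = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        if name.lower() in ADDR_HEADERS:
            for host in AT_DOMAIN.findall(value):
                seen.setdefault(base_domain(host), []).append(name)
    insecure = []
    for url in URL.findall(body):
        parts = urlsplit(url)
        seen.setdefault(base_domain(parts.hostname or ""), []).append("link")
        if parts.scheme.lower() != "https":
            insecure.append(url)
    unexpected = {d: s for d, s in seen.items() if d not in expected}
    return unexpected, insecure

if __name__ == "__main__":
    unexpected, insecure = audit(SAMPLE, EXPECTED)
    for domain, sources in sorted(unexpected.items()):
        print(f"unfamiliar domain {domain} (seen in {', '.join(sources)})")
    for url in insecure:
        print(f"link without TLS: {url}")
```

An unfamiliar domain in the output is a prompt to check whois as above, not a verdict on the message.
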
What I would like from this kind of process is an impression that it is reassuringly simple - not involving loads of unexpected organizations and web sites, difficult to screw up by being inattentive. The actual experience is shambolic.
And remember that basically all Internet security rests on domain name ownership, and this is part of the process of maintaining that ownership.
Here endeth the rant.