I recall a time when a company I had association with lost their main domains due to a failed renewal. In this case it was a long-term employee who left the company that had loads of company bills going to his card. He cancelled the card sometime after he left and the domains were not renewed. I’m not sure where the renewal failure emails were going but probably some unmonitored admin email box.
These were very important domains. Without them, this $1 billion+ company immediately lost all of its ability to generate revenue. It was quite shocking.
The problem was discovered when users started getting the registrar’s landing pages rather than the company website pages. It was fixed relatively quickly once identified but due to DNS propagation took about 48 hours for complete resolution. During the window unrecoverable revenue well into the hundreds of thousands was lost.
It seems to me that a domain renewal is always a risk, even with a highly reliable registrar. A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years). Even then you have a weak spot because your credit card will be expired by then so you should back that up with a calendar reminder a few months prior to renewal to make sure everything is set.
> A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years)
This is an interesting take. I prefer the opposite approach: choose the shortest possible registration window (1 year), and have a very clearly defined, properly-documented renewal process that multiple people at the company understand. It's unlikely that all of those people leave the company in a 1-year window, so the knowledge gets passed on reliably.
If a renewal happens only once every 10 years, then it seems very likely that the person responsible for it has moved on, knowledge around the process is lost, and at best the documentation is very out-of-date (but more likely it's missing).
My process is to have a shared calendar for these high-risk renewals. Top company officers should be on this calendar (CEO, CTO, and some engineering VPs). The calendar contains recurring events for domain and SSL cert renewals. These calendar events are set up for about 1-month before the actual renewal, and fire reminder emails at several intervals beforehand (in case people are away or on PTO).
While this statistically might be true, I believe that this is completely dependent on one's personality. Having extra chances to remedy a trouble (which, as can be seen from the article, may occur due to reasons completely out of hand) has notable benefits, such as eliminating such prolonged downtimes.
It is like having replacement toothpaste ready for your bathroom. It is such a nuisance to go out and buy it on the day it runs out, and more likely to have a day without if you do not keep replacements ready.
I personally found a period of 1-2 years to be the absolute worst. On the next cycle the man is gone because it's past the average tenure. The emails about it were lost or auto deleted. Any documentation or process is useless because the company or the supplier has changed.
To have a process be remembered, make it monthly or quarterly.
This is why it's important to use job scheduler software, admined by a NOC, to generate your own internal reminder emails set for a specific date and time in the future. The process of renewing a domain or buying anything that requires renewal should include a step to create the future reminder job.
This is vastly more powerful than you need to simply call a shell script which generates SMTP email to your firstname.lastname@example.org address, but can serve the purpose:
You can use this for all sorts of things like maintenance notifications, automated emails to a facilities group on N schedule to change air conditioning filters, whatever needs to occur on a specific recurring time schedule.
It's also important that these notifications are sent to an address that is permanently assigned to a role, e.g. email@example.com, rather than to any particular person, e.g. firstname.lastname@example.org. Steve might not be there the next time those domains come up for renewal.
The same rule applies to any email address that you use to purchase and renew domains and other critical services. If renewal emails are being sent to someone who doesn't work there anymore, something is very wrong.
The monthly process isn't necessarily to renew domains - it is to assess the situation to see if there are any that need renewing soon. Many months nothing will need doing, a couple of months per year something will need action.
Even as a small company we have a number of regular infrastructure reviews. Most of the time we just go through the review, find nothing has changed unexpectedly and no new ideas need bringing to the table, we sign off to say all looks well, and the process takes very little time. Some of this is automated: scripts collate and report information for signoff and we humans verify the result and take actions as needed (in some cases the action needed is to update the script(s)). This may seem wasteful, but a couple of people spending a couple of hours total per month on such checks can save some nasty surprises in future.
Domain status checks are one of the things that get reviewed.
We had this same argument about certificate expiration on a code signing project I worked on.
I maintained that having to remember to renew a cert every September was more likely to stick with someone than 18 months or two years. It also keeps your blacklist smaller because dead ones age off faster.
I don’t recall how it ended up but we added automated reminders every 30 days starting three months before expiry.
Probably late to this party but at my employer we have a contract with MarkMonitor under which domains are auto-renewed and then we are invoiced for the cost.
The advantage of this is that domain renewals are not broken by payment problems. Payment problems produce a failure state of "domain got renewed, the vendor is harassing us about an invoice"--which is much preferred to "domain did NOT get renewed, our site is down until we update our credit card." It also helps mitigate the "crucial employee departed" problem, since MarkMonitor won't just give up on an unpaid invoice... they will escalate if they don't get paid.
Of course as a matter of practice we always have multiple people with access to the dashboard, but if all those people got kidnapped at once, the domains would still renew.
I recognize that MarkMonitor is more expensive than Namecheap or GoDaddy or whoever, but I also bet that a lot of successful companies that are super reliant on their domains have never called for pricing. I don't work for a mega-corp; we're a nonprofit. And who knows, maybe other registrars may be willing to offer a similar payment structure.
(I'm not affiliated with MM in any way--just a happy customer.)
Personally, I'd rather have a corporate domain be renewed once per year and have a defined process for it (e.g. literally have a binder somewhere listing all the details, and put reviewing it on a checklist of other yearly legal and financial tasks) than have it be forgotten about for 10 years at a time.
I've set it up before to have 10y which is the max, and renew for 1 year every year. So the domain always has a lead time of 9-10 years but it is still renewed once a year for practice. For most domains that's like 100 bucks to lock it down for 10 years. You can also monitor the domain expiry in your monitoring system i.e. nagios or whatever you are using.
The problem with relying on auto-renew is that, sooner or later, your credit card will expire (or the employee who was in charge of the domain will be gone) and the renewal will fail. The account needs maintenance one way or another.
This is why -generally- there is a period after the domain expires in which it is locked and cannot be purchased by anyone other than the previous owner. Just in case someone tries to squat. There are a few registrars that do this. I've seen it (squatting) happen more to small businesses, because even if their site is showing the landing page they might not notice it until a month later and by then it has been released and squatted. Bigger companies with lots of traffic would usually get a notice from a customer or internal employee that the site is down. This is my experience at least.
Yeah, corporate attorneys and the legal system at large have never dealt with extortionists with your creativity before. I mean, doing it anonymously AND with a ticking time bomb element, only a true master villain could have thought of such a brilliant scheme!
Domain name dispute resolution policies would find in the company's favor pretty much immediately (due to their trademark rights, and your registration with bad-faith intent), so they'd get it back reasonably quickly one way or the other. :P
To be fair, unless you're a big company I'm pretty confident this could work. I don't know what police entity I'd have to turn to here in Belgium to complain about someone in the US running off with my startup's domain name. You'd need serious lawyers to go after this.
I know everyone thinks police are going to investigate and that I’m definitely going to prison, but the sad reality is they probably won’t and I’d probably never see a jail cell. They might look into it, maybe even set up a sting operation, but then in the end nothing might come of it anyway.
Trust me, I know of an ex-cofounder in a previous company who took off and disappeared with $175k from the company bank account, and despite our best efforts at getting justice or the money back, no one really gave a fuck, and there wasn’t much we could do unless we wanted to get into very expensive legal battles using money we didn’t have, against a person that was hard to get a hold of and with no guarantee of getting our money back, at least anytime soon (years). It was much more practical to just cut the losses and move on, making sure we could do everything to prevent it from happening again by someone else.
And the truth is this is how it is for a lot of things, the successful cases you hear of are really just a small percent of the crimes. Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end. Most people eventually give up. Unless you’re killing people or running drugs, there’s a lot of criminal arbitrage you can get away with due to how slow and how apathetic the law is.
Though I sometimes do think about the price I would have to pay if there was a reckoning.
The Chickenshit Club (that is, federal prosecutors in the last ten years) means that big company management can get away with white collar crime, paying other peoples’ money to make charges go away.
Workers or little people at big companies are still subject to prosecution for white collar crime. And apparently since criminal prosecutions are time consuming DOJ has decided to deprioritize them, so if you commit white collar crime for small dollar amounts you’re also likely to get away with it.
> Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end.
You're not making any sense. You started this entire thread by talking about how you'd hold this $billion+ company's domain ransom for tens of thousands of dollars per year, so your sad tale of woe about how you couldn't afford an attorney to chase down an embezzler is irrelevant.
The timing of this is an amazing coincidence — I recently “lost” my domain in the same way. I bought it originally on Namecheap but have since transferred all my domains into a singular Google Domains account. My main domain, where I have my personal site and all my important emails, disappeared without notice on Wednesday the 9th last week. No expiration notice sent, no information as to what had happened.
I contacted Google as soon as I noticed and they have been alright to deal with. Fortunately I am a Gsuite customer. I had to pay a fee to renew and another fee to restore, which was over $100. It’s been in “restoration” mode, ie offline, for days now and I am unable to even touch the DNS records until it’s back. I’ve already lost a week of uptime with zero recourse. FWIW I use a .co domain, and my site was throwing (for 24hrs or so) a splash page saying the domain was suspended.
Eagerly awaiting for it to come back but I’m totally in the dark as to timing.
The domain did expire, though I was never made aware of the upcoming expiration. My assumption is that there was some glitch between Namecheap, Google, and the .co domain authority... but I still don’t know exactly how my domain expired so silently. All my other domains were purchased through Google, this one was transferred in.
It really was a massive headache. I have no idea how long it would have taken me to notice (site is my authoritative presence on the web, but is a static personal page — no marketing or sales) and my email is a light trickle of messages by design: bills, bank statements, close personal relationships. Fortunately my brother told me his wedding invite bounced a day after going offline so I could follow up relatively quickly.
I filed a ticket with Google and got first line support within an hour. They confirmed it was still in Google's system. Then I was assigned a Senior Specialist who called me on Monday to confirm ownership. It is now Wednesday and my DNS records are still inaccessible.
If I were you I would definitely set an independent annual reminder to check your domain status, just in case.
I have the opposite issue with namecheap. I have my domains on auto-renew, and every time they're about to be due for their renewal, namecheap sends me a scary email saying I don't have the funds to renew, and only the next day do they auto-renew my domain.
I had that happen with them, when I first finally decided to trust their system to save my credit card information and turned on autorenew. Support told me it was/is because I have a couple of dollar balance with them from years and years ago, back when something involved making a transfer payment to my balance with them and then executing against that balance.
If you have autorenew set, it first tries to draw against any existing positive balance you have directly with Namecheap. If/when that doesn't work, it then next tries your preferred payment method (e.g. your registered and designated preferred credit card).
I was told if I found a way to clear my couple of buck balance with Namecheap, I'd no longer get the warning email. The first attempt would be against my credit card, which would work, and I'd just get one success email (after preceding "upcoming" emails and all that).
I don't know whether this is correct. It's what I was told by support over chat, IIRC.
One of the reasons I use Namecheap is because I've had good experiences in this realm. I get domain renewal and WhoisGuard notices a month before, a week before and on the day of expiry itself. Namecheap then always keeps expired domains in a grace period status for about two weeks where I can still renew after expiration.
About a day before they're completely unavailable for renewal, I'll also get an email from CloudFlare saying the nameservers aren't pointing to CF anymore (I use CF for active and parked domains.)
>Namecheap then always keeps expired domains in a grace period status for about two weeks where I can still renew after expiration.
That is standard behaviour for a domain-registrar, when a domain expires. When a domain expires the previous owner can re-register it during the grace period, after that for an extra fee it can be renewed in the redemption-period.
Finally just before a domain is available for re-registration by an unrelated party it will land in the pending-delete state.
Just to add onto this, the grace period is normally 10-20 days; some registrars leave the domain working during this time but some take it down. Then it goes into a "redemption period" for anywhere between 25 - 60 days. In the redemption period the registry tacks on a fee that is somewhere between $60 - $200 so the extra fee gets kicked up the chain.
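Added example, not part of the thread: a Nagios-style check covering the expiry monitoring and the grace, redemption and pending-delete states mentioned in the comments above. It reads an RDAP domain object (RFC 9083); the sample record, the 60/30-day thresholds and the function names are assumptions made for illustration.

```python
"""Nagios-style domain expiry check over an RDAP domain object (RFC 9083)."""
import json
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes
LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# RDAP status values (RFC 8056 mapping of the EPP statuses).
# Redemption / pending delete: the domain is on its way to being released.
# Holds: the domain has been pulled from the zone and no longer resolves.
CRITICAL_STATUS = {"redemption period", "pending delete",
                   "client hold", "server hold"}
# Auto renew period: the registry renewed the name at expiry, but the
# registrar can still delete it if the renewal is never paid for. The
# expiration date looks healthy in this state, so the status must be checked.
WARNING_STATUS = {"auto renew period"}

# Constructed sample record (not real registry data).
SAMPLE = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-02T10:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2025-03-02T10:00:00Z"}
  ]
}
""")


def parse_rfc3339(value):
    """Parse an RDAP eventDate; 'Z' is rewritten for older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiration_date(rdap):
    """Return the expiration event as an aware datetime, or None if absent."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            return parse_rfc3339(event["eventDate"])
    return None


def check_domain(rdap, now, warn_days=60, crit_days=30):
    """Return (exit_code, message) for one RDAP domain object."""
    name = rdap.get("ldhName", "?")
    status = {s.lower() for s in rdap.get("status", [])}

    bad = sorted(status & CRITICAL_STATUS)
    if bad:
        return CRITICAL, f"{name} has status: {', '.join(bad)}"

    try:
        expires = expiration_date(rdap)
        days_left = (expires - now).days if expires else None
    except (KeyError, ValueError, TypeError):
        return UNKNOWN, f"{name}: unreadable expiration event"
    if days_left is None:
        return UNKNOWN, f"{name}: no expiration event in RDAP record"

    if days_left < 0:
        return CRITICAL, f"{name} expired on {expires.date()}"
    if days_left <= crit_days:
        return CRITICAL, f"{name} expires in {days_left} days"
    if status & WARNING_STATUS:
        return WARNING, f"{name} is in auto renew period; confirm payment"
    if days_left <= warn_days:
        return WARNING, f"{name} expires in {days_left} days"
    return OK, f"{name} expires in {days_left} days"


def main(argv):
    # Optional argument: path to a saved RDAP JSON response for the domain.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            rdap = json.load(fh)
    else:
        rdap = SAMPLE
    code, message = check_domain(rdap, datetime.now(timezone.utc))
    print(f"DOMAIN {LABEL[code]} - {message}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run from the monitoring system against a saved RDAP response per domain, and route the alert to a role mailbox rather than a named person.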
Yeah, NameCheap is pretty flaky with the warning emails. I once had their WhoisGuard service expire (it was on a different renewal phase from the actual domain, for some reason), and I never received any warnings about the service expiring until they sent an email to notify me that the WHOIS records had been automatically updated.
I've since added a monthly calendar reminder to log in to all registrars and verify all services are still enabled and correctly configured with plenty of time left.
Wasn't Op complaining about Google DNS, not Namecheap? I've never had any notification issues with Namecheap after almost a decade of them managing most of my domains. If anything they over-communicate about expirations and auto-renewals. Auto-renew works well and even after an expiration it's usually easy and fast to get your domain back up.
I've used name.com for years and thankfully haven't had any of these issues.
Still domains are so cheap and these horror stories are so common that I realize this can happen with any registrar. There isn't enough publicity over issues like this for people to leave en masse, so financially I can see this happening. I know one small registrar company and it's like 10 people and they write everything in Perl and run everything in Docker.
Fun thing about name.com. I suggested it to my girlfriend and it turns out they don't require e-mail validation. She mis-typed her e-mail address when she registered, and now she can't get into her account. Forgot password doesn't work because it tries to e-mail an address that doesn't exist. She tried to contact them several times but I don't think the support staff understood the situation.
I use Google services for all my domain-connected stuff via Gsuite; that includes Hangouts, Google Drive, Gmail, Google Docs, Google Contacts. On a whim I decided to transfer in the domain. I also use Google Domains, now, to register domains for no specific reason.
There are no features or perks that I know of that compelled me to choose one registrar over the other. It was just a random act.
Over-engineering is when you make something to be more robust than is necessary for it to work successfully. Evidently depending on the registrar actually failed here (just as it has for many in the past), and this will surely happen again in the future. I don't see how making your system robust to failures that actually come up is over-engineering. It sounds more like just plain old engineering. (And I honestly also fail to see what is productive about pressing on with this conversation.)
That's a horrible situation, and one I'd encourage everyone to try to avoid - register production critical domains with a company that provides live phone support and stick with tried and true TLDs.
Yeah, it may cost more, but this story just illustrates that you're staking your entire company on a $15/yr service, and you get what you pay for.
Even if you want to run your marketing/landing page/etc off a .io or other fancy tld, run your production stuff off a .com or country-level equivalent so your customers aren't left in the lurch if something like this happens.
Even the most reputable tried and true do not guarantee anything. They can and will kick you out on a whim.
You can still mitigate the risk though. Use multiple domains in all marketing materials from different tlds and different registrars. Use regional domains. Have alternative ways to communicate with your customers. It's all very basic stuff. Merely thinking about it gets you far. Most people don't even think about it and blindly rely on centralized services: domain registrars, dns providers, cdn providers, single hosting/cloud provider, etc.
Would you mind providing some details on this approach? Multiple domains in marketing materials sounds like it would create confusion among customers. Are you specifically referring to companies with an international presence? Thanks
In practice people don't think about or even look at URLs, that's why phishing works. They recognize sites based on logos and stylesheets and often go to places by googling the brand name and clicking on the first link. If you forward every domain to a primary domain at the DNS level, your pagerank probably won't be hurt by this practice.
to go a step further, adding out of band contact info is a big deal.
Forward email@example.com to firstname.lastname@example.org and give it out in the emergency support info for support contracts. Add it to your status page as needed (which should be running on someone else's service or mycompanynamestatus.com).
Customers that really need your service, like the ones who pay, will check the status page and can update the endpoint as needed.
Make sure your sip lines don't point to mycompanyname.com.
If you publish a client side app, use 2 domain names as endpoints, mycompanyname.com and mycompanyname.io. Have the app or service check for and fail over if one doesn't work.
Make sure paging and technician notification is handled by a system that won't be affected by this. (Nothing more amazing than getting 200 pages AFTER you've spent 2 days recovering a total failure of a system. You just want to go to sleep but you have to wait for the email queue to drain since you can't turn your pager off.)
Either way, use 2 domain names, and set them to expire at 6 MO intervals. Buy the domain for 2 years (or more) and renew every year so you always have 1-2 year lead time to sort out issues.
The list above would probably cost about $200/year and a few extra hours but it keeps you from getting backed into a corner. Everything else in our infrastructures has fail overs, and limited blast radius for failures.
We tend to use domain registration as a single point of failure and no one even thinks about it.
Even if you pre-plan, how many of your customers will think some random e-mail from a totally different domain explaining the situation is not a phishing attempt? (The percentage that don't .. are probably the percentage with the least security sense).
Perhaps, though, in this situation, they had 2/3 days to make people aware.
Also, if they call customer service and you validate it, then they are only offline for a couple hours not days. Also, you should have a status page or twitter or something out of band that you tell people about the day they sign up. You can update there.
EVERY production service with customers needs an out of band way to update. And you have to build and announce that before you need it.
Indeed, there's a reason large multi-nationals use companies like MarkMonitor as their domain registrar, even if they could get the same for $30/year, the potential loss in revenue and brand damage could be worth tens of thousands.
It is a much harder balancing act for a startup, finding a domain registrar who is reputable and responsive but not "overly" expensive. Even if your entire business relies on it, $1K+/year just may not be in the cards even knowing the risks.
I haven't used it but Google Domains claims they have telephone support and are reasonably priced. Might be worth people checking out, their Gsuite support has been pretty good.
You don't have to go all the way to $1k+/yr to get much more peace of mind. For well under $100/yr, EasyDNS offers fantastic support.
My go-to example of their customer service philosophy: A number of years ago, there was some problem in the electric grid that resulted in power outages over most of the Eastern US and Canada. In response to just their customer service being unavailable for 1 hr during the much longer outage (their production services were unaffected), they offered me a partial refund without me even knowing what had happened. I didn't take it.
Usual disclaimer: Not affiliated with them in any way other than as a satisfied customer for more than a decade.
Ditto. Very happy with EasyDNS these last 6 years. Had some weird renewal issue 3 years ago similar to what the OP described but had someone on the phone immediately and the problem was resolved within the hour.
Paid gsuite has live 24/7 phone support. I've used 5-6 times over 8 years and gotten 5-star service every single time.
Haven't needed to call them in the past 18 mos. or so, however, and these things can change.
I have gripes about aspects of gsuite itself, in particular how they've removed a few features that I used from the $5/user/mo tier. Had to move to $10 tier to keep email content filtering (ability to use regex to prevent accidental SSN or CC inclusion). The filtering setup is much easier to use now, but the old system worked well enough.
>Paid gsuite has live 24/7 phone support. I've used 5-6 times over 8 years and gotten 5-star service every single time.
I've been a reseller for most of the decade and I can honestly say in all the times we've called, we have never had a single issue corrected by support. We usually end up having to find workarounds for bugs. The last time was an autosuspension our panel(s - there are two versions now) would not let us un-suspend the client. This left him without email for a week, while support would only respond during the early AM hours, and would repeatedly ask us to prove identity, even though we were registered resellers with admin panel access.
In all the years of working with different vendors, I honestly cannot think of a single one with a 0% success rate in their support.
Office 365 is pretty close to that, actually. You need Premier support to get anything useful.
My favorite O365 support story is where first level support dicked around so long with a missing mailbox that by the time they escalated the ticket, their backup had been overwritten. Luckily it was a user’s archive mailbox and we still had their source PSTs, so not a lot was lost.
> Office 365 is pretty close to that, actually. You need Premier support to get anything useful.
I haven't had too much experience with their service support, but their app support seemed decent. I was having an issue with S/MIME signatures not being parsed properly on Outlook iOS. Support chat seemed competent and knew what was happening (no support for S/MIME signatures yet).
Granted no one ever appears to use .io for its original purpose as the ccTLD for the British Indian Ocean Territory...
ccTLD management is delegated to a company in that nation usually. Unfortunately not all of them are equally well managed - I wouldn't consider gTLDs _exactly_ comparable to ccTLDs in this regard. ccTLDs get to differ in pretty key ways from gTLDs, including deciding their own dispute resolution processes (gTLDs all use the UDRP).
I'm pretty sure you can find a DC at either AMS-IX or DE-CIX where the contract won't allow them to kick you out during the politically heated time (i.e. you should find somewhere with a 1y+ term), and iirc both exchanges have, due to their non-profit nature, no ability to kick you out unless your actions are actually illegal. So, unless you get shut down by a court of law (both host countries have them (well, almost, but compared to the US they are great)), you get sufficient bandwidth at those providers.
Ofc eyeball networks can blackhole you w.r.t. their customers, but that is a whole different hurdle compared to just refusing to do business on the basis of freedom of contract/freedom of association.
Sure it will cost you, about $6k/month for 100Gbits, not including hardware and rackspace. But if you are 'just' concerned with your static website staying online on the clearnet, this should be affordable (i.e., you should be able to host them from ram, and serve up to 600Gbit/s from a 1U AMD Epyc, for like $7k in hardware, not counting the ram (15$/GiB of content you want to host, with a minimum of 32GiB, up to 512GiB getting a discount, and up to 2TiB being possible)).
Don't depend critically on companies risking political alignment with you, if what you do has any significant risk due to political association.
All I'm saying is that their own analogy is alarmingly lacking in self awareness, not commenting on what I believe.
Frankly though, this is blown way out of proportion. Plenty of people will do business with them. The Daily Stormer is just the ultimate martyr. They have mastered the art of doing one thing and saying another. They absolutely incite violence and hate, but they're careful to also simultaneously distance themselves from it and play the victim when they wonder why no big company really wants to do business with them. There's a reason why 4chan never really had this issue despite similarly controversial content and the answer isn't just "politics."
No, in my opinion, the real problem is that The Daily Stormer as an entity, is an Asshole. And just like they would in real life, they're being kicked out. Nobody has really made a compelling case otherwise, everyone seems more concerned that big companies actually made a non-neutral decision (something I wish they'd do more often in the era of fake news and large scale abuse, an era they facilitated...)
I see no slippery slope here. There's a balance to be had.
Given how quickly people are to falsely group people (e.g. Ben Shapiro and Prager being called Alt-Right), I see a huge slippery slope. There really is no balance to be had since balance requires nuance which doesn’t seem to scale, ask YouTube.
Network Solutions is an utter joke. I had them develop a website and the website was finished with web best practices from 15 years prior. Messy code, zero responsive design. Photoshop used to the max. Then the same website hosted with them was mysteriously "hacked" and disappeared. They had zero backups and continued charging to host the website they lost. Absolutely zero recourse for their incompetence. STAY AWAY
I used Network Solutions when they were the only game in town. Switched to Register in the late 90s. Just stuck with them because I didn't have any issues.
In the last 5-10 years the issues started growing. Finally, I hit a wall and transferred everything off their service.
I now get spam emails of them trying to trick me into switching my domains back. The vitriol their helpdesk people receive is about as shitty as I get. Maybe they don't deserve it in their role, but hopefully the angry emails will get them to find a better job asap.
I had some fun with NameCheap and the xyz tlds.
Turns out, CentralNic (who actually runs the zones) was not doing proper validation on the glue records, and not removing old ones. NameCheap was sending CentralNic cached records, and managed to foobar my domain glues.
I bypassed NameCheap, because I knew they weren't the ones actually maintaining the records (registrars are just middle-men.) Using the DNS contact in the SOA, I got a response within 12 hours, and it was fully resolved within 24 hours (minus propagation.)
CentralNic contacted NameCheap, as did I, and they got their system fixed within the week.
I use Namecheap and I generally like them. However I was having a repeat issue for several months using them for DNS with DNSSEC enabled. Basically, validation would fail because they'd let their records expire and "forget" to re-sign them. I'd notice my domains failing to resolve, and had to manually create a new record and delete it to force all my records to be re-signed. Support seemed clueless, and I stumbled across this workaround by accident.
I opened multiple support tickets with them, and each time the issue would re-appear in 1-3 months. Went on for probably a year or so and I was just about to move to a different DNS provider when it stopped happening.
My complaint is Namecheap bundles useless junk services with the domain for free the first year even though I never asked for them. Then come the second year, they charge you for it without sending any notifications about renewing those services as well. I have had this happen to me and it is really annoying since I had to argue with their support for a few days to get a refund.
My registrar suspended my domain because an abusive user was using a subdomain for phishing. They told me they can't inform me first of abuse so I can deal with it; they'll suspend the domain immediately.
Who's a good registrar that will contact me first if they get an abuse report?
The problem was the phishing, not the subdomain. If your app allows users to run phishing operations, moving the content from user.foo.com to www.foo.com/user probably won't help much in parent's scenario.
No. The problem is the subdomain. Allowing people to phish on a subdomain is lending the phisher the credibility of legitimate websites hosted on the domain. It’s like lending a thief your uniform so that he can disguise himself as an employee. You’re an accomplice when he uses it to steal.
> How is abuse reported? Can I be made aware of reports of abuse before the domain is suspended?
And support responded:
> Abuse reports can be submitted to our Abuse Team via email using email@example.com where reports are analyzed and investigated further. Warnings are not given out, however, unless the reporter also reached out to the registrant of the domain in question. If a domain has been found to be in violation of our terms of service, the necessary actions are taken.
I've been happy with EasyDNS for more than a decade. They charge a bit more but treat customers well and in the few instances where I've contacted support, they've been great. I know there's a lot of cheaper registrars, but $1/wk doesn't seem like a lot to me to never worry about this stuff.
I work for a domain registrar, albeit not the one mentioned in the article.
Obviously, we see a lot of expired domains on a daily basis, mainly because customers forget to renew despite us reminding them repeatedly during the three months before the domains expire.
1) Make sure there is more than one single contact person for invoicing. All too often, the problem is that a single employee is unavailable for some reason and that the rest of the business have no idea that the domain needs to be renewed.
2) Keep the contact details valid and up-to-date. This should be a no-brainer but a surprisingly large amount of businesses have domains registered to single employees, or with invalid contact emails.
3) Don't wait until the domains expire; renew the domains for at least one additional year. It will give you a whole year to fix stuff if you forget a reminder. EDIT: Or if the registrar screws up like in this case.
4) Automatic renewal is your friend. It's a last line of defense if all else fails.
5) Make sure you have a process for handling all of the above, even if you're a one-man business. Domain names are often critical for the business, and it's ridiculous to let the entire business rely upon a reminder sent 90 days before expiry.
Back in the late 90's before it was Verisign (I can't recall the name), my domain registration could only be changed with an email from my domain. Of course I didn't have my domain up since I switched ISP and had to move my DNS and mail server. Catch 22; what a cluster fuck. Weeks of phone calls with no resolutions.
I was going to Virginia anyway, so I physically showed up at Verisign (I wanted to bring a baseball bat), and explained it to the lady at the front desk. She came back with an engineer who fixed it in 5 minutes.
As a side note, had to do something similar with Garmin. They kept sending me GPS units with horizontal LCD polarization, when vertical is the standard for sunglasses. Showed up and told the clerk to put on my sunglasses and turn her head sideways to her LCD monitor. "Oh yeah, I see". She fetched an engineer, and 1 week later had a GPS with correct polarization.
Sometimes it takes a physical presence; baseball bat optional.
> before it was Verisign (I can't recall the name)
> so I physically showed up at Verisign (I wanted to bring a baseball bat)
Did you think to write a simple postal letter to them (say a VP or the CEO) rather than get angry enough to show up with a bat? Or send Fedex? Sure you shouldn't have to do that but from a practical angle it may have paid to do that.
Also more generally, once upon a time a GPS (Formally GPS Receiver) was a device the size of say, a multimeter, with a big battery pack, a simple monochrome unlit LCD panel display, and a radio (later, more expensive units had several radios). The device is doing fancy mathematics, and just receiving GPS signals, even the metadata about where to look for GPS satellites in the sky is available, very slowly, over GPS. It has no other source of data.
So you'd buy one or turn it on after uncrating it in a foreign country, and it'd literally spend ten or fifteen minutes calibrating, figuring out what the time is, what satellites are on what frequencies and which are above the horizon before it could at last discern your position. This was amazing if you genuinely didn't know where you were e.g. "Hmm, a desert". But you'd never have used one to go shopping - it took far too long.
Today your phone has a GPS with lots of radios (so it can listen to every satellite at the same time), it always knows the rough time, and it uses the Internet to get public shared data rather than wait to receive it slowly from GPS.
If you hold up two polarized sheets and rotate them, they'll get progressively darker until no light passes through when they are perpendicularly aligned. YouTube should have some videos, it was a pretty entertaining physics lab experiment.
Don't use *.io anyway. The domains are being sold under a very morally dubious arrangement, given the UK kicked all the people off the island of Chagos and gave the domain registration to a private entity.
Something that scares me regarding domain names is their variable cost. I purchased a .sexy domain for a joke website and its price got raised by +70% less than one year after that, making the joke a lot less appealing. There’s no guarantee that when you purchase a domain name it reasonably stays around that price for years.
Build a business on a domain -> the name increases by XX% -> you’re screwed and must pay.
.sexy is about 60-100$ per year. If you've built a business on it, paying double the amount should not hurt.
For me the most important thing about these new gTLDs is more about reputation of the gTLD registry. What if these go out of service? I'm pretty sure that there exists a protocol for that case, but I'm also sure that domains in a less popular new gTLD space might get far less protection from ICANN than any non-sponsored gTLD.
Sure, I hear you. If it's a registrar, it's okay, simply change it.
For a registry, I believe that they would risk their mass market business cases, but I'm also very sceptical about those ngTLDs for that reason.
ccTLDs can have similar issues to the new gTLDs - the administration of those is contracted out by ICANN too, usually to a State level body of some kind. The quality of these varies hugely as well. This is also why countries with desirable ccTLDs like .tv (Tuvalu) abuse their position by charging more for their TLD.
.io as used in this example was a ccTLD, and this issue was directly caused by its mismanagement.
This is one of the potential drawbacks of using ccTLDs like .io - individual nations are afforded much more control in the administration and dispute resolution process than gTLDs. Unfortunately some are run more poorly than others, which is why in this case the support agent states:
"Unlike common domain names [gTLDs] like .com or .nets. .IO's are managed by a specific organization, that manages only .IO domain names..."
.IO of course being the ccTLD for the British Indian Ocean Territory, run by these chaps: http://www.icb.co.uk/
At any rate, it's worth bearing in mind that ccTLDs are not administered the same way as a gTLD, and weird issues like this that are a pain to resolve can happen.
And every couple of years someone finds this out the hard way and goes on a big rant like this one. Particularly with the .IO ccTLD. Or .LY.
It tells me that the person running the business isn't very good at estimating the business risk of the technology they're using. That's when I start hoping I'm not a customer of theirs and invariably find out that I'm not. Phew.
Do not rely on other people to resolve time-sensitive issues when you can easily avoid it.
In this particular case as soon as it's clear the domain hasn't renewed despite being billed then manually renew it using the usual user interface, pay the extra $10 and then contact support after to get one of the charges refunded now the time-sensitivity is gone.
The stress alone isn't worth being out of pocket $10 let alone only for a week or two.
I believe that's true, I think the point stands though, when you realize a shit storm is coming, that's the right time to open your umbrella. Waiting until you've been out of business for three days is a little late.
I probably wouldn't stick around as a customer, not because they got screwed here but because they stood there with their hands on their head and watched the train wreck. That's the difference between amateurs and pros (and the pros learned this the hard way).
I create websites for small businesses. I've seen almost every conceivable domain renewal failure in my 20 years of experience. No matter how many times we remind clients to get this aspect of their business documented we still have sites go down every year. We charge a fee to "manage" domains for those who opt-in, solely for this reason (and it's worth it).
The most common reasons:
Bad contact email
Auto renew off
The more obscure:
Bought domain through a reseller who is now out of business (more common than you think)
"Branded" contact email which post expiration, no longer works.
Disgruntled "losing" webmaster who registered domain under his/her account and is now holding it hostage.
We spend a lot of time thinking about making our services resilient against failure at the infrastructure level, yet the domain registrar is often overlooked.
Not only do you have to worry about them making a technical mistake, there is also the risk of a phishing attack.
A while back I did a bit of research about what was the most reliable registrar and the only one that I could find was Markmonitor. Most of the big sites (google.com, facebook.com, etc.) use them. They offer lots of cool features that I had never heard of like registrar level locking and custom 'protocols' (like a phone call from X no. of authorised people) to validate a change. Plus some others that seemed less interesting (to me) such as the brand protection.
They do of course charge a pretty penny. From memory there was a minimum cost of $30k per year which allowed you pretty much as many domains as you might want and the promise of being able to get ahold of a human if something goes wrong.
I recommend using easydns.com as the registrar and DNS service. Their email helpdesk is fast: <30 minutes. They answer the phone immediately and they are knowledgeable. Phone support is during business hours, but the more expensive packages have 24hour support.
And yeah, you need to have a lot of faith to use .io or other new TLDs which are serviced by new companies.
I generally avoid metered services where cheap unmetered alternatives are available.
First of all, 5 million DNS requests sounds like very little. It probably isn't due to caching, but it's hard for me to judge what I need/whether that's enough.
Second, what happens when someone who doesn't like me decides to make 5 million DNS requests? 5 million packets sounds like something a decent connection might be able to fire out in a few seconds. If I pick their highest plan, will a person that has a grudge and a fast link capable of IP spoofing cost me $2/second (theoretically $5M/month, although I'm sure they'd show some mercy at that point)?
DNS results typically get cached for at least a few minutes, and most users use ISP or public DNS servers (eg, Google, CloudFlare, etc) which only do the lookup once for many users, so your authoritative DNS server will see only a fraction of the number of web requests you actually handle. I'd guess for most sites this is probably below 1% in terms of requests per second.
I had a related issue where a previous registrar — who we had moved away from months before — managed to accidentally "claw back" and disable our domain due to a misconfigured billing script. The fragility of the whole ecosystem is pretty scary.
Yes well. Don't use .io domains for anything serious.
I had one of the 20 largest .io domains for a time, until they shut us down because they received one complaint in 3 years. It took them 2 days after we resolved the matter to put the domain back online as well.
By that time I had already migrated to .org - which is run by a considerably more professional non-profit organization.
I worked at a domain registrar for over ten years. Every day I would have to deal with a call from some irate customer whose business was down because they forgot to renew the domain. This was after we would send them emails, starting a month before the renewal was due and then more frequently the closer they got to the renewal date. Many times they wouldn't even notice until the domain had passed the grace period, fully expired and been snatched up by some scalper and replaced with adverts.
Then they would be on the phone claiming to be losing thousands of pounds for every minute the website was offline and how it needed to be resolved right now or they would be sending in their lawyers.
If your business revolves around having a functional website, make sure you have a solid domain renewal plan in place and are hosting with a trustworthy registrar.
Domain registrar and DNS for a company are too critical and fragile to go cheap on.
For personal, hobby, one-off marketing domains; sure go cheap.
But for something you earn money from? Go with highly recommended providers. Registrars with a secure administration, good track record of customer service, high reliability, etc.
Also spread the risk around. Don't have domain, DNS, and services with one provider. E.g. register domain with Gandi, Hover etc, use DNS from Cloudflare, Route 53, etc, and host with GCP, Heroku etc (for example).
And use several providers if you have multiple domains in case one implodes. That way not all of your domains disappear overnight.
And as many have mentioned already on this topic: Have well documented, well practised renewal processes, and renew for multiple years if possible.
> And use several providers if you have multiple domains in case one implodes.
I'd add only one refinement: if possible, use domains with different top-level (national) authorities.
Sadly, this kind of operational wisdom is rapidly being lost by the emphasis on hiring "DevOps" engineers, with most of the emphasis on the "Dev" part, since they're often just coders against cloud APIs, with much less value placed on traditional sysadmin (or what ended up being called operations engineering during and after the dot-com boom) experience.
Now, of course, that makes sense not to hire a full-time 100% sysadmin if what you (think you) need is a 5% (or less) sysadmin. Also, most startups, and probably even larger businesses, are going to be easily lulled into complacency by the uptime records of the larger vendors (or really just AWS), when following the best practices for technical reliability. "Infrastructure as code" is supposed to alleviate the human/administrative risk, and I'm actually convinced that it does to a very large degree (just at a huge cost in markup/profit for Amazon for that infrastructure).
If this service was some run of the mill e-commerce or SaaS I wouldn't have this reaction, but being a critical monitoring service that was down for days, this reflects very poorly on them. My reaction is that I'd never use uptimechecker.io. Quite honestly I am baffled why they'd even want to write this post for others unaware of their company and the outage to discover. It does not reflect well on them, despite spinning it and rightly blaming domain.com.
Just use a respected and well known registrar such as Amazon Route 53 domains. This could have all been avoided. I know the blame "should" fall on domain.com, but ultimately startups are responsible for their service.
For a very long time, DNS simply has not been an identified risk for most corporations. In the risk analysis they make, DNS is not on the map at all, even though it may be a single point of complete collapse for them. Thus we see extremely large corporations depending on a single DNS provider, using a registrar that is more interested in profit than in resilience against attacks, no DNSSEC, etc. This is slowly changing. What is not changing fast enough is the ability to run more than one DNS provider, giving you yet another SPOF.
The whole domain registration system is a very complex and messy area to work with, from both a development and an end-user perspective. I speak from experience working at a hosting company implementing domain registrations directly with the registry systems.
It's an incomprehensible mishmash of TLDs implementing different methods of registering, renewing, and restoring domains. Some require ID verification before registrations, some have a quarantine of 1 week, others of 4 weeks, some no quarantine. Some domains need to be renewed before expiry, some can still be used 2 weeks after expiry, some domains allow transfers and trades, others don't or do under strict circumstances. Some require transfer codes, others don't. Some transfer codes are valid for 1 week, some are valid for longer.
There is no decent standardization on the technical level when it comes to managing domain registrations. There is the EPP protocol, but almost none of the registries implement a standardized way of registering domains, each implementing a mess of extensions to suit their bureaucratic needs.
ICANN introducing over 1.2k new gTLDs some time ago also didn't help, along with the introduction of domains containing non-standard Latin characters and the punycode implementation there (e.g. café.com is actually listed as xn--caf-dma.com).
I'm not trying to defend domain.com who obviously failed to deliver on the basics of decent support, but things like this (issues between domain vendor and registry) happen more than most of us like to admit.
This is an interesting discussion, as I’ve recently run into problems with transferring a domain from domain.com to Google Domains.
I’ve heard good things about Google Domains in the past and the price seemed right (never had a problem with domain.com, but they charge separately for domain privacy) and now I’m stuck in a Vonnegut-like situation. They locked my account because apparently the record that was transferred in doesn’t exactly match my uploaded govt ID. I can’t/won’t change my legal name, and the account is locked so I can’t fix the record. The phone support was sympathetic but said I had to go through email, which I’m pretty sure is an AI. This has been going on for a month now, and I’m pretty sure I’m never going to get this resolved.
I haven’t seen any discussion or experiences people have with AWS Route 53. Is that a valid option? Seems reasonable and has privacy included.
This wasn’t a technical problem with the domain. The DNS changed because op’s registrar failed to renew the domain. The website was working intermittently because of propagation, not a server issue.
Problems like this are why registrars renew domains a month before they expire. The way to avoid these issues is to check to see if your domain renews on time. If your registrar fails to renew it, you have ample time to transfer it to another registrar.
I used a free domain coupon from domain.com a few years ago, and was spammed with both snail mail and robocalls (advertising services for the domain) for months afterwards. I don't know whether they're selling customer data or what, but it left me with a very negative image of their company.
> I don't know whether they're selling customer data or what, but it left me with a very negative image of their company.
Whois is public and has always been as required by ICANN. If you don't understand how things work then be fair and don't blame what you think is the obvious cause or reason. There are valid reasons for whois being public and all registrars have this in their agreement and it is widely known.
On my previous job we had to manage thousands of customer domains, including annual renewal.
This was a very tedious task, so I wrote a Perl script, scraping WHOIS and DNS data for all domains listed on our DNS servers. Based on this data every domain was assigned a status, such as "Ok", "misconfigured", "about to expire", "points to foreign DNS server" or "points to foreign Web server". This script was scheduled to run every other day and sent a CSV report (full and diff from previous run) to a person responsible for domain renewal.
Needless to say, our support specialists were very happy with this improvement.
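A report of the kind described in the comment above can be sketched as follows. This is an added example in Python, not the commenter's Perl script: the domains, nameservers, addresses and WHOIS replies are constructed sample data, the WHOIS field names are the ones common gTLD registries print (other registries differ), and the rule used for "misconfigured" and the 30-day expiry window are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Everything below is constructed sample data, not real infrastructure.
OUR_NAMESERVERS = {"ns1.hosting.test", "ns2.hosting.test"}  # assumption
OUR_WEB_IPS = {"192.0.2.10", "192.0.2.11"}                  # assumption


def sample_whois(expiry, *nameservers):
    """Build a constructed WHOIS reply using common gTLD field names."""
    lines = [f"Registry Expiry Date: {expiry}T00:00:00Z"]
    lines += [f"Name Server: {ns.upper()}" for ns in nameservers]
    return "\n".join(lines)


OBSERVED = {  # what a scheduled run would have collected for each domain
    "alpha.test": {"whois": sample_whois("2025-01-15", *OUR_NAMESERVERS), "a": ["192.0.2.10"]},
    "bravo.test": {"whois": sample_whois("2024-03-20", *OUR_NAMESERVERS), "a": ["192.0.2.11"]},
    "charlie.test": {"whois": sample_whois("2024-11-02", "ns1.elsewhere.test"), "a": ["192.0.2.10"]},
    "delta.test": {"whois": sample_whois("2024-09-09", *OUR_NAMESERVERS), "a": ["198.51.100.7"]},
    "echo.test": {"whois": 'No match for domain "ECHO.TEST".', "a": []},
}


def parse_whois(text):
    """Extract the expiry date and nameserver set from a WHOIS reply."""
    expiry, nameservers = None, set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "registry expiry date":
            expiry = datetime.fromisoformat(value.replace("Z", "+00:00"))
        elif key == "name server":
            nameservers.add(value.lower().rstrip("."))
    return expiry, nameservers


def classify(obs, now, warn=timedelta(days=30)):
    """Assign one status per domain, most urgent condition first."""
    expiry, nameservers = parse_whois(obs["whois"])
    if expiry is None or not nameservers:
        return "misconfigured"  # assumption: no usable registration data
    if expiry - now <= warn:
        return "about to expire"
    if not nameservers <= OUR_NAMESERVERS:
        return "points to foreign DNS server"
    if not set(obs["a"]) <= OUR_WEB_IPS:
        return "points to foreign Web server"
    return "Ok"


def build_report(observed, now):
    return {domain: classify(obs, now) for domain, obs in observed.items()}


def diff_reports(previous, current):
    """Rows (domain, old status, new status) for anything that changed."""
    return [(d, previous.get(d, "new"), s)
            for d, s in sorted(current.items()) if previous.get(d) != s]


def to_csv(report):
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["domain", "status"])
    writer.writerows(sorted(report.items()))
    return out.getvalue()


if __name__ == "__main__":
    current = build_report(OBSERVED, datetime(2024, 3, 1, tzinfo=timezone.utc))
    print(to_csv(current))
```

The diff against the previous run is what makes the report actionable: only domains whose status changed need a person's attention.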
Mistakes and glitches happen. Op should have noticed their domain did not renew a month before it expired, not just before.
DNS and domain propagation are slow turning ships. If a problem occurs, you sometimes need days to straighten out the problems.
> I tried to set nameservers to correct values, but Control panel returned error: uptimechekcer.io is not managed here!
They misspelled their own domain in this article. It seems their problem is a lack of attention to detail.
The complaint about charging for domain registration is nonsense. Domain registrations are non-refundable. If a registrar ever registered domains for customers before payment, they’d quickly find themselves out of business. Payment is always up front across the industry.
Big domain registrars usually operate on such low profit margins that a single support ticket costs more than that customer will ever create in revenue. This creates a very clear incentive model to focus on growth and keeping support costs down.
I work at a smaller registrar and we usually close (resolve) tickets within minutes and as a policy under the hour. We depend on word of mouth and contacts for sale, so we kind of have the opposite incentive model. I may be biased but I recommend avoiding the race to the bottom registrars for business critical domains.
A lot of domain registrars seem to go for the "pile it high, sell it cheap" business model. I think as with any other commodity that a tech business (or any business!) needs to run, you pick your suppliers carefully.
In the UK, I wouldn't touch 123Reg with a stick because I know their support is terrible. I would however use Gandi or AWS as I know their support is decent.
I recall UnitedDomains (German provider) who wanted me in 2016 to fax the request to update the contact information. Fax it.
Times are mature for the equivalent of Letsencrypt for registering domains, something like Letsregistrar.
We need to have this inefficient industry wiped away since it's really too much manual and too much in the way.
If somebody wants to found a nonprofit to create a free registrar, I'm 100% in.
United Domains rely on manual things for a very large part of domain-related service processes which are "uncommon" for a private or small domain owner.
> If somebody wants to found a nonprofit to create a free registrar, I'm 100% in.
For the German market I remember the good old times with InternetX before they were bought by United Internet. Had some good talks with their tech support back then.
A "free" registrar is maybe not the right solution. The key is "care" for your domain. Take your example of "letsencrypt". They exist because they automate everything. They don't "care" if your certificate causes troubles, they'd just fix their API. With domain registrars the story is different: You need a good support to prevent fraud, you need a good contact to registries if something goes wrong. Key learning here is: In 99% of the cases with domains, everything is fine. But if you find yourself in the 1% where trouble occurs, you need immediate support of competent people. Not sure if this is a case for a "community" or "free" registrar. More a business case for MarkMonitor without the Brand Protection: Simply a domain registrar who cares.
I don't know if this is a culture thing or personal style, but the author keeps emphasizing that the story is true. To me, that reduces credibility since I've often heard false stories whose narrators reiterated their truthfulness unexpectedly when I wasn't doubting them. Not very reliable logic, I know, but it's a small warning bell.
I always wonder how people care about "good prices" if they choose a registrar. Quite often the domain name is the most valuable asset of your company. As long as you are not a domain squatter you shouldn't care about if you pay $10 or $1000 per year. And if possible register the name for the next 10 years in advance.
None of the .ly domain registrars have auto-renew. They have an option to send you a yearly invoice and a link to login, which they call "auto-renew", but it doesn't actually take the all-important step of renewing. Lost a great domain because of that.
Yes, I've heard of domain.com. In fact, we even used it for one of our products. We tried to purchase wildcard SSL via their control panel - the result was a delay from our go-live schedule by as much as more than a week. It was the most horrible control panel I've ever used honestly. Feels like a bug from the alpha release candidate V1 bugs list. There's this weird bug when it suddenly deletes all our mailboxes for no reason. The moment we saw that bug we immediately stopped using it.
The support? The first guy that tends to you will always be the stupidest one. You almost always had to insist to get/be forwarded to a senior level support with an actual brain.
tl;dr Stay 100 miles away from domain.com.
By the way it wasn't me that chose domain.com. I would never buy from any website that looks like this.
While Google's registrar seems ok right now, Google's support is nonexistent when things go wrong. Literally every bit of their support is outsourced to 3rd-party companies that provide no path of escalation.
Even the really bad registrars (and there are a ton) usually have some direct support (or resell off enom, which will extort your money for the privilege of bailing you out).
Using TLDs run by monkey operators via registrars run by barely competent companies is like screwing $5 full service hookers in NYC without a condom -- should you choose to do that you should not be surprised that you at best get gonorrhea and syphilis.