Home / Blogs

Domain Registry Locking Program: It Is There for a Reason, So Why Not Use It?

It seems like every week, news of yet another high-profile domain hijacking occurs. Whether it’s stolen credentials, SQL injection attacks, or even the work of disgruntled employees, the number of incidents has been on the rise.

At the beginning of last year, MarkMonitor participated in VeriSign’s beta program to test server-level protections which were designed to mitigate the potential for unintended domain name changes, deletions and transfers. When VeriSign finally released their Registry Locking Program to all registrars, I expected to see the owners of highly trafficked sites flocking to this new offering.

However, after a review of the top 300 most highly trafficked sites, I was shocked to uncover that less than 10% of these valuable domains were protected using these newly available security measures.

So why aren’t more companies protecting themselves?

Given the value of these highly trafficked domains, I cannot imagine that the additional fees associated with employing this level of service are the deterrent.

I can only imagine that either the offering hasn’t been made widely available, or that confusion as to whether a domain is locked it to blame.

When it comes to domain locking, there is often quite a bit of confusion as to how to determine whether a domain is 1) “locked” within a portal, or 2) “locked” at the Registrar, or 3) “locked” at the Registry.

Only domains that have the following statuses are considered to be “locked” at the Registry, and cannot be modified using standard protocols.

  • client delete prohibited
  • client transfer prohibited
  • client update prohibited
  • server delete prohibited
  • server transfer prohibited
  • server update prohibited

For the owners of highly trafficked domains, I would strongly recommend adding this level of security to protect valuable domains. It is there for a reason, so why not use it?

By Elisa Cooper, Head of Marketing, GoDaddy Corporate Domains

Filed Under


Good Article Jothan Frakes  –  Feb 17, 2010 10:06 PM

This is a good point, Elisa. 

Some registrars charge extra for the ‘enhanced security’ that flipping those three extra statuses on requires and have built in new products or services around the higher security that is available for a domain like this.

I am sure that ‘so why not use it’? is a rhetorical question, but I’d reckon that adoption of these statuses is something that requires registrars to make programming changes or modify their existing systems. Many of the registrars have a ‘set and forget’ policy on such changes, or add in the upgrade as a feature when doing other enhancements, like adding TLDs.

JothanElisa isn't talking about "normal" locksVerisign introduced Michele Neylon  –  Feb 18, 2010 10:56 PM

Jothan Elisa isn't talking about "normal" locks Verisign introduced a new locking service a couple of months ago, which is a totally different system. (See: http://www.icann.org/en/registries/rsep/ 2009005) Registrars pay a premium per domain per month (it gets cheaper based on volume) to enable the lock on a per domain basis. Obviously the registrant would have to pay that premium plus a markup from the registrar's end. I've no idea how many registrars have actually signed up to offer the service nor how many have actually deployed it. Regards Michele

Actually, doesn't seem like such a mystery Christopher Parente  –  Feb 19, 2010 4:50 PM

Thanks Michele for the added context, although the link doesn’t work.

I haven’t tracked this issue, but seems to me the answer to this question would be contained in any market research VeriSign did before introducing the new feature. Was consumer demand indicated? If not, it’s no mystery that registrars aren’t eager to incur a cost if they can’t make the $ back from registrants. Nor may registrants be eager to pay extra to prevent mistakes being made.

Elisa—a question. You link in your piece to a TC article talking about a DNS Cache poisoning attack. Cache poisoning is possible due to a fundamental flaw in the DNS protocol. I don’t see how any new locking service is going to prevent those types of attacks. Am I missing something?

Christopher - take the number out of Michele Neylon  –  Feb 19, 2010 4:53 PM

Christopher - take the number out of the URL, go to the link and look for the document with that number. It will make more sense :) Sorry - there was no way to link to the RSEP directly Michele

I don't believe this paticular incident was cache poisoning Elisa Cooper  –  Feb 19, 2010 10:22 PM

Christopher - I don't believe that this most recent attack was cache poisoning. Please see link below: http://economictimes.indiatimes.com/infotech/internet/TCS-falls-prey-to-cyber-attack/articleshow/5550038.cms

Thanks Christopher Parente  –  Feb 21, 2010 2:37 PM

Thanks Elisa for the article. Doesn't sound like the author knows how the attack occurred: Such denial of service could have been possible due to two-three reasons, the DNS server could have been attacked/ hacked or the cache was hijaked, taking advantage of some loopholes in the system. Do you know if Network Solutions responded in any way, after Tata pointed the finger at them?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix