Home / Blogs

ICANN Transfer Policy: Domain Hijacking Got Easier or Did It?

Slashdot recently ran a story about the upcoming changes to the ICANN rules governing domain transfers between registrars. A blog entry at Netcraft referenced by the story stated that:

...domain transfer requests will be automatically approved in five days unless they are explicitly denied by the account owner. This is a change from current procedure, in which a domain’s ownership and nameservers remain unchanged if there is no response to a transfer request. This could mean trouble for domain owners who don’t closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk, as the domain’s WHOIS database information will be used to inform domain owners of transfer requests. A non-response becomes the equivalent of answering “yes” to a transfer request, according to the ICANN policy change.

However, a closer look at the actual rules makes it clear that it is not as bad as the story makes it out to be. The registrars still have the right to deny transfers if the domain is in “lock” status (which is a free service from most registrars):

Upon denying a transfer request for any of the following reasons, the Registrar of Record must provide the Registered Name Holder and the potential Gaining Registrar with the reason for denial. The Registrar of Record may deny a transfer request only in the following specific instances:


7. A domain name was already in “lock status” provided that the Registrar provides a readily accessible and reasonable means for the Registered Name Holder to remove the lock status.

While the actual policy change is a bit worse than it was before, it is not as bad as people make it out to be. Just make sure to lock your domains!

By Yakov Shafranovich, Software Architect & Consultant

Filed Under


Jothan Frakes  –  Nov 11, 2004 10:23 PM

This is going to play out in an interesting manner.

Although this was implemented to solve one problem (namely a situation where a registrant may be unable to transfer a domain away from their current registrar), it creates a new set of issues.

This new transfer policy has the potential to play out exactly way that long distance carrier slamming did in the 90’s over the next few months.

The new ICANN Transfer policy, while streamlining one’s ability to transfer names under one’s own management to the registrar of their choice, does in fact create a more open opportunity for someone to transfer a name away from you.

Basically, the status-quo transfer policy is explicitly one where a transfer must be opted into, and works like this:
1] Transfer request made by gaining registrar via RRP/EPP the registry level.
2] IF a domain is on registrar-lock, the gaining registrar’s RRP/EPP request is immediately denied at the registry level, STOP HERE.
3] IF the domain is not locked, the gaining Registrar’s RRP/EPP Transfer request proceeds with the next step of the transfer request at the registry.  The domain is now in pending transfer status at the registry (the status is in place for 5 days), but no transfer has occurred.
4] The losing registrar has 5 days to ACK the transfer so that it can proceed.  At this point, most losing registrars notify their registrant is emailed by losing registrar notifying them of the transfer request and that they need to acknowledge that this is what they want.
5] Either a response of NO (NACK) or the absence of a response from losing registrar registrant within that 5 day period = Transfer Declined. STOP.
6] If the transfer request was explicitly acknowledged in some manner by the losing registrar, the transfer proceeds at the registry.
7] The gaining registrar becomes the registrar of record, and one year is added to the registration term.  FINIS

The new transfer policy is such that the first two conditions remain the same with regard to registrar-lock. 

The key difference is that a transfer must be explicitly declined within that 5 day period, or else the domain gets transferred away from your current registrar.

While it is a good scenario for those who have the best of intentions in transferring their own domain to the registrar of their own choice, the new policy creates opportunity for those with less altruistic intentions for your domain name to potentially take it from you.

I personally use over 80 Registrars’ interfaces to manage a variety of domain names.  I have been frantically working to get all of my various names registrar-locked since this policy was approved. 

For the most part, there has been success, as most of the top registrars have interfaces in place to allow names to have their registrar lock status be controlled by the user, per name.  While these registrars may not add this registrar lock by default, a registrant can modify their settings themselves to their preference.

Many of the smaller registrars who either don’t have an interface or lease their connection threads to (pool/drop) registrars simply may not have any form of management panels where a registrant may self manage this status.

It is not clear that names in these registrar’s care are not exposed to potential rogue transfer requests.

The best and only protection one has against having a domain name transferred out from under them is to have their domains in registrar-lock status.

It is simple to check if a domain is on registrar-lock status by looking at the results of a registry whois for the name. 

The registry will identify that the name is on registrar-lock or not.

I have also found monitoring sites that watch domain names (i.e. DomainsBot, Godaddy, eNOM, Whois Source, more…) 

I encourage domain holders who are not certain that they have their portfolios locked down to do so and validate their settings, just to have peace of mind.

I anticipate that we will be hearing of folks whose names are transferred away from them in the coming weeks, and I hope that it is not anyone in this readership.


Michele Neylon  –  Nov 12, 2004 1:12 AM

What I would be very concerned about is the likes of DROA. As things stand “companies” like them tend to prey on the not so technically literate clients. What will happen now? Will we see a situation where more of these scammers gain ground in the marketplace at the behest of our unsuspecting clients?
It is at times like this that I am extremely happy that ccTLDs like IE are fully managed.

Jothan Frakes  –  Nov 20, 2004 12:05 AM

Domain Adminstrators, Be alert!

I had the first opportunity to block an unauthorized transfer request on a domain name on 11/17 (exactly 5 days into this new policy).

An unauthorized transfer on a domain was initiated by BulkRegister.com (allegedly by a rogue member/reseller).

This new transfer policy is a completely subutopian in the way that the burden of responsibility has been shifted to the domain owner.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Domain Names

Sponsored byVerisign