[DNS] anti hijacking provision Re: Changes to policy

From: Kirk Fletcher <kirk§enetica.com.au>
Date: Tue, 27 Sep 2005 17:27:23 +1000
>
> > I think a transfer is an opportunity to apply some anti-hijacking
> > and some education about auDRP. The registrar can send out a
> > confirmation email with a token/code in it that the real owner
> > needs to return back to the registrar.  Both sides can be given
> > information on auDRP and cybersquatting and should be made to
> > verify that the transfer is in good faith.
>
> Confirmation of transfer is a must, unlike the do-nothing and the
> domain gets transferred approach of TLDs, which is a pain.

I agree with your confirmation request requirement, but feel I
need to point out that with regard to gTLDs:

Although gTLD transfers are indeed a pain, the gaining registrar still
requires email confirmation from the current registrant or admin contact
before sending the transfer request to the registry (just like .au).

However, with gTLDs, the losing registrar can then send ANOTHER
confirmation email to the registrant asking them if they want to
transfer away, and (unlike .au) has the option of cancelling the
transfer.

Until last year, the losing registrar could bury their "confirmation" in
a long-winded email, and then reject the transfer on the grounds
that the "user didn't confirm."  The changes that came in last year
addressed this matter by:

1) Requiring standard transfer confirmation text
2) Only allowing the losing registrar to cancel if they receive an
    explicit transfer rejection from the customer.  If they don't
    cancel within 5 days, the transfer goes through.

It is this second point that many people (incorrectly) criticise as a
"do nothing and lose your domain" policy.  Many registrars will
now lock their clients' domains by default so that the transfer
cannot be initiated in the first place... and this is why gTLD transfers
are a pain...  It should be noted that with .au, the losing registrar
cannot automatically cancel the transfer (though they can chase
it up with auDA if they believe it to be suspect).

The big difference with .au of course is that you also require a
domain password to transfer... this, more than anything (even the
confirmation email), is what makes .au transfers more secure.

>
> > All of this can be done automatically and the domain then inserted (or
> > that might probably be done earlier) into a registrar's standard processing
> > queues.
>
> Idea works well, and should be able to be tacked onto an existing system
> without too much trouble.

Agreed... it's just another type of transfer.

Regards,
Kirk Fletcher
Received on Tue Sep 27 2005 - 07:27:23 UTC
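
The two controls discussed in this message, a token emailed to the contact on record and the domain password, can be combined into one approval check. The sketch below is an added example, not part of the original message or any registrar's code; the function names, the server key handling and the 5-day token lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # registrar-side secret (assumption)
TOKEN_TTL = 5 * 24 * 3600             # constructed token lifetime, in seconds
_used = set()                         # tokens already redeemed (single use)

def _mac(domain, contact, expires, nonce):
    # Bind the token to one domain and one contact address.
    msg = "|".join([domain.lower(), contact.lower(), str(expires), nonce])
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()

def issue_token(domain, contact, now=None):
    """Token to email to the registrant or admin contact on record."""
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_TTL
    nonce = secrets.token_hex(8)
    return f"{expires}.{nonce}.{_mac(domain, contact, expires, nonce)}"

def hash_password(password, salt):
    # The domain password is stored only as a salted, stretched hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def approve_transfer(domain, contact, token, password, stored, now=None):
    """stored = (salt, hash) kept for the domain password.
    Returns (approved, reason); any missing or failed check refuses."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, nonce, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False, "malformed token"
    good = _mac(domain, contact, expires, nonce)
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return False, "token not issued for this domain/contact"
    if now > expires:
        return False, "token expired"
    if token in _used:
        return False, "token already used"
    salt, expected = stored
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return False, "wrong domain password"
    _used.add(token)  # burn the token only once the transfer is approved
    return True, "approved"
```

Silence never approves anything here: the transfer proceeds only when the token comes back and the domain password matches, and both comparisons are constant-time.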