After recently moving my Domain name to a new provider I completed a quick evaluation of some of the “value-added” services that you can use with a registered domain name.  Typical services such as Secret Registration, Domain-Locking, contact managers, and priority support options all surfaced.

Perhaps one less popular option I came across was the Registry-Lock status that can be placed on a domain name.  You may be more familiar with the commonly used Registrar-Lock option which prevents a domain name from being transferred-out to another provider without the lock first being removed.

In contrast, the Registry-Lock facility appears to be an option that very few accredited domain registrars provide to their customers.  A recent inquiry to DynDNS (a major DNS provider that is also an accredited domain registrar) resulted in a response indicating that such a service was not required nor available from them.  It appears that other Domain providers tend to differ on the subject with a small subset actively advertising the service.  In my Research I immediately found a few companies advertising the Registry-Lock on their websites; Verisign, Buydomains.com, and Neustar Registry Services.

One of the main goals in “locking” a domain is to prevent the unauthorised or malicious transfer of the domain to another provider.  It essentially helps to stop a domain name from being “stolen”.  With locking at the Registrar level (Registrar-Lock), the owner of the domain would typically need to log into their account with the provider and then manually select the option to remove the lock before any transfers are allowed to take place.

An adversary wanting to steal a domain would be required to compromise the domain owners account in order to disable the locking facility.  Not unplausible given that online accounts are compromised every day via social engineering, brute force attacks, weaknesses in website security, or simply malware installed on the target users machine designed to steal credentials.

The difference between a Registrar-lock and a Registry-Lock is that the blocking mechanism exists at the ICANN registry level.  For changes to be made to domain records while a Registry lock is in place, it must first be removed from the registry. Accredited domain providers such as the examples listed earlier all have a facility to remove the locks, and often subject requester’s to enhanced security protocols before proceeding.

Verisign decribe their Registry Lock Service below:

The Registry Lock Service will enable you to offer server-level protection for your registrants’ .com and .net domain name records. This service can be used in conjunction with your proprietary security measures to provide a greater level of safety for registrants’ domain names and to mitigate the potential for unintended changes, deletions or transfers. With the Registry Lock Service, you can provide your registrants with the highest level of record security for their most valuable and highly visible domain names.

Perhaps one reason why domain providers (e.g. DynDNS) do not offer this option is the fact that they themselves lose some control in modifying domain records and must contact the registry directly for changes to be completed.  I also note that some accredited registers actively charge resellers for this “added value” service.

I’m interested to know who else out there is using Registry-Lock, and is it providing the benefits that you require?

You may also be interested in:

1. Switching Off Sim Lock on the Samsung W531 Cell Phone The Samsung W531 Cellphone is currently being marketed and sold...

Tags: DynDNS, Registrar-Lock, Registry-Lock

This entry was posted on Saturday, May 7th, 2011 at 12:05 pm and is filed under Observations. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.