Using TLDs ran by monkey operators via registrars ran by barely competent companies is like screwing $5 full service hookers in NYC without a condom -- should you choose to do that you should not be surprised that you at best get gonorrhea and syphilis.
Here is the obligatory post about how bad .io treated security less than 1 year back [1]. Someone was able to take over the whole .io zone just by registering a few domains.
That's a horrible situation, and one I'd encourage everyone to try to avoid - register production critical domains with a company that provides live phone support and stick with tried and true TLDs.
Yeah, it may cost more, but this story just illustrates that you're staking your entire company on a $15/yr service, and you get what you pay for.
Even if you want to run your marketing/landing page/etc off a .io or other fancy tld, run your production stuff off a .com or country-level equivalent so your customers aren't left in the lurch if something like this happens.
Indeed, there's a reason large multi-nationals use companies like MarkMonitor as their Domain Register, even if they could get the same for $30/year, the potential loss in revenue and brand damage could be worth tens of thousands.
It is a much harder balancing act for a startup, finding a domain register who is reputable and responsive but not "overly" expensive. Even if your entire business relies on it, $1K+/year just may not be in the cards even knowing the risks.
I haven't used it but Google Domains claims they have telephone support and are reasonably priced. Might be worth people checking out, their Gsuite support has been pretty good.
Paid gsuite has live 24/7 phone support. I've used 5-6 times over 8 years and gotten 5-star service every single time.
Haven't needed to call them in the past 18 mos. or so, however, and these things can change.
I have gripes about aspects of gsuite itself, in particular how they've removed a few features that I used from the $5/user/mo tier. Had to move to $10 tier to keep email content filtering (ability to use regex to prevent accidental SSN or CC inclusion). The filtering setup is much easier to use now, but the old system worked well enough.
>Paid gsuite has live 24/7 phone support. I've used 5-6 times over 8 years and gotten 5-star service every single time.
I've been a reseller for most of the decade and I can honestly say in all the times we've called, we have never had a single issue corrected by support. We usually end up having to find workarounds for bugs. The last time was an autosuspension our panel(s - there are two versions now) would not let us un-suspend the client. This left him without email for a week, while support would only respond during the early AM hours, and would repeatedly ask us to prove identity, even though we were registered resellers with admin panel access.
In all the years of working with different vendors, I honestly cannot think of a single one with a 0% success rate in their support.
Office 365 is pretty close to that, actually. You need Premier support to get anything useful.
My favorite O365 support story is where first level support dicked around so long with a missing mailbox that by the time they escalated the ticket, their backup had been overwritten. Luckily it was a user’s archive mailbox and we still had their source PSTs, so not a lot was lost.
> Office 365 is pretty close to that, actually. You need Premier support to get anything useful.
I haven't had too much experience with their service support, but their app support seemed decent. I was having an issue with S/MIME signatures not being parsed properly on Outlook iOS. Support chat seemed competent and knew what was happening (no support for S/MIME signatures yet).
You don't have to go all the way to $1k+/yr to get much more piece of mind. For well under $100/yr, EasyDNS offers fantastic support.
My go-to example of their customer service philosophy: A number of years ago, there was some problem in the electric grid that resulted in power outages over most of the Eastern US and Canada. In response to just their customer service being unavailable for 1 hr during the much longer outage (their production services were unaffected), they offered me a partial refund without me even knowing what had happened. I didn't take it.
Usual disclaimer: Not affiliated with them in any way other than as a satisfied customer for more than a decade.
Ditto. Very happy with EasyDNS these last 6 years. Had some wierd renewal issue 3 years ago similar to what the OP described but had someone on the phone immediately and the problem was resolved within the hour.
Even the most reputable tried and true do not guarantee anything. They can and will kick you out on a whim.
You can still mitigate the risk though. Use multiple domains in all marketing materials from different tlds and different registrars. Use regional domains. Have alternative ways to communicate with your customers. It's all very basic stuff. Merely thinking about it gets you far. Most people don't even think about it and blindly rely on centralized services: domain registrars, dns providers, cdn providers, single hosting/cloud provider, etc.
Would you mind providing some details on this approach? Multiple domains in marketing materials sounds like it would create confusion among customers. Are you specifically referring to companies with an international presence? Thanks
In practice people don't think about or even look at URLs, that's why phishing works. They recognize sites based on logos and stylesheets and often go to places by googling the brand name and clicking on the first link. If you forward every domain to a primary domain at the DNS level, your pagerank probably won't be hurt by this practice.
to go a step further, adding out of band contact info is a big deal.
Forward mycompanyname@gmail.com to info@mycompanyname.com and give it out in the emergency support info for support contracts Add it to your status page as needed, (which should be running on someone else's service or mycompanynamestaus.com).
Customers that really need your service, like the ones who pay, will check the status page and can update the endpoint as needed.
Make sure your sip lines don't point to mycompanyname.com.
If you publish a client side app, use 2 domain names as endpoints, mycompanyname.com and mycompanyname.io. Have the app or service check for and fail over if one doesn't work.
Make sure paging and technician notification is handled by a system that won't be affected by this. (nothing more amazing then getting 200 pages AFTER you've spent 2 days recovering a total failure of a system. You just want to go to sleep but you have to wait for the email queue to drain since you can't turn your pager off.)
Either way, use 2 domain names, and set them to expire at 6 MO intervals. Buy the domain for 2 years (or more) and renew every year so you always have 1-2 year lead time to sort out issues.
The list above would probably cost about $200/year and a few extra hours but it keeps you from getting backed into a corner. Everything else in our infrastructures has fail overs, and limited blast radius for failures.
We tend to us domain registration as a single point of failure and one one even things about it.
Even if you pre-plan, how many of your customers will think some random e-mail from a totally different domain explaining the situation are not a Phishing attempt? (The percentage that don't .. are probably the percentage with the least security sense).
Perhaps, though, in this situation, the had 2/3 days to make people aware.
Also, if the call customer service and you validate it, then they are only offline for a couple hours not days. Also, you should have a status page or twitter or something out of band that you tell people about the day they sign up. You can update there.
EVERY production service with customers needs an out of band way to update. And you have to build and announce that before you need it.
This is no guarantee. GoDaddy and Google Domains, in particular, have demonstrated willingness to throw you into clientHold hell for political reasons, even for "tried and true TLDs".
I'm pretty sure you can find a DC at either AMS-IX or DE-CIX where the contract won't allow them to kick you out during the politically heated time (i.e. you should find somewhere with a 1y+ term), and iirc both exchanges have, due to their non-profit nature, no ability to kick you out unless your actions are actually illegal. So, unless you get shut down by a court of law (both host countries have them (well, almost, but compared to the US they are great)), you get sufficient bandwidth at those providers.
Ofc eyeball networks can blackhole you w.r.t. their customers, but that is a whole different hurdle compared to just refusing to do business on the basis of freedom of contract/freedom of association.
Sure it will cost you, about $6k/month for 100Gbits, not including hardware and rackspace. But if you are 'just' concerned with your static website staying online on the clearnet, this should be affordable (i.e., you should be able to host them from ram, and serve up to 600Gbit/s from a 1U AMD Epyc, for like $7k in hardware, not counting the ram (15$/GiB of content you want to host, with a minimum of 32GiB, up to 512GiB getting a discount, and up to 2TiB being possible)).
Don't depend critically on companies risking political alignment with you, if what you do has any significant risk due to political association.
>The Daily Stormer, a website with highly controversial hate speech, was recently scrubbed from the Internet.
>A store cannot have blacks only and whites only bathrooms or water fountains.
It's amazing how someone can unironically defend the plight of a website that they admit produces "highly controversial hate speech" by comparing it indirectly to none other than racial segregation.
All I'm saying is that their own analogy is alarmingly lacking in self awareness, not commenting on what I believe.
Frankly though, this is blown way out of proportion. Plenty of people will do business with them. The Daily Stormer is just the ultimate martyr. They have mastered the art of doing one thing and saying another. They absolutely incite violence and hate, but they're careful to also simultaneously distance themselves from it and play the victim when they wonder why no big company really wants to do business with them. There's a reason why 4chan never really had this issue despite similarly controversial content and the answer isn't just "politics."
No, in my opinion, the real problem is that The Daily Stormer as an entity, is an Asshole. And just like they would in real life, they're being kicked out. Nobody has really made a compelling case otherwise, everyone seems more concerned that big companies actually made a non-nuetral decision (something I wish they'd do more often in the era of fake news and large scale abuse, an era they facilitated...)
I see no slippery slope here. There's a balance to be had.
Given how quickly people are to falsely group people (e.g. Ben Shapiro and Prager being called Alt-Right), I see a huge slippery slope. There really is no balance to be had since balance requires nuance which doesn’t seem to scale, ask YouTube.
Network Solutions is an utter joke. I had them develop a website and the website was finished with web best practices from 15 years prior. Messy code, zero responsive design. Photoshop used to the max. Then the same website hosted with them was mysteriously "hacked" and disappeared. They had zero backups and continued charging to host the website they lost. Absolutely zero recourse for their incompetence. STAY AWAY
I used Network Solutions when they were the only game in town. Switched to Register in the late 90s. Just stuck with them because I didn't have any issues.
In the last 5-10 years the issues started growing. Finally, I hit a wall and transferred everything off their service.
I now get spam emails of them trying to trick me into switching my domains back. The vitriol their helpdesk people receive is about as shitty as I get. Maybe they don't deserve it in their role, but hopefully the angry emails will get them to find a better job asap.
Granted no one ever appears to use .io for it's original purpose as the ccTLD for the British Indian Ocean Territory...
ccTLD management is delegated to a company in that nation usually. Unfortunately not all of them are equally well managed - I wouldn't consider gTLDs _exactly_ comparable to ccTLDs in this regard. ccTLDs get to differ in pretty key ways from gTLDs, including deciding their own dispute resolution processes (gTLDs all use the UDRP).
My registrar suspended my domain because an abusive user was using a subdomain for phishing. They told me they can't inform me first of abuse so I can deal with it; they'll suspend the domain immediately.
Who's a good registrar that will contact me first if they get an abuse report?
Yep, I've learned that hosting other people's stuff on your domain will harm the domain's reputation. Use a different domain for user content, and make it fungible.
The problem was the phishing, not the subdomain. If your app allows users to run phishing operations, moving the content from user.foo.com to www.foo.com/user probably won't help much in parent's scenario.
No. The problem is the subdomain. Allowing people to phish on a subdomain is lending the phisher the credibility of legitimate websites hosted on the domain. It’s like lending a thief your uniform so that he can disguise himself as an employee. You’re an accomplice when he uses it to steal.
I have to disagree. A phishing scam from "billing.foo.com" would be much harder to spot than one from "user-content.foo.com/billing". Especially if the user has free reign over the style + content.
If the user is going to be able to design + style the pages any way they want, having something in the URL to indicate it's still user content is important.
I've been happy with EasyDNS for more than a decade. They charge a bit more but treat customers well and in the few instances where I've contacted support, they've been great. I know there's a lot of cheaper registrars, but $1/wk doesn't seem like a lot to me to never worry about this stuff.
> How is abuse reported? Can I be made aware of reports of abuse before the domain is suspended?
And support responded:
> Abuse reports can be submitted to our Abuse Team via email using registrar-abuse@google.com where reports are analyzed and investigated further. Warnings are not given out, however, unless the reporter also reached out to the registrant of the domain in question. If a domain has been found to be in violation of our terms of service, the necessary actions are taken.
It’s your domain. They are under no obligation to report to you something you are doing. Phishers would use these emails to test whether or not they’re avoiding detection.
The timing of this is an amazing coincidence — I recently “lost” my domain in the same way. I bought it originally on Namecheap but have since transferred all my domains into a singular Google Domains account. My main domain, where I have my personal site and all my important emails, disappeared without notice on Wednesday the 9th last week. No expiration notice sent, no information as to what had happened.
I contacted Google as soon as I noticed and hey have been alright to deal with. Fortunately I am a Gsuite customer. I had to pay a fee to renew and another fee to restore, which was over $100. It’s been in “restoration” mode, ie offline, for days now and I am unable to even touch the DNS records until it’s back. I’ve already lost a week of uptime with zero recourse. FWIW I use a .co domain, and my site was throwing (for 24hrs or so) a splash page saying the domain was suspended.
Eagerly awaiting for it to come back but I’m totally in the dark as to timing.
I get so many emails from Google leading up to and after expiration it's a nuisance. As for parent's issue, I think if you let your domain expire that's 100% on you.
The domain did expire, though I was never made aware of the upcoming expiration. My assumption is that there was some glitch between Namecheap, Google, and the .co domain authority... but I still don’t know exactly how my domain expired so silently. All my other domains were purchased through Google, this one was transferred in.
It really was a massive headache. I have no idea how long it would have taken me to notice (site is my authoritative presence on the web, but is a static personal page — no marketing or sales) and my email is a light trickle of messages by design: bills, bank statements, close personal relationships. Fortunately my brother told me his wedding invite bounced a day after going offline so I could follow up relatively quickly.
I filed a ticket with Google and got first line support within an hour. They confirmed it was still in Googles system. Then I was assigned a Senior Specialist who called me on Monday to confirm ownership. It is now Wednesday and my DNS records are still inaccessible.
If I were you I would definitely set an independent annual reminder to check your domain status, just in case.
Yeah, NameCheap is pretty flaky with the warning emails. I once had their WhoisGuard service expire (it was on a different renewal phase from the actual domain, for some reason), and I never received any warnings about the service expiring until they sent an email to notify me that the WHOIS records had been automatically updated.
I've since added a monthly calendar reminder to log in to all registrars and verify all services are still enabled and correctly configured with plenty of time left.
I have the opposite issue with namecheap. I have my domains on auto-renew, and every time they're about to be due for their renewal, namecheap sends me a scary email saying I don't have the funds to renew, and only the next day do they auto-renew my domain.
I had that happen with them, when I first finally decided to trust their system to save my credit card information and turned on autorenew. Support told me it was/is because I have a couple of dollar balance with them from years and years ago, back when something involved making a transfer payment to my balance with them and then executing against that balance.
If you have autorenew set, it first tries to draw against any existing positive balance you have directly with Namecheap. If/when that doesn't work, it then next tries your preferred payment method (e.g. your registered and designated preferred credit card).
I was told if I found a way to clear my couple of buck balance with Namecheap, I'd no longer get the warning email. The first attempt would be against my credit card, which would work, and I'd just get one success email (after preceding "upcoming" emails and all that).
I don't know whether this is correct. It's what I was told by support over chat, IIRC.
One of the reasons I use Namecheap is because I've had good experiences in this realm. I get domain renewal and WhoisGuard notices a month before, a week before and on the day of expiry itself. Namecheap then always keeps expired domains in a grace period status for about two weeks where I can still renew after expiration.
About a day before they're completely unavailable for renewal, I'll also get an email from CloudFlare saying the nameservers aren't pointing to CF anymore (I use CF for active and parked domains.)
>Namecheap then always keeps expired domains in a grace period status for about two weeks where I can still renew after expiration.
That is standard behaviour for a domain-registrar, when a domain expires. When a domain expires the previous owner can re-register it during the grace period, after that for an extra fee it can be renewed in the redemption-period.
Finally just before a domain is available for re-registration by an unrelated party it will land in the pending-delete state.
Just add onto this, the grace period is normally 10-20 days some registrar's leave the domain working during this time but some take it down. Then it goes into a "redemption period" for anywhere between 25 - 60 days. In the redemption period the registry tacks on a fee that is somewhere between $60 - $200 so the extra fee gets kicked up the chain.
Wasn't Op complaining about Google DNS, not Namecheap? I've never had any notification issues with Namecheap after almost a decade of them managing most of my domains. If anything they over-communicate about expirations and auto-renewals. Auto-renew works well and even after an expiration it's usually easy and fast to get your domain back up.
I've used name.com for years and thankfully haven't had any of these issues.
Still domains are so cheap and these horror stories are so common that I realize this can happen with any registrar. There isn't enough publicity over issues like this for people to leave en-mass, so financially I can see this happening. I know one small registrar company and it's like 10 people and they write everything in Perl and run everything in Docker.
Fun thing about name.com. I suggested it to my girlfriend and it turns out they don't require e-mail validation. She mis-typed her e-mail address when she registered, and now she can't get into her account. Forgot password doesn't work because it tries to e-mail an address that doesn't exist. She tried to contact them several times but I don't think the support staff understood the situation.
If you have to engineer a solution due to problems caused by the failures of those you depended on to deliver the expected level of service then the entire solution is over-engineered.
Over-engineering is when you make something to be more robust than is necessary for it to work successfully. Evidently depending on the registrar actually failed here (just as it has for many in the past), and this will surely happen again in the future. I don't see how making your system robust to failures that actually come up is over-engineering. It sounds more like just plain old engineering. (And I honestly also fail to see what is productive about pressing on with this conversation.)
I use Google services for all my domain-connected stuff via Gsuite; that includes Hangouts, Google Drive, Gmail, Google Docs, Google Contacts. On a whim I decided to transfer in the domain. I also use Google Domains, now, to register domains for no specific reason.
There are no features or perks that I know of that compelled me to choose one registrar over the other. It was just a random act.
While they did cut it close for looking at renewal status, based on the following quote from the article, I can infer that the domain was set to auto-renew:
> I knew our domain should be renewed about these dates, and we were already billed for this renewal.
Never heard of domain.com. If anyone wants a recommendation I use namecheap and have never had a problem. They are supporters of the EFF and Net Neutrality.
Edit: If you are going to downvote, state why. Namecheap is a good service for a good price and supports Internet freedom. When even GoDaddy was supporting SOPA Namecheap took a stand against SOPA.
Namecheap online support is seriously kick-butt great. Only complaint is that they don't support Letsencrypt certificates with their web hosting plans.
I use Namecheap and I generally like them. However I was having a repeat issue for several months using them for DNS with DNSSEC enabled. Basically, validation would fail because they'd let their records expire and "forget" to resign them. I'd notice my domains failing to resolve, and had to manually create a new record and delete it to force all my records to be resigned. Support seemed clueless, and I stumbled across this workaround by accident.
I opened multiple support tickets with them, and each time the issue would re-appear in 1-3 months. Went on for probably a year or so and I was just about to move to a different DNS provider when it stopped happening.
I use domain.com and had TONS of problem. I've never had any problem when buying from anything that is not domain.com (even if i had any, it wasn't as fucked up as domain.com's issues)
My complaint is Namecheap bundles useless junk services with the domain for free the first year even though I never asked for them. Then come the second year, they charge you for it without sending any notifications about renewing those services as well. I have had this happen to me and it is really annoying since I had to argue with their support for a few days to get a refund
I had some fun with NameCheap and the xyz tlds.
Turns out, CentralNic (who actually runs the zones) was not doing proper validation on the glue records, and not removing old ones. NameCheap was sending CentralNic cached records, and managed to foobar my domain glues.
I bypassed NameCheap, because I knew they weren't the ones actually maintaining the records (registrars are just middle-men.) Using the DNS contact in the SOA, I got a response within 12 hours, and it was fully resolved within 24 hours (minus propagation.)
CentralNic contacted NameCheap, as did I, and they got their system fixed within the week.
Back in the late 90's before it was Verisign (I can't recall the name), my domain registration could only be changed with an email from my domain. Of course I didn't have my domain up since I switched ISP and had to move my DNS and mail server. Catch 22; what a cluster fuck. Weeks of phone calls with no resolutions.
I was going to Virginia anyway, so I physically showed up at Verisign (I wanted to bring a baseball bat), and explained it to the lady at the front desk. She came back with an engineer who fixed it in 5 minutes.
As a side note, had to do something similar with Garmin. They kept sending me GPS units with horizontal LCD polarization, when vertical is the standard for sun glasses. Showed up and told the clerk to put on my sunglasses and turn her head sideways to her LCD monitor. "Oh yeah, I see". She fetched an engineer, and 1 week later had a GPS with correct polarization.
Sometimes it takes a physical presence; baseball bat optional.
> before it was Verisign (I can't recall the name)
NetworkSolutions.com
> so I physically showed up at Verisign (I wanted to bring a baseball bat)
Did you think to write a simple postal letter to them (say a VP or the CEO) rather than get angry enough to show up with a bat? Or send Fedex? Sure you shouldn't have to do that but from a practical angle it may have paid to do that.
If you hold up two polarized sheets and rotate them, they'll get progressively darker until no light passes through when they are perpendicularly aligned. YouTube should have some videos, it was a pretty entertaining physics lab experiment.
Also more generally, once upon a time a GPS (Formally GPS Receiver) was a device the size of say, a multimeter, with a big battery pack, a simple monochrome unlit LCD panel display, and a radio (later, more expensive units had several radios). The device is doing fancy mathematics, and just receiving GPS signals, even the metadata about where to look for GPS satellites in the sky is available, very slowly, over GPS. It has no other source of data.
So you'd buy one or turn it on after uncrating it in a foreign country, and it'd literally spend ten or fifteen minutes calibrating, figuring out what the time is, what satellites are on what frequencies and which are above the horizon before it could at last discern your position. This was amazing if you genuinely didn't know where you were e.g. "Hmm, a desert". But you'd never have used one to go shopping - it took far too long.
Today your phone has a GPS with lots of radios (so it can listen to every satellite at the same time) it always knows the rough time,and it uses the Internet to get public shared data rather than wait to receive it slowly from GPS.
I used a free domain coupon from domain.com a few years ago, and was spammed with both snail mail and robocalls (advertising services for the domain) for months afterwards. I don't know whether they're selling customer data or what, but it left me with a very negative image of their company.
> I don't know whether they're selling customer data or what, but it left me with a very negative image of their company.
Whois is public and has always been as required by ICANN. If you don't understand how things work then be fair and don't blame what you think is the obvious cause or reason. There are valid reasons for whois being public and all registrars have this in their agreement and it is widely known.
Don't use *.io anyway. The domains are being sold under a very morally dubious arrangement, given the UK kicked all the people off the island of Chagos and gave the domain registration to a private entity.
Uhm, wait, did you just recommend Google with their automated support? Or does Google Domains have better support since you're paying? I'm genuinely curious about that.
While Google's registrar seems ok right now, Google's support is nonexistent when things go wrong. Literally every bit of their support is outsourced to 3rd-party companies that provide no path of escalation.
Even the really bad registrars (and there are a ton) usually have some direct support (or resell off enom, which will extort your money for the privilege of bailing you out).
That's the point. Domains causes no problems. Only in some weird scenarios, things can become troublesome. In those cases you need a support. In others you don't.
If you have a domain registrar with a good support, account the premium you pay as such: a premium for an insurance when things go bad.
I recommend using easydns.com as the registrar and DNS service. Their email helpdesk is fast: <30 minutes. They answer the phone immediately and they are knowledgeable. Phone support is during business hours, but the more expensive packages have 24hour support.
And yeah, you need to have a lot of faith to use .io or other new TLDs which are serviced by new companies.
Okay, anyone want to confirm or add other DNS registrars to the "One of the good ones" list?
Ive been recommending my friends to do the entire thing through Dreamhost including a WP install.
I personally am more technical, and have my domain name from 7 years ago on godaddy. Any suggestions on where I should use? How about my incompetent friends?
They say that the "DNS PRO" offer has 5 million queries/month. Is that a lot? Do they enforce the limit? That's 7000/requests/hour (or 115/minute or 2/second). That's not PRO in my books.
DNS results typically get cached for at least a few minutes, and most users use ISP or public DNS servers (eg, Google, CloudFlare, etc) which only do the lookup once for many users, so your authoritative DNS server will see only a fraction of the number of web requests you actually handle. I'd guess for most sites this is probably below 1% in terms of requests per second.
I generally avoid metered services where cheap unmetered alternatives are available.
First of all, 5 million DNS requests sounds like very little. It probably isn't due to caching, but it's hard for me to judge what I need/whether that's enough.
Second, what happens when someone who doesn't like me decides to make 5 million DNS requests? 5 million packets sounds like something a decent connection might be able to fire out in a few seconds. If I pick their highest plan, will a person that has a grudge and a fast link capable of IP spoofing cost me $2/second (theoretically $5M/month, although I'm sure they'd show some mercy at that point)?
Something that scares me regarding domain names is their variable cost. I purchased a .sexy domain for a joke website and its price got raised by +70% less than one year after that, making the joke a lot less appealing. There’s no guarantee that when you purchase a domain name it reasonably stays around that price for years.
Build a business on a domain -> the name increase by XX% -> you’re screwed and must pay.
.sexy is about 60-100$ per year. If you've build a business on it, paying double the amount should not hurt.
For me the most important thing about this new gTLDs is more about reputation of the gTLD registry. What if these go out of service? I'm pretty sure that there exist a protocol for that case, but I'm also sure that domains in a less popular new gTLD space might get far less protection from ICANN than any non-sponsored gTLD.
> sexy is about 60-100$ per year. If you've build a business on it, paying double the amount should not hurt
I feel the issue is the lack of transparency and control. Who is to say some registrar won't start charging people per visit or % revenue in the future?
Sure, I hear you. If it's a registrar, it's okay, simply change it.
For a registry, I believe that they would risk their mass market business cases, but I'm also very sceptical about those ngTLDs for that reason.
ccTLDs can have similar issues to the new gTLDs - the administration of those is contracted out by ICANN too, usually to a State level body of some kind. The quality of these varies hugely as well. This is also why countries with desirable ccTLDs like .tv (Tuvalu) abuse their position by charging more for their TLD.
.io as used in this example was a ccTLD, and this issue was directly caused by its mismanagement.
I recall UnitedDomains (German provider) who wanted me in 2016 to fax the request to update the contact information. Fax it.
Times are mature for the equivalent of Letsencrypt for registering domains, something like Letsregistrar.
We need to have this inefficient industry wiped away since it's really too much manual and too much in the way.
If somebody wants to found a noprofit to create a free registrar, I'm 100% in.
United Domains rely on manual things very for a large part of domain related service processes which are "uncommon" for a private or small domain owner.
> If somebody wants to found a noprofit to create a free registrar, I'm 100% in.
For the German market I remember the good old times with InternetX before they were bought by United Internet. Had some good talks with their tech support back then.
A "free" registrar is maybe not the right solution. The key is "care" for your domain. Take your example of "letsencrypt". They exist because they automate everything. They don't "care" if your certificate causes troubles, they'd just fix their API. With domain registrars the story is different: You need a good support to prevent fraud, you need a good contact to registries if something goes wrong. Key learning here is: In 99% of the cases with domains, everything is fine. But if you find yourself in the 1% where trouble occurs, you need immediate support of competent people. Not sure if this is a case for a "community" or "free" registrar. More a business case for MarkMonitor without the Brand Protection: Simply a domain registrar who cares.
I always wonder how people care about "good prices" if they choose a registrar. Quite often the domain name is the most valuable asset of your company. As long as you are not a domain squatter you shouldn't care about if you pay $10 or $1000 per year. And if possible register the name for the next 10 years in advance.
I agree, but not all domains are fully fledged corporate entities - some of us just throw together fun things randomly and for that it's nice to have an $0.88 TLD.
nearlyfreespeech.net provide great service, notifications and overall highly recommended. been customer with several domains transferred or registered with them over the past tears
I transferred two domains from Ghandi to Lunarpages over a decade ago. Somehow, Ghandi's anonymization service was still enabled, and as a result, my domains were blocked a few months ago.
Took about a week for Lunarpages to straighten out.
(BTW, the spam calls started immediately after Lunarpages fixed the problem. It's a great thing that the EU finally twisted ICANN's arm over this issue.)
I recall a time when a company I had association with lost their main domains due to a failed renewal. In this case it was a long-term employee who left the company that had loads of company bills going to his card. He cancelled the card sometime after he left and the domains were not renewed. I’m not sure where the renewal failure emails were going but probably some unmonitored admin email box.
These were very important domains. Without them, this $1 billion+ company immediately lost all of its ability to generate revenue. It was quite shocking.
The problem was discovered when users started getting the registrar’s landing pages rather than the company website pages. It was fixed relatively quickly once identified but do to DNS propagation took about 48 hours for complete resolution. During the window unrecoverable revenue well into the hundreds of thousands was lost.
It seems to me that a domain renewal is always a risk, even with a highly reliable registrar. A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years). Even then you have a weak spot because your credit card will be expired by then so you should back that up with a calendar reminder a few months prior to renewal to make sure everything is set.
Personally, I'd rather have a corporate domain be renewed once per year and have a defined process for it (e.g. literally have a binder somewhere listing all the details, and put reviewing it on a checklist of other yearly legal and financial tasks) than have it be forgotten about for 10 years at a time.
I've set it up before to have 10y which is the max, and renew for 1 year every year. So the domain always has a lead time of 9-10 years but it is still renewed once a year for practice. for most domains thats like 100 bucks to lock it down for 10 years. You can also monitor the domain expiry in your monitoring system i.e. nagios or whatever you are using.
The problem with relying on auto-renew is that, sooner or later, your credit card will expire (or the employee who was in charge of the domain will be gone) and the renewal will fail. The account needs maintenance one way or another.
> A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years)
This is an interesting take. I prefer the opposite approach: choose the shortest possible registration window (1 year), and have a very clearly defined, properly-documented renewal process that multiple people at the company understand. It's unlikely that all of those people leave the company in a 1-year window, so the knowledge gets passed on reliably.
If a renewal happens only once every 10 years, then it seems very likely that the person responsible for it has moved on, knowledge around the process is lost, and at best the documentation is very out-of-date (but more likely it's missing).
My process is to have a shared calendar for these high-risk renewals. Top company officers should be on this calendar (CEO, CTO, and some engineering VPs). The calendar contains recurring events for domain and SSL cert renewals. These calendar events are set up for about 1-month before the actual renewal, and fire reminder emails at several intervals beforehand (in case people are away or on PTO).
We had this same argument about certificate expiration on a code signing project I worked on.
I maintained that having to remember to renew a cert every September was more likely to stick with someone than 18 months or two years. It also keeps your blacklist smaller because dead ones age off faster.
I don’t recall how it ended up but we added automated reminders every 30 days starting three months before expiry.
10 years sounds a bit inflexible for me. Things can get a little weird if you switch registrars but you have more than 9 years left on your domain so you can't get a full additional year.
I do try to maintain a margin of at least 3 years on important personal and business domains, though.
Less than 37 months left = immediate attention required.
I personally found a period of 1-2 year to be the absolute worst. On the next cycle the man is gone because it's past the average tenure. The emails about it were lost or auto deleted. Any documentation or process is useless because the company or the supplier has changed.
To have a process be remembered, make it monthly or quarterly.
Not necessarily, most registrars will let you renew for a full year or more at any time. Buy both on the same day, set a reminder or open a ticket to renew only one domain in 3/6 mo.
Also, get a registrar with an API and use a script to figure out how long a domain is valid. Alarm through your monitoring system when you hit the too close for comfort time frame.
You can scrape whois as well but that seems fragile.
The monthly process isn't necessarily to renew domains - it is to assess the situation to see if there are any that need renewing soon. Many months nothing will need doing, a couple of months per year something will need action.
Even as a small company we have a number of regular infrastructure reviews. Most of the time we just go through the review, find nothing has changed unexpectedly and no new ideas need bringing to the table, we sign off to say all looks well, and the prices takes very little time. Some of this is automated: scripts collate and report information for signoff and we humans verify the result and take actions as needed (in some cases the action needed is to update the script(s)). This may seem wasteful, but a couple of people spending a couple of hours total per month on such checks can save some nasty surprises in future.
Domain status checks is one of the things that gets reviewed.
This is why it's important to use job scheduler software, admined by a NOC, to generate your own internal reminder emails set for a specific date and time in the future. The process of renewing a domain or buying anything that requires renewal should include a step to create the future reminder job.
This is vastly more powerful than you need to simply call a shell script which generates SMTP email to your noc@companyname.com address, but can serve the purpose:
You can use this for all sorts of things like maintenance notifications, automated emails to a facilities group on N schedule to change air conditioning filters, whatever needs to occur on a specific recurring time schedule.
It's also important that these notifications are sent to an address that is permanently assigned to a role, e.g. noc@company.com, rather than to any particular person, e.g. steve@company.com. Steve might not be there the next time those domains come up for renewal.
The same rule applies to any email address that you use to purchase and renew domains and other critical services. If renewal emails are being sent to someone who doesn't work there anymore, something is very wrong.
Why not renew for ten years, then every year extend it by one more year. Best of both worlds and if something screws up, you have 9 more years to fix it.
No, for SSL certificates there's value in having a short expiry. For example if the private keys leak. There's no value in having a domain name (that you want to keep) expire.
The value is in forcing you to keep it in mind. You don’t forget about things you have to do every 3 months as easily as something you have to do every 10 years.
While this statistically might be true, I believe that this is completely dependent on one's personality. Having extra chances to remedy a trouble (which, as can be seen from the article, may occur due to reasons completely out of hand) has notable benefits, such as eliminating such prolonged downtimes.
It is like having replacement toothpaste ready for your bathroom. It is such a nuisance to go out and buy it on the day it runs out, and more likely to have a day without if you do not keep replacements ready.
Good luck proving I have any connection to the company in the foreign country sending you the invoice.
Also, if payment isn’t received within 30 days you can expect to see the domain forwarded to a “for sale” page.
And given how fast the legal system moves especially across international borders, you will lose hundreds of millions in revenue before getting any kind of verdict, possibly even go bankrupt.
Yeah, corporate attorneys and the legal system at large have never dealt with extortionists with your creativity before. I mean, doing it anonymously AND with a ticking time bomb element, only a true master villain could have thought of such a brilliant scheme!
Could you do an AMA once you get out of jail? I'd love to see how this all turns out for you. You seem to be the kind of person who just makes fantastic life decisions.
Do check with a criminal attorney before doing any such thing.
“It’s a nice domain you have here, be a shame if something happened to it” sounds cool in the movies, but in the real life it may be treated as extortion and land one in jail.
Domain name dispute resolution policies would find in the company's favor pretty much immediately (due to their trademark rights, and your registration with bad-faith intent), so they'd get it back reasonably quickly one way or the other. :P
I know everyone thinks police are going to investigate and that I’m definitely going to prison, but the sad reality is they probably won’t and I’d probably never see a jail cell. They might look into it, maybe even setup a sting operation, but then in the end nothing might come of it anyway.
Trust me, I know of a ex-cofounder in a previous who company who took off and disappeared with $175k from the company bank account, and despite our best efforts at getting justice or the money back, no one really gave a fuck, and there wasn’t much we could do unless we wanted to get into very expensive legal battles using money we didn’t have, against a person that was hard to get a hold of and with no guarantee of getting our money back, at least anytime soon (years). It was much more practical to just cut the losses and move on, making sure we could do everything to prevent it from happening again by someone else.
And the truth is this is how it is for a lot of things, the successful cases you hear of are really just a small percent of the crimes. Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end. Most people eventually give up. Unless you’re killing people or running drugs, there’s a lot of criminal arbitrage you can get away with due to how slow and how apathetic the law is.
Though I sometimes do think about the price I would have to pay if there was a reckoning.
The Chickenshit Club (that is, federal prosecutors in the last ten years) means that big company management can get away with white collar crime, paying other peoples’ money to make charges go away.[1]
Workers or little people at big companies are still subject to prosecution for white collar crime. And apparently since criminal prosecutions are time consuming DOJ has decided to deprioritize them, so if you commit white collar crime for small dollar amounts you’re also likely to get away with it.
Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end.
You're not making any sense. You started this entire thread by talking about how you'd hold this $billion+ company's domain ransom for tens of thousands of dollars per year, so your sad tale of woe about how you couldn't afford an attorney to chase down an embezzler is irrelevant.
To be fair, unless you're a big company I'm pretty confident this could work. I don't know what police entity I'd have to turn to here in Belgium to complain about someone in the US running off with my startup's domain name. You'd need serious lawyers to go after this.
>> registering them for as long as possible
To clarify, you can register them for 100 years, not 10 years. Network Solutions offers the 100 year renewal.
While 100 years or even 10 isn't for everyone, I do still agree: register them for as long as feasible.
This is why -generally- there is a period after the domain expires in which it is locked and cannot be purchased by anyone other than the previous owner. Just in case someone tries to squat. There are a few registrars that do this. I've seen it (squatting) happen more to small businesses, because even if their site it showing the landing page they might not notice it until a month later and by then it has been released and squatted. Bigger companies with lots of traffic would usually get a notice from a customer or internal employee that the site is down. This is my experience at least.
Probably late to this party but at my employer we have a contract with MarkMonitor under which domains are auto-renewed and then we are invoiced for the cost.
The advantage of this is that domain renewals are not broken by payment problems. Payment problems produce a failure state of "domain got renewed, the vendor is harassing us about an invoice"--which is much preferred to "domain did NOT get renewed, our site is down until we update our credit card." It also helps mitigate the "crucial employee departed" problem, since MarkMonitor won't just give up on an unpaid invoice... they will escalate if they don't get paid.
Of course as a matter of practice we always have multiple people with access to the dashboard, but if all those people got kidnapped at once, the domains would still renew.
I recognize that MarkMonitor is more expensive than Namecheap or GoDaddy or whoever, but I also bet that a lot of successful companies that are super reliant on their domains have never called for pricing. I don't work for a mega-corp; we're a nonprofit. And who knows, maybe other registrars may be willing to offer a similar payment structure.
(I'm not affiliated with MM in any way--just a happy customer.)
I had a related issue where a previous registrar — who we had moved away from months before — managed to accidentally "claw back" and disable our domain due to a misconfigured billing script. The fragility of the whole ecosystem is pretty scary.
282 comments
[ 1.5 ms ] story [ 150 ms ] thread> Who uses [any technology/infrastructure choice] on production?!
A lot of people. That's always the answer.
1: https://thehackerblog.com/the-io-error-taking-control-of-all...
Yeah, it may cost more, but this story just illustrates that you're staking your entire company on a $15/yr service, and you get what you pay for.
Even if you want to run your marketing/landing page/etc off a .io or other fancy tld, run your production stuff off a .com or country-level equivalent so your customers aren't left in the lurch if something like this happens.
- edit - punctuation
It is a much harder balancing act for a startup, finding a domain register who is reputable and responsive but not "overly" expensive. Even if your entire business relies on it, $1K+/year just may not be in the cards even knowing the risks.
I haven't used it but Google Domains claims they have telephone support and are reasonably priced. Might be worth people checking out, their Gsuite support has been pretty good.
Haven't needed to call them in the past 18 mos. or so, however, and these things can change.
I have gripes about aspects of gsuite itself, in particular how they've removed a few features that I used from the $5/user/mo tier. Had to move to $10 tier to keep email content filtering (ability to use regex to prevent accidental SSN or CC inclusion). The filtering setup is much easier to use now, but the old system worked well enough.
I've been a reseller for most of the decade and I can honestly say in all the times we've called, we have never had a single issue corrected by support. We usually end up having to find workarounds for bugs. The last time was an autosuspension our panel(s - there are two versions now) would not let us un-suspend the client. This left him without email for a week, while support would only respond during the early AM hours, and would repeatedly ask us to prove identity, even though we were registered resellers with admin panel access.
In all the years of working with different vendors, I honestly cannot think of a single one with a 0% success rate in their support.
My favorite O365 support story is where first level support dicked around so long with a missing mailbox that by the time they escalated the ticket, their backup had been overwritten. Luckily it was a user’s archive mailbox and we still had their source PSTs, so not a lot was lost.
I haven't had too much experience with their service support, but their app support seemed decent. I was having an issue with S/MIME signatures not being parsed properly on Outlook iOS. Support chat seemed competent and knew what was happening (no support for S/MIME signatures yet).
My go-to example of their customer service philosophy: A number of years ago, there was some problem in the electric grid that resulted in power outages over most of the Eastern US and Canada. In response to just their customer service being unavailable for 1 hr during the much longer outage (their production services were unaffected), they offered me a partial refund without me even knowing what had happened. I didn't take it.
Usual disclaimer: Not affiliated with them in any way other than as a satisfied customer for more than a decade.
You can still mitigate the risk though. Use multiple domains in all marketing materials from different tlds and different registrars. Use regional domains. Have alternative ways to communicate with your customers. It's all very basic stuff. Merely thinking about it gets you far. Most people don't even think about it and blindly rely on centralized services: domain registrars, dns providers, cdn providers, single hosting/cloud provider, etc.
Forward mycompanyname@gmail.com to info@mycompanyname.com and give it out in the emergency support info for support contracts Add it to your status page as needed, (which should be running on someone else's service or mycompanynamestaus.com).
Customers that really need your service, like the ones who pay, will check the status page and can update the endpoint as needed.
Make sure your sip lines don't point to mycompanyname.com.
If you publish a client side app, use 2 domain names as endpoints, mycompanyname.com and mycompanyname.io. Have the app or service check for and fail over if one doesn't work.
Make sure paging and technician notification is handled by a system that won't be affected by this. (nothing more amazing then getting 200 pages AFTER you've spent 2 days recovering a total failure of a system. You just want to go to sleep but you have to wait for the email queue to drain since you can't turn your pager off.)
Either way, use 2 domain names, and set them to expire at 6 MO intervals. Buy the domain for 2 years (or more) and renew every year so you always have 1-2 year lead time to sort out issues.
The list above would probably cost about $200/year and a few extra hours but it keeps you from getting backed into a corner. Everything else in our infrastructures has fail overs, and limited blast radius for failures.
We tend to us domain registration as a single point of failure and one one even things about it.
Airbnb has .com, .de, .co.uk, etc.
If they have some disaster with one, they just lose 1 country instead of the planet.
If there's a problem with .de, some users will be intelligent enough to try .com
And if you lose a ccTLD in a major country, you can focus your legal efforts in one legal jurisdiction.
Also, if the call customer service and you validate it, then they are only offline for a couple hours not days. Also, you should have a status page or twitter or something out of band that you tell people about the day they sign up. You can update there.
EVERY production service with customers needs an out of band way to update. And you have to build and announce that before you need it.
https://fightthefuture.org/article/the-new-era-of-corporate-...
The Internet isn't as free as people think it is. Things still need to be hosts and those providers could simply chose to stop hosting you.
Don't depend critically on companies risking political alignment with you, if what you do has any significant risk due to political association.
>A store cannot have blacks only and whites only bathrooms or water fountains.
It's amazing how someone can unironically defend the plight of a website that they admit produces "highly controversial hate speech" by comparing it indirectly to none other than racial segregation.
Frankly though, this is blown way out of proportion. Plenty of people will do business with them. The Daily Stormer is just the ultimate martyr. They have mastered the art of doing one thing and saying another. They absolutely incite violence and hate, but they're careful to also simultaneously distance themselves from it and play the victim when they wonder why no big company really wants to do business with them. There's a reason why 4chan never really had this issue despite similarly controversial content and the answer isn't just "politics."
No, in my opinion, the real problem is that The Daily Stormer as an entity, is an Asshole. And just like they would in real life, they're being kicked out. Nobody has really made a compelling case otherwise, everyone seems more concerned that big companies actually made a non-nuetral decision (something I wish they'd do more often in the era of fake news and large scale abuse, an era they facilitated...)
I see no slippery slope here. There's a balance to be had.
DO NOT USE web.com or register.com, they're fucking terrible.
In the last 5-10 years the issues started growing. Finally, I hit a wall and transferred everything off their service.
I now get spam emails of them trying to trick me into switching my domains back. The vitriol their helpdesk people receive is about as shitty as I get. Maybe they don't deserve it in their role, but hopefully the angry emails will get them to find a better job asap.
In this case technically they did run from a country-level equivalent, .io is a ccTLD.
https://en.wikipedia.org/wiki/.io
Granted no one ever appears to use .io for it's original purpose as the ccTLD for the British Indian Ocean Territory...
ccTLD management is delegated to a company in that nation usually. Unfortunately not all of them are equally well managed - I wouldn't consider gTLDs _exactly_ comparable to ccTLDs in this regard. ccTLDs get to differ in pretty key ways from gTLDs, including deciding their own dispute resolution processes (gTLDs all use the UDRP).
Complicated to apply to a website, but it gives some thoughts.
Is this a common problem in .io?
Who's a good registrar that will contact me first if they get an abuse report?
If the user is going to be able to design + style the pages any way they want, having something in the URL to indicate it's still user content is important.
https://zeit.co/now
> How is abuse reported? Can I be made aware of reports of abuse before the domain is suspended?
And support responded:
> Abuse reports can be submitted to our Abuse Team via email using registrar-abuse@google.com where reports are analyzed and investigated further. Warnings are not given out, however, unless the reporter also reached out to the registrant of the domain in question. If a domain has been found to be in violation of our terms of service, the necessary actions are taken.
I contacted Google as soon as I noticed and hey have been alright to deal with. Fortunately I am a Gsuite customer. I had to pay a fee to renew and another fee to restore, which was over $100. It’s been in “restoration” mode, ie offline, for days now and I am unable to even touch the DNS records until it’s back. I’ve already lost a week of uptime with zero recourse. FWIW I use a .co domain, and my site was throwing (for 24hrs or so) a splash page saying the domain was suspended.
Eagerly awaiting for it to come back but I’m totally in the dark as to timing.
I just transferred some .com domains to Google from Name.com, I hope these expiry problems are limited to non- .com TLDs...
(Google Domains gives you free whois privacy, but they use that contact for notifications)
It really was a massive headache. I have no idea how long it would have taken me to notice (site is my authoritative presence on the web, but is a static personal page — no marketing or sales) and my email is a light trickle of messages by design: bills, bank statements, close personal relationships. Fortunately my brother told me his wedding invite bounced a day after going offline so I could follow up relatively quickly.
I filed a ticket with Google and got first line support within an hour. They confirmed it was still in Googles system. Then I was assigned a Senior Specialist who called me on Monday to confirm ownership. It is now Wednesday and my DNS records are still inaccessible.
If I were you I would definitely set an independent annual reminder to check your domain status, just in case.
Your not the only person whose had issues recently with Namecheap not sending renewal emails.
I've since added a monthly calendar reminder to log in to all registrars and verify all services are still enabled and correctly configured with plenty of time left.
If you have autorenew set, it first tries to draw against any existing positive balance you have directly with Namecheap. If/when that doesn't work, it then next tries your preferred payment method (e.g. your registered and designated preferred credit card).
I was told if I found a way to clear my couple of buck balance with Namecheap, I'd no longer get the warning email. The first attempt would be against my credit card, which would work, and I'd just get one success email (after preceding "upcoming" emails and all that).
I don't know whether this is correct. It's what I was told by support over chat, IIRC.
About a day before they're completely unavailable for renewal, I'll also get an email from CloudFlare saying the nameservers aren't pointing to CF anymore (I use CF for active and parked domains.)
That is standard behaviour for a domain-registrar, when a domain expires. When a domain expires the previous owner can re-register it during the grace period, after that for an extra fee it can be renewed in the redemption-period.
Finally just before a domain is available for re-registration by an unrelated party it will land in the pending-delete state.
Registrar: Who you registered the domain with
Registry: The company that owns the tld
Still domains are so cheap and these horror stories are so common that I realize this can happen with any registrar. There isn't enough publicity over issues like this for people to leave en-mass, so financially I can see this happening. I know one small registrar company and it's like 10 people and they write everything in Perl and run everything in Docker.
Fun thing about name.com. I suggested it to my girlfriend and it turns out they don't require e-mail validation. She mis-typed her e-mail address when she registered, and now she can't get into her account. Forgot password doesn't work because it tries to e-mail an address that doesn't exist. She tried to contact them several times but I don't think the support staff understood the situation.
There are lots of places where we may want redundancy to redund at us.
The registrar may see it as an opportunity to sell you another year of service but it is not their job.
There are no features or perks that I know of that compelled me to choose one registrar over the other. It was just a random act.
still, some blame falls in their shoulders, cutting it so close.
anyway: use mark monitor. don’t know if they do .io though.
> I knew our domain should be renewed about these dates, and we were already billed for this renewal.
Edit: If you are going to downvote, state why. Namecheap is a good service for a good price and supports Internet freedom. When even GoDaddy was supporting SOPA Namecheap took a stand against SOPA.
Screwed up the glue on the main domain in use for email, and after a week they still hadn’t resolved it. I fixed it by moving elsewhere.
Edit: the lesson I learned from this was - don’t use a bargain basement company for one of your company’s most important assets.
I opened multiple support tickets with them, and each time the issue would re-appear in 1-3 months. Went on for probably a year or so and I was just about to move to a different DNS provider when it stopped happening.
I bypassed NameCheap, because I knew they weren't the ones actually maintaining the records (registrars are just middle-men.) Using the DNS contact in the SOA, I got a response within 12 hours, and it was fully resolved within 24 hours (minus propagation.)
CentralNic contacted NameCheap, as did I, and they got their system fixed within the week.
--Edit--
CentralNic, not Nic. The roots were to nic.xyz.
I was going to Virginia anyway, so I physically showed up at Verisign (I wanted to bring a baseball bat), and explained it to the lady at the front desk. She came back with an engineer who fixed it in 5 minutes.
As a side note, had to do something similar with Garmin. They kept sending me GPS units with horizontal LCD polarization, when vertical is the standard for sun glasses. Showed up and told the clerk to put on my sunglasses and turn her head sideways to her LCD monitor. "Oh yeah, I see". She fetched an engineer, and 1 week later had a GPS with correct polarization.
Sometimes it takes a physical presence; baseball bat optional.
NetworkSolutions.com
> so I physically showed up at Verisign (I wanted to bring a baseball bat)
Did you think to write a simple postal letter to them (say a VP or the CEO) rather than get angry enough to show up with a bat? Or send Fedex? Sure you shouldn't have to do that but from a practical angle it may have paid to do that.
So you'd buy one or turn it on after uncrating it in a foreign country, and it'd literally spend ten or fifteen minutes calibrating, figuring out what the time is, what satellites are on what frequencies and which are above the horizon before it could at last discern your position. This was amazing if you genuinely didn't know where you were e.g. "Hmm, a desert". But you'd never have used one to go shopping - it took far too long.
Today your phone has a GPS with lots of radios (so it can listen to every satellite at the same time) it always knows the rough time,and it uses the Internet to get public shared data rather than wait to receive it slowly from GPS.
Whois is public and has always been as required by ICANN. If you don't understand how things work then be fair and don't blame what you think is the obvious cause or reason. There are valid reasons for whois being public and all registrars have this in their agreement and it is widely known.
https://gigaom.com/2014/06/30/the-dark-side-of-io-how-the-u-...
The UK government's view of the Chagossians at the time they gave the island to the USA for a military base was apalling:
“Unfortunately along with the birds go some few Tarzans or Man Fridays whose origins are obscure and who are hopefully being wished on to Mauritius.”
(We also use Dynadot [good], Hexonet [good], Uniregistry [... okay].)
While Google's registrar seems ok right now, Google's support is nonexistent when things go wrong. Literally every bit of their support is outsourced to 3rd-party companies that provide no path of escalation.
Even the really bad registrars (and there are a ton) usually have some direct support (or resell off enom, which will extort your money for the privilege of bailing you out).
If you have a domain registrar with a good support, account the premium you pay as such: a premium for an insurance when things go bad.
And yeah, you need to have a lot of faith to use .io or other new TLDs which are serviced by new companies.
Ive been recommending my friends to do the entire thing through Dreamhost including a WP install.
I personally am more technical, and have my domain name from 7 years ago on godaddy. Any suggestions on where I should use? How about my incompetent friends?
I'm curios so I went to check.
They say that the "DNS PRO" offer has 5 million queries/month. Is that a lot? Do they enforce the limit? That's 7000/requests/hour (or 115/minute or 2/second). That's not PRO in my books.
First of all, 5 million DNS requests sounds like very little. It probably isn't due to caching, but it's hard for me to judge what I need/whether that's enough.
Second, what happens when someone who doesn't like me decides to make 5 million DNS requests? 5 million packets sounds like something a decent connection might be able to fire out in a few seconds. If I pick their highest plan, will a person that has a grudge and a fast link capable of IP spoofing cost me $2/second (theoretically $5M/month, although I'm sure they'd show some mercy at that point)?
Build a business on a domain -> the name increase by XX% -> you’re screwed and must pay.
.sexy is about 60-100$ per year. If you've build a business on it, paying double the amount should not hurt.
For me the most important thing about this new gTLDs is more about reputation of the gTLD registry. What if these go out of service? I'm pretty sure that there exist a protocol for that case, but I'm also sure that domains in a less popular new gTLD space might get far less protection from ICANN than any non-sponsored gTLD.
I feel the issue is the lack of transparency and control. Who is to say some registrar won't start charging people per visit or % revenue in the future?
Stick with tried and true domains - ideally .com, but your country's ccTLD is another good choice.
.io as used in this example was a ccTLD, and this issue was directly caused by its mismanagement.
Times are mature for the equivalent of Letsencrypt for registering domains, something like Letsregistrar. We need to have this inefficient industry wiped away since it's really too much manual and too much in the way.
If somebody wants to found a noprofit to create a free registrar, I'm 100% in.
I had a similar experience with an Austrian registrar a few years ago. Must be a regional thing, since Austria is Germany's Canada.
United Domains rely on manual things very for a large part of domain related service processes which are "uncommon" for a private or small domain owner.
> If somebody wants to found a noprofit to create a free registrar, I'm 100% in.
For the German market I remember the good old times with InternetX before they were bought by United Internet. Had some good talks with their tech support back then.
A "free" registrar is maybe not the right solution. The key is "care" for your domain. Take your example of "letsencrypt". They exist because they automate everything. They don't "care" if your certificate causes troubles, they'd just fix their API. With domain registrars the story is different: You need a good support to prevent fraud, you need a good contact to registries if something goes wrong. Key learning here is: In 99% of the cases with domains, everything is fine. But if you find yourself in the 1% where trouble occurs, you need immediate support of competent people. Not sure if this is a case for a "community" or "free" registrar. More a business case for MarkMonitor without the Brand Protection: Simply a domain registrar who cares.
https://faq.nearlyfreespeech.net/section/domainregistration/...
Took about a week for Lunarpages to straighten out.
(BTW, the spam calls started immediately after Lunarpages fixed the problem. It's a great thing that the EU finally twisted ICANN's arm over this issue.)
These were very important domains. Without them, this $1 billion+ company immediately lost all of its ability to generate revenue. It was quite shocking.
The problem was discovered when users started getting the registrar’s landing pages rather than the company website pages. It was fixed relatively quickly once identified but do to DNS propagation took about 48 hours for complete resolution. During the window unrecoverable revenue well into the hundreds of thousands was lost.
It seems to me that a domain renewal is always a risk, even with a highly reliable registrar. A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years). Even then you have a weak spot because your credit card will be expired by then so you should back that up with a calendar reminder a few months prior to renewal to make sure everything is set.
That said, with Gandi, you can just set it to auto-renew, which works pretty well.
This is an interesting take. I prefer the opposite approach: choose the shortest possible registration window (1 year), and have a very clearly defined, properly-documented renewal process that multiple people at the company understand. It's unlikely that all of those people leave the company in a 1-year window, so the knowledge gets passed on reliably.
If a renewal happens only once every 10 years, then it seems very likely that the person responsible for it has moved on, knowledge around the process is lost, and at best the documentation is very out-of-date (but more likely it's missing).
My process is to have a shared calendar for these high-risk renewals. Top company officers should be on this calendar (CEO, CTO, and some engineering VPs). The calendar contains recurring events for domain and SSL cert renewals. These calendar events are set up for about 1-month before the actual renewal, and fire reminder emails at several intervals beforehand (in case people are away or on PTO).
I maintained that having to remember to renew a cert every September was more likely to stick with someone than 18 months or two years. It also keeps your blacklist smaller because dead ones age off faster.
I don’t recall how it ended up but we added automated reminders every 30 days starting three months before expiry.
I do try to maintain a margin of at least 3 years on important personal and business domains, though.
Less than 37 months left = immediate attention required.
To have a process be remembered, make it monthly or quarterly.
Has the advantage that a failure might not be so disastrous either.
Also, get a registrar with an API and use a script to figure out how long a domain is valid. Alarm through your monitoring system when you hit the too close for comfort time frame.
You can scrape whois as well but that seems fragile.
Even as a small company we have a number of regular infrastructure reviews. Most of the time we just go through the review, find nothing has changed unexpectedly and no new ideas need bringing to the table, we sign off to say all looks well, and the prices takes very little time. Some of this is automated: scripts collate and report information for signoff and we humans verify the result and take actions as needed (in some cases the action needed is to update the script(s)). This may seem wasteful, but a couple of people spending a couple of hours total per month on such checks can save some nasty surprises in future.
Domain status checks is one of the things that gets reviewed.
This is vastly more powerful than you need to simply call a shell script which generates SMTP email to your noc@companyname.com address, but can serve the purpose:
https://en.wikipedia.org/wiki/JobScheduler
You can use this for all sorts of things like maintenance notifications, automated emails to a facilities group on N schedule to change air conditioning filters, whatever needs to occur on a specific recurring time schedule.
The same rule applies to any email address that you use to purchase and renew domains and other critical services. If renewal emails are being sent to someone who doesn't work there anymore, something is very wrong.
Registering domains for only a year at a time will negatively impact your email reputation.
It is like having replacement toothpaste ready for your bathroom. It is such a nuisance to go out and buy it on the day it runs out, and more likely to have a day without if you do not keep replacements ready.
It would be hard to make the case for 2x, but 10x?
This feels like a solid way to do it.
The fact that you can doesn't give you a right to do so and in this case it is pretty clear that you would be acting maliciously.
I've seen such 'tricks' up close a couple of times and judges tend to take a very dim view of this kind of behavior.
Also, if payment isn’t received within 30 days you can expect to see the domain forwarded to a “for sale” page.
And given how fast the legal system moves especially across international borders, you will lose hundreds of millions in revenue before getting any kind of verdict, possibly even go bankrupt.
“It’s a nice domain you have here, be a shame if something happened to it” sounds cool in the movies, but in the real life it may be treated as extortion and land one in jail.
1. They do not need to pay you. You have zero chance of getting paid.
2. They can easily identify you as a suspect (even with foreign company or whatever) and the police can investigate further.
So you risk going to jail, with no upside.
Trust me, I know of a ex-cofounder in a previous who company who took off and disappeared with $175k from the company bank account, and despite our best efforts at getting justice or the money back, no one really gave a fuck, and there wasn’t much we could do unless we wanted to get into very expensive legal battles using money we didn’t have, against a person that was hard to get a hold of and with no guarantee of getting our money back, at least anytime soon (years). It was much more practical to just cut the losses and move on, making sure we could do everything to prevent it from happening again by someone else.
And the truth is this is how it is for a lot of things, the successful cases you hear of are really just a small percent of the crimes. Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end. Most people eventually give up. Unless you’re killing people or running drugs, there’s a lot of criminal arbitrage you can get away with due to how slow and how apathetic the law is.
Though I sometimes do think about the price I would have to pay if there was a reckoning.
The Chickenshit Club (that is, federal prosecutors in the last ten years) means that big company management can get away with white collar crime, paying other peoples’ money to make charges go away.[1]
Workers or little people at big companies are still subject to prosecution for white collar crime. And apparently since criminal prosecutions are time consuming DOJ has decided to deprioritize them, so if you commit white collar crime for small dollar amounts you’re also likely to get away with it.
[1] http://www.simonandschuster.com/books/The-Chickenshit-Club/J... “The Chickenshit Club Why the Justice Department Fails to Prosecute Executives”
You're not making any sense. You started this entire thread by talking about how you'd hold this $billion+ company's domain ransom for tens of thousands of dollars per year, so your sad tale of woe about how you couldn't afford an attorney to chase down an embezzler is irrelevant.
While 100 years or even 10 isn't for everyone, I do still agree: register them for as long as feasible.
Funny thing about domain renewal is that it’s so inexpensive that it can fall through the cracks and not get on the calendar.
Could be useful to think of all the little deadlines that cause risk and use a single process.
The advantage of this is that domain renewals are not broken by payment problems. Payment problems produce a failure state of "domain got renewed, the vendor is harassing us about an invoice"--which is much preferred to "domain did NOT get renewed, our site is down until we update our credit card." It also helps mitigate the "crucial employee departed" problem, since MarkMonitor won't just give up on an unpaid invoice... they will escalate if they don't get paid.
Of course as a matter of practice we always have multiple people with access to the dashboard, but if all those people got kidnapped at once, the domains would still renew.
I recognize that MarkMonitor is more expensive than Namecheap or GoDaddy or whoever, but I also bet that a lot of successful companies that are super reliant on their domains have never called for pricing. I don't work for a mega-corp; we're a nonprofit. And who knows, maybe other registrars may be willing to offer a similar payment structure.
(I'm not affiliated with MM in any way--just a happy customer.)
Wrote it up on Medium @ https://medium.com/thisiscala/the-duct-tape-holding-the-inte...