Ask HN: I purchased a domain and now the registry wants to take it back

63 points by forty ↗ HN
I purchased a very nice .io domain 2 days ago and I received an email from my registar today saying there was a bug in the registry and that the domain should not have been available so they are going to cancel my registration.

Right now I own the domain. What can I do? Is it okay for registries to do this? Does it happen often?

Thanks!

75 comments

[ 12.8 ms ] story [ 702 ms ] thread
This is part and parcel of participating in the centralized domain name system.
Absolutely. I'm not screaming that's it's unfair or anything. The good things about centralized systems like this is that there are rules and laws. If the ICANN rule says the registry can do that in this case, then fine, I won't fight. But I would like to make sure it's really the case.
This is hardly a typical domain registration experience.

Would be truly unfortunate if a hypothetical decentralized alternative had a similar bug that let someone else register and already-owned domain, as that bug would likely invalidate the entire structure of the registration and bring the whole system down as people exploited the vulnerability to steal every possible domain in a decentralized manner. At least this centralized solution can fix it and adapt.

I think it would be a good use of blockchain to find a way to solve this centralized control. The prices for a domain border on extortion.
this is part and parcel of having the ICANN model with competition between for-profit registries. Jon Postel wouldn't have been so mean.
If they screwed up somehow, they're kind of obligated to fix it. Otherwise, they just stole somebody else's domain and let you register it.

I would be a little skeptical. Make sure that the email really is from your registrar. Also, it's likely that "do nothing" is your best course of action, in any case. If the email is legitimate, there's nothing you can do to stop them. If it's a scam of some kind, you avoid increasing your exposure to risk.

The thing I'm wondering is whether the registry is not trying to get the domain back for them (which would be possible given the domain).

I cannot find any trace of the domain on the internet, so at least I don't think it was used. I don't know if there is some kind of way back machine for domain name records / whois ?

2 Days ago management of .io registry was transfered from Afilias to Donuts (Due to an acquisition). It is likely that during that window you registered the domain and they are now cleaning up the issue. It may be your registrar took your registration and then when they went to actually process it the registry was down, so someone else got it during that period. It could be other things, however, the bottom line is that the domain was probably never yours and there is really not much to do here. It's bad timing and bad handling of a process on your registrars end.
At least right now I control the domain. I think the registry messed up as they allowed my registration, not the registar.

Thanks for the info on the migration, that could indeed explain this.

If you have control of it you _might_ actually be the one that nabbed it, and somebody else complained they couldn't manage it.

If this is the case, under no circumstance tell your registrar you're okay with losing it and dig your heels HARD.

Either way you should get a cert for it with the longest expiration you can ASAP while you control it ;)

I understand your sentiment here, but should the registry decide the domain is not theirs it will simply not be manageable from the registrar/buyer. All they do is update the management id to the new registrar and the registrant contact of the domain, no intervention is possible.

I can tell you I’ve seen legal orders transferring a domain from one registrant to another, if the order has the registry named to take action, the domain kind of just goes poof, sure it’s in your system but you can’t do anything against it.

> I can tell you I’ve seen legal orders transferring a domain from one registrant to another, if the order has the registry named to take action, the domain kind of just goes poof, sure it’s in your system but you can’t do anything against it.

Then maybe the original poster should demand such a legal order? I doubt there exists one now given it's only been a couple days.

In this context it was court orders, usually over an ownership dispute between corporations. The legal fees etc, make it unlikely to be worth the hassle.
Yeah I can totally see that. I guess in this case the OP could try to stand strong and refuse to go along without any sort of court order, but even in that case it's not like the OP can stop the registry from going through with the change. So really if the registry decides to do it anyway, then I guess the OP could try to pursue legal options. I guess maybe the domain would be worth it.
You technically do not own a domain, but you lease it them.

"ICANN's official policy is that domains are not property to be owned. Domain names are registered (rented) by payment of an annual registration fee."

.io (like all ccTLDs) is not governed by ICANN, fwiw.

But your point is valid that domains are essentially registered according to the terms of a probably-long and verbose agreement.

Domains should be NFT's
Nothing should be a NFT
Imagine what a train wreck that could be. You just know that some Fortune 500 is going to have someone steal their private keys proving domain ownership. Bankofamerica.com now belongs to a hacker in Tver, Russia?

Blockchains are a great idea but some problems are better solved by the brick-and-mortar legal system.

Yeah, then when someone loses or has stolen the keys to that wallet, the domain is forever gone.
Like how when someone steals your car it's just gone forever?

There still exists a legal system in which the NFT could potentially recovered. Yes it's harder with easy cross border theft, but that just means we need better global treaties.

Apples and oranges.

If your car is stolen, there's a potential for it to be physically found and returned.

If someone somehow finds the private key to steal an NFT, they could steal the NFT and then delete the private key for the new address that owns it. At that point, treaties don't matter. The ownership exchange is permanent until someone can derive the private key from the public key, which if someone did, then ALL NFTs could be stolen.

Sure but if they delete the private key then they don't own it anymore either. It would be like destroying the car. And yeah, if someone steals your car and destroys it, you can't have it back.

There's also an easy fix for this. Make the NFT include a smart contract that requires periodic "checkins" that require the private key, and if the checkin fails, ownership reverts the previous owner or another address specified in the smart contract.

Or attach a smart contract that requires registration with a third centralized party.

NFT technology can interplay with existing legal frameworks and protections with the right programming.

It can't, and never will. The more you build the central controls, like trademark enforcement, to the system, you might as well replace it with a central database and licensed registrars and thats what we have now.

The global DNS namespace is heavily controlled. I very much doubt that these funny namespaces will be anything other than a fad used in niche applications. Metamask supports .eth, fine, but you wont be pointing at your https server with it if you expect grandma to resolve it.

We have seen it before, many times. NewNet isnt a thing this decade. You cant invent arbitrary TLDs and expect the internet to use em.

Many have tried (they dont need to be NFT's, they just need a record mapping of name->NS IPs). Namecoin tried this. Handshake is trying this. ENS is trying this.

IMHO they will fail. You wont see decentralized name registration in the global DNS namespace. Too much abuse potential, too little flexibility with errors, trademarks, etc

> IMHO they will fail.

I agree with you there. The key problem is maintaining ownership of a valuable domain, not freeing domain ownership from ICANN or automating dispute mediation.

Putting domain ownership on a blockchain just makes it almost impossible to maintain ownership of the domain if someone steals your "crown jewel" certificates.

When existing tenants get to extract arbitrary rent to transfer their lease, it sure looks a lot like property ownership to me.
the entire existence of the .io registry and the people running it, presently making money from it are highly suspicious, it's supposed to be for the benefit and use of the people who lived in what's now called the "british indian ocean territory" in the general area of diego garcia.

this is a place from which the natives were evicted by force.

I somehow doubt they're getting any financial benefit from it.

https://en.wikipedia.org/wiki/.io

https://en.wikipedia.org/wiki/Chagossians

https://en.wikipedia.org/wiki/Diego_Garcia

as a reminder, ethos capital are the amazing people who tried to "buy" .org a while back

https://en.wikipedia.org/wiki/Ethos_Capital

If this doesn't fit the economics textbook definition of Rent Seeking, I don't know what does.

If the Chinese did this the press would write about the genocide in Diego Garcia etc....

The UN resolution (international norms???) and International Court of Justice (ICJ) is being violated by the UK and US:

https://www.reuters.com/article/us-britain-mauritius-un-idUS...

Perhaps it should be possible to condemn things like what happened to the Chagossians and what's presently ongoing with the Uyghur people simultaneously
Hang on a second: how is the US violating anything here? You’re roughly saying that the UK’s error transmits to the US because they lawfully leased land to the US that they consider theirs.

Of course the US is going to lobby to keep the base, and of course it’s horrific that thousands were forcefully removed to build it (and the US should compensate for that), but any interpretation where the US is in international error here due to Mauritian sovereignty considerations is plainly transparent in its purpose (particularly in a comment that references China off the bat).

That’s the UK’s problem. Notice the Mauritian prime minister in the very article you linked only discussed problems with the UK.

Do not register domains on some banana islands (IO is for Indian Ocean). With ".com" or national domain you would have a chance at court.
I've purchased domains from GoDaddy and they reclaimed them, claiming that they sold them to me in error and that they had already been purchased. This is for multiple domains, within minutes of their release by the way.
Say No to Daddy. Just never use NoDaddy. Especially when checking for domain availability. They will show your desired domain to other users later (as alternative domain they may like to purchase). Always check for WHOIS to see if the domain is registered. Privacy respected WHOIS tool -> https://freetools.dev/whois
I've had this happen during new TLD launches. I owned lap.top for about a day but so did a whole lot of people. I lost that race. You don't own a domain. You rent it and the registrar can take it back. They generally don't, outside of trademark issues, legal problems or race conditions but they can.
In my case I actually own and control the domain (I'm in the whois and my website shows up in the browser)
No, you rented it from the registrar. Nobody owns domains, one rents them for the temporary control over NS records. The registrar can take it away at their prerogative.
You mean the registry. If you are going to be pedantic, you should at least be precise ;)
(and I don't think renting is a much better term than owning when it comes to domain. I can sell the domains I registered, that's rarely the case for things you rent)
You lease it. (And yes, you can sell leases in physical analogues too.)
Tell them you will not be returning it and if they do take away your access you will pursuing legal action.

Do you think you could ever convince them by saying hey I saw this domain was available but came back 2 days later and it's not available, can you still get it for me? The answer is unequivocally no.

Know your right and defend them against overreach of private entities.

few days ago, i tried to purchase a domain on godaddy, I didn't buy it as I had to get approval from my manager so I left it in the cart and that time I was using my cellphone. Then after 3 days, I came back to godaddy through my PC and saw that the domain is now premium and they want amount close $3000 . I was kind of shocked. but then on my phone I noticed that item is still in my cart with the 20 dollar pricing, and I purchased, few days later godaddy came back and refund me the 20 dollar and took away the domain. One thing I learned is that never use a registrar search engine as they check domain with high search or interest and they immediately buy it before you.
Is this frontrunning?
Yes, and it's a well-known practice of scummy registrars like godaddy.
It is! Trading your own account in front of a client's order with knowledge of your client's order is, indeed, frontrunning!

However, given domains are not securities and domain registrars are not FINRA members or registered securities broker-dealers, I don't think this is "frontrunning" in the sense that you're used to hearing the word.

So who knows if it's even illegal, and even if it is, who knows what recourse anyone has about it, given how quasi-legal and international the ownership of domains is.

yes, it is. I was thinking taking them to consumer protection court, but I realized it is not worth my time.
Someone has to take one for the team..
Godaddy has been doing this since forever. They burned me with this practice circa 2005. Back then I searched for a domain, and the next day they registered it and wanted $20 more for it -- nothing close to $3000! It's funny, they put up a website at the domain with a message that it was "Parked helpfully for my convenience." Amazing to see that since they were allowed to get away with it then, they've since taken an abusive practice and turned it into extortion.
I can't believe godaddy is still doing this. It should be illegal.

In the future, use gandi.net or namecheap.com. They don't engage in such despicable practices.

It's hard toe believe people (professionals, at least) are still using GoDaddy. Their shenanigans are well-documented, so the only reason stories like these could keep showing up in places frequented by people who should know better would seem to be name recognition. GoDaddy is the McDonald's of domains. You shouldn't be surprised if you go to McDonald's and get McDonald's-tier service. Although on second thought, Jiffy Lube may be a more apt comparison: https://en.wikipedia.org/wiki/Jiffy_Lube#Controversy
Is this not front running?

McDonalds don't change the prices on the menu when they see you walk through the door looking particularly hungry.

(comment deleted)
Saw the title of this post and thought about how since godaddy has bought out uniregistry, they essentially took a few domains I had bought via uniregistry (a few .top domains I think) and transferred them to a different registrar fairly recently -domains24? or something.

I did not believe it at first, (thought the emails about paying someone else for my domains were a phishing scam) but I guess it did happen.

I have many godaddy=evil stories, the fact they don't enable letsencrypt / easy free ssl on their hosting / cpanel servers - it just makes them really shitty netizens on top of all the other shady things they have pulled over the years.

Anyone here familiar with the newly launched Ethereum Name Service (ENS)? All the registrations are handled on the blockchain. Would this error be possible on ENS?
ENS is purely a vanity service, like any other NFT.

ENS would not have this problem, however, you might as well write a name on a piece of paper and never show anyone. It is not the same thing.

ENS will never be resolvable via the global DNS namespace. Its like a parallel DNS namespace. I don't believe that any blockchain NS will ever marry with the global name resolution namespace. Handshake and Namecoin are alternatives too, and there was non-blockchain thing called NewNet that no longer exists.

Globally resolvable names need to have registration details, so when you register "cocacola", Coke can sue you for trademark infringement. They need to be revocable.

Appreciate the perspective on this. When you say "ENS will never be resolvable via the global DNS namespace", is that a technical limitation or something else? I'm curious so learning about how it works (or doesn't!), sounds like you have a lot of experience.
There is no reason technical that ENS could not run root .eth servers and have these in the global DNS namespace. It would be a centralized service with decentralized records.

I'm saying it wont happen because they wont let it. Its a closed club, and its a big deal when new TLDs get added. Johnny ethereum isn't allowed in.

Ah interesting hadn't realized it was a closed club. Heard it was some kind of delegate, DAO but that likely just means those with the money win right?
> There is no reason technical that ENS could not run root .eth servers and have these in the global DNS namespace.

Unfortunately though, .eth already collides with the reserved 3 letter country TLD made for Ethiopia.

> It would be a centralized service with decentralized records.

That is the best way to describe ENS. Your .eth domain is still sitting on a single TLD managed by so called 'trusted' centralised key holders.

> is that a technical limitation or something else?

Because it's a scam.

> Right now I own the domain.

No, you don't. Read the terms and conditions.

What do they say that OP overread, then?
I control the domain if you prefer.
Unfortunately if you do not fully own your own ICANN registrar, for example, like Facebook [1], then your domain remains in the hands of the registrar; it doesn't matter what your WHOIS states.

I've looked into this exact problem because I wanted to know, what it takes to fully and completely own your own domain. The best way is to apply for an ICANN registrar accreditation which entails these requirements [2]:

  - US$3,500 application fee, which is non-refundable regardless of whether the application is approved, denied, or withdrawn.
  - US$4,000 yearly accreditation fee due upon approval and each year thereafter.
  - $70,000 USD in liquid assets 
In the case of Facebook, they were able to receive an expedited approval since link [1] indicates that their company will not be buying nor selling any domains. It just exists for the sole purpose of owning the domain. Why did Facebook do this, you may ask?

Well, social engineering. An Njal.la hosted domain was successfully transferred to Namecheap (through no fault of Njal.la) through forged German Court records [3]. So now, no one can socially engineer the domain away from FB and I suspect the vast majority of these companies.

RIP. Looks like I won't be owning my own domain anytime soon.

[1] https://registrarsec.com/

[2] https://www.icann.org/resources/pages/financials-55-2012-02-...

[3] https://www.vice.com/en/article/qj8833/dark-fail-fake-court-...

Facebook owns at least 2 ICANN registrars: "RegistrarSec" and "RegistrarSafe".

Both have the save website and mailing address but there are 2 independent ICANN accreditations.

Likely, it is designed to prevent another sort of attack.

UPDATE: that's it, the registry did take the domain back.

As I expected, they took domain for themselves... Whois says:

This name is reserved by the Registry in accordance with ICANN Policy. >>> Last update of WHOIS database: 2021-11-20T13:42:39Z <<<

:(

Nobody owns domain names derived from registries, they are merely leased and subject to recapture from either the registry at will, or the registrar with cause.

Trademarking the domain name gives you vastly better protection, since even if the registrar/registry takes it back, nobody else can use it, so the incentive for those entities to change their mind on leasing it to you is reduced.