Tell HN: Godaddy canceled my domain, gave me 2h to respond, then charged €150
Today Proton (my mail provider of choice) surprised me with a warning that there were problems with the setup of my domain. A quick research revealed that godaddy had cancelled my domain. It showed up in the Redemption Grace Period. This status code indicates that godaddy has asked the registry to delete my domain. After 30 calendar days + 5 days following the end of the redemption period, my domain is purged from the registry database and becomes available for registration.
I immediately contacted the godaddy support hotline. Mainly because of my mail account and the services connected to it. They confirmed the termination. The reason given was that I had failed to respond to an e-mail - that was sent yesterday on a Sunday(!) at 9:51 PM. Then at 0 o'clock my domain was terminated. So I had a breathtaking 2 hours to respond. Which is especially fun because I go to bed at 10pm. :-D
To make matters worse, the mail ended up in the spam folder because Godaddy's reputation seems to be bad and was titled: "Update your privacy settings and personal information.". Even under normal circumstances, I would have ignored this email. How should someone suspect that in a few minutes from now on the own domain is going to be killed.
If I understood the service employee correctly, this mail means that something was wrong with my payment data. And indeed, there was an old credit card on file. However, a PayPal address was also stored there, which still worked. Via this address, I was later even debited the penalty fees that I supposedly had to pay.
After some back and forth with service, I was then given an ultimatum: Either I pay €150 fine, allegedly required by my government to be charged for domains that enter the grace period. Or I lose the domain.
The latter didn't sound very inviting, as I like my domain and also don't feel like switching all accounts to another domain/provider. So I paid the fee.
Godaddy confirmed afterwards that there were no further emails or announcements. The service employee even confirmed by phone that apart from the mail and the subsequent generous transition period of 2 hours, there would have been no further information.
TL:DR If you have a domain with Godaddy, just make sure that the payment information is correct. Otherwise, it might get expensive.
326 comments
[ 5.2 ms ] story [ 310 ms ] threadThere may be a mandatory waiting period.
And finally, there's DNS caches; if you know a migration is upcoming, it's worthwhile setting the TTL to a lower amount.
For this poster, I don't think they can migrate to a different registrar while their domain is in the 'redemption' period, and they may not be able to migrate within some time period (30 days?) of renewal, either.
Depending on what you need, https://dnsimple.com seems to have a good reputation, I also see a bunch of people spreading their risk by putting DNS on one big (cloud) provider and all other services on other providers. This means that while Cloudflare does DNS registration now, you might still want to use Cloudflare for your DNS zone and something else for registration. That said, Cloudflare still has a good reputation (for paying customers!).
The idea behind that is the (generally) low fee of DNS registration is easy to monitor/check and maintain, so if all else fails you at least retain your domain name as an identity which is generally the foundation to everything else. While it might suck to lose the contents of a mailbox or a website, if you still retain the DNS registration you can always re-create.
Other service providers that don't structurally screw your DNS over (re-including the ones I mentioned):
Those are the ones I have used (and most of them currently use) myself, but there are others that do domain registration and seem to come recommended by others: Most of them I do have some personal experience with (for what it's worth... we're just strangers on the internet here after all), but I never really had to do any long-term (10+ years) DNS registration with them.If you are in an ITAR area, conflict region or trade sanctioned region, none of this will help tho.
I mean you can never predict these things fully, so be ready to move domain registrars or even domain names if you ever need to. Another example, UK residents or businesses that had a .eu domain name were no longer allowed to have it post-brexit.
EDIT: I misread it, it's most of their workforce.
If it's ukrainian company it doesn't mean their service is any good
I can see how it'd start adding up with too many domains, but at my level the trust is more comfortable.
I don't know if they get a lot of chargebacks against them, or if it was just a fluke, but I haven't tried again since.
https://www.cloudflare.com/products/registrar/
(But then again, I ended up getting a .dev domain at a different registrar, so I guess I'm screwed either way)
> Auto-renews every year, lots of reminders.
That's pretty standard with any half-decent registrar.
It should be noted that GD had a kiting operation, but then paused it, after which the original owner publicly decried the practice very publicly. The company has since been sold and I would wager that the opportunity was too profitable to ignore.
Source: I built the analytics system for parked domains that was used for pricing early GD domain auctions as well as the initial integration with Adsense for domains.
Only downside is their new registrar doesn't support many new-TLDs, so it's a bit of a hybrid setup for some domains.
Except with CloudFlare, she didn’t notice it was lapsed until they modified her DNS. The domain was in REGISTRAR HOLD state. We couldn’t do anything via the UI. Reaching out to CF support had a misfire, because the first support rep thought it was about CDN not Registrar. A couple of polite emails (and like 60 days) (she did not make it a priority to resolve) later, the domain was restored. I was kind of surprised because I thought some kind of ICANN hammer drops right about 60 days and forces an auction.
Anyway, my highest accolades for registrar go to CloudFlare.
> Anyway, my highest accolades for registrar go to CloudFlare.
Er. Is that really the conclusion here? Did you mean to mention that they sent her a warning email in advance and she just missed it? Because the way you've written it makes it sound like CF still screwed up but made it possible to eventually recover.
The transfer was quite smooth. It was easy to turn off the cloudflare "protection" (my sites don't need it (yet?) and I didn't want to have to think about it, the threat model, tls stuff, etc). And so far no problems.
You're getting the benefit that AWS isn't just a registrar they're... AWS. Their processes around accounts and support and such are all designed around much higher value and higher impact accounts (many entire businesses would go away if all their compute + storage were suspended). Low margin domain registrations isn't really their business, so they're not trying to cut security/support to make it viable. From $4k/yr accounts to $450k/yr accounts, I've never had an issue getting in touch with support and having someone empowered to resolve my issues.
That said, I'm assuming from "enterprise-y" that this isn't anything that would be remotely near violating their AUP. I haven't heard of much real enforcement outside of people who were very blatantly malicious actors, but I'm sure if I don't mention it someone will come along and point out one of the newsworthy account suspensions that have happened.
It's everything you need from a registrar & DNS provider with nothing you don't: a thoughtful interface that is responsive even with a large volume of domains, no up-sells, first-class API capabilities (which is great for volume/bulk operations), and the pricing is solid/reasonably low-margin with no gimmicks, no front-running.
Only thing to note is that, at least last I looked, Amazon isn't actually the registrar -- it's some kind of 'affiliate' setup with a 3rd party, but AFAICT it's essentially Amazon.
As soon as possible though, everything is going to Cloudflare. It simplifies my life.
GoDaddy did nothing to help. I've posted about this before, and like to bring it up everytime people mention bad GoDaddy customer service.
https://news.ycombinator.com/item?id=24507411
It's long ago history now, but a good lesson learned.
Totally unprofessional and a complete joke. Will never use them on a production system again. Always angry if they are mentioned here like they are a legitimate choice...
Folk ask why I colo. And the why is because it's my hardware. If my host is to touch my kit without my permission or a subpoena they'll get slapped with a solicitor.
But to the extent US law applies and the other required details of the DMCA safe harbor are attended to, I do think the DMCA prevents the service provider from monetary liability in this scenario. Of course, criticizing them for acting rashly remains 100% fair game.
(As to the question of whether US law applies: one example you were discussing, Hetzner, is based in Germany and not the US. But I can imagine circumstances where US law might sometimes apply to them anyway, and/or Germany might have similar laws. I'm not an expert on the international angle here, and I'm not a lawyer in any case.)
I did not mention the former employer or any of their projects/clients by their names and did not include any images of those projects that were protected by any copyright that they held. It was screenshots of the website functionality after I had removed all original styling and revamped it myself (on my own time on my own machine using only publicly available HTML/CSS) from the ground up to anonymize it. All branding and images were removed and replaced. These revamps were never publicly released and were only used to create screenshots to display their functionality. They claimed copyright ownership of the images that I took, on my own computer, that had zero resemblance to their own software except for the workflows that they had. These were all public facing sites and there was no internal/proprietary workflow information being shown. The work being displayed was 100% my own creation during my employment, and I was not claiming any credit for work that wasn't done by me.
I did not bother disputing the fraudulent DMCA claim because my former employer that did it was extremely litigious and loved lawsuits and loved making them as long and expensive as possible to punish the people they were trying to bully into submission. The owner would frequently boast in the (open concept) office about all his lawsuits and how he was forcing people to comply to his demands with the threat of ruining them financially with lawsuits.
It did have an impact on my ability to find new employment, but I found employment anyway. I just made a PDF version of my website (well laid out) and send that with my cover letter.
Your case sounds like one of your IPs got blocked in their firewall, which can happen if you use bittorrent or receive a DMCA strike. But then other IPs associated with the domain would still work fine.
That said, yes, their abuse team is rather trigger happy. I've had disagreements with them, too. They can be VERY German ;) But in general, calling them on the phone can fix these cases within minutes.
i think giving 2 days before turning anything off would be sensible. 1 day would still be ok. but turning it off immediately without even giving a chance to reply is not acceptable. especially since anyone can send a trademark complaint without providing any evidence. so, if you want to do some domain sniping, look for businesses hosted on hetzner and watch them go down...
Generally, I would recommend not hosting APIs on the primary domain for exactly that reason - it's too easy to be hit with some sort of complaint and have that domain cut off (DMCA, preliminary injunction, SPAM complaint against your mail server, shitty host, ...).
exactly what happened. so not even the slightest reason for an immediate reaction
> recommend not hosting APIs
yes! we learned the hard way :)
Did they start sending NXFAIL for DNS requests for that domain? That's what "turning off the domain" means. But in that case, API access via IP would continue to work without issues.
Or did they start blocking traffic to the IP that you had associated with the domain? In that case, the domain would continue to work, you just need to switch the IP.
Based on your information so far, I wouldn't know what to do to repair it. I'm not surprised that others were unable to help, too.
That said, with Hetzner I've had the trademark complaints as well, but they've always given us 24h, and were always okay with us saying that our usage (e.g. showing a logo of a shop next to their review) was fair use.
I have an email from them forwarded by a third party reporting phishing on a CF-DNS-hosted site where Cloudflare denied they had any responsibility whatsoever as “they host no content”.
Of course, it requires a subpoena to discover who DOES host the content, as they are the only ones who know.
They do it for lots of right reasons, I'm sure, but they also do it based on simple claims. While I thought that's a great way to hurt any site if such a claim is all it takes, I haven't experimented with it, so I don't know if you have to make it a legalese thing, or if they do some automated checks. But once you get a site flagged, it'll probably stay so, unless they have some very good connections to CF.
They will forward any complaints also to the hosting company of the origin, but if you're not in luck, the site will be hosted at a questionable company that has no trouble hosting phishing sites. Hetzner for example did quickly react and requested comments from us under threat of shutting down the server. They were happy with our response and their own checks however.
Still, I agree that they should have a way of de-anonymizing who is behind a site, their business is in protecting against technical attacks, not protecting against the law.
By contrast, this is the email that a MAANG company received recently regarding a site being reported for phishing one of their login sites:
https://ibb.co/kcsQN0w
So I guess they are somewhat arbitrary in their phishing actions.
Sure you can do that for some internal/private service. But how can you do that when you have a public user base who expects a service at foobar.com which has DNS issues?
Previous experience: I already had one of our videos suspended for "copyright violation" (this was on media hosting site) despite the fact that I fucken made this video myself. Some company had stolen it claimed as their own and submitted hash. Since mine has the same hash ( duh! ) access to my video was blocked resulting to download complaints from customers who purchased it. I sent numerous complaints with the results that amounted to roughly "fuck you". I've given up but suddenly out of blue after 2 month I received the apology from some C-level of theirs telling me that they were in error and access to my video was restored.
It's for this reason that people are losing massive amounts of trust in them, yet they seem to be the only viable option for most.
The concept of grace almost doesn't exist in business, and the idea that customers are valuable is all lipservice.
So I guess what I really need to understand is whether this is a typical response or if there is more to the story that I don't understand/see.
If you are no longer using Hetzner, which other vendor(s) are you using?
I was not aware of their abuse policy when I was forced to move my services from another unprofessional provider. I had settled on Hetzner. I'm glad you said something.
Over the last few days I've reached out to them for further clarification on their policies, and over those (multiple) communications there were enough professional red flags that its become clear they can't be considered for any future hosting of production or professional services.
Initially, I was stonewalled with: --- Thank you for reaching out to us directly to clarify this matter.
In accordance with German law, we are not permitted to disclose internal information to third parties or to review or verify the content of any potential abuse reports. As a matter of fact, we neither can confirm nor deny what is described in that thread. We want to assure you that our abuse team handles cases with care and sets reasonable deadlines and measures based on the gravity of the allegation.
---
I asked about what processes and controls they have in place to prevent fraud, and the written policies and timetables, and they didn't appear to understand English well enough to answer, they thought I was talking about other common forms of abuse rather than fraud.
As a customer, they were unable to provide me with any kind of written policy, adversarial response schedule, or other controls commonly needed to mitigate fraud.
No details or specifics on their policies, other than what they refer to as 'reasonable' time tables based on the allegation which are not clarified further.
It appears they consider multiple complaints more severe regardless of the legitimacy of the claims which they don't appear to evaluate prior to shutdown, and their Abuse Team decides on a case-by-case basis what actions are to be taken, and the response times allowed.
As a result, it appears this provider has an unreasonable amount of counter-party risk associated with it. Any company could file a claim, and hold your business hostage (as OP described).
What's worse, if they suspend or terminate your account as a result without notice; any monitoring that might have alerted you so that you could respond more quickly would likely not function correctly and fail silently without a cross-platform investment.
Network Solutions was at least 'good' at one point in time, or at least one of your only options. What did GoDaddy ever do?
They got a big marketing campaign first. And as a consequence, it looks like they inserted their brand into people's mind forever.
Now it doesn't matter how many shitty things or outright crimes they do, people always find some excuse to keep giving them money.
That doesn't make them any worse than, say, GoDaddy, but given enough time, they'll probably end up just as bad.
It's been discussed here at HN too: https://news.ycombinator.com/item?id=30504812
Even if I was affected, I'm not sure I'd want to continue relationship with them. Anyway, user of name.com now, so far so good.
(P.S. Might need to say that I support Ukraine in this horrible conflict, I just happen to hold a Russian passport)
I've been playing with cloudflare recently, and just realized they also do domain registration and DNS hosting. I might seriously look at switching to them depending on hassle and potential benefit. But I usually like having dedicated registrar/DNS that is uncoupled from hosting.
https://www.cloudflare.com/products/registrar/
Some people can't wait to victim blame every time these posts of obvious business stupidity come up.
Domains go into a redemption period because they expire. Having a card or paypal on file is meaningless if you don't have auto-renew.
People lie. People lie all the time, and always spin the story to somehow make them the blameless victim.
There's just too much superfluous information in the post that's not relevant to the problem. I don't care that OP uses Couldflare as DNS. I don't care what OP's email provider of choice is. I don't care he forgot about his GoDaddy account.
Also I think it's the government he should be complaining too, because it looked like GoDaddy reactivated his account for free.
Not saying GoDaddy is a good business, just stating that OP probably might not be as innocent as it seems.
This is purely an opinion.
It's obvious stupidity in multiple ways:
They failed to account for the customer's long and positive track record. They must be having a CRM. About time they started using it instead of acting like a script that wakes up and shuts down without any context.
Despite being web and mail hosting experts, their architects failed to design their systems for the scenario that their critical mails end up in spam.
Their UX people failed to title the mail in a way that would grab attention.
The post says that apart from this single email and its 2 hour deadline, there weren't any notifications in the past, something that other people here have assumed without checking.
====
In all such posts, it becomes obvious again and again that tech businesses are failing to design their systems for corner cases. This is not that surprising given all the communication and decision-making complexities anybody who's worked in tech would have seen.
Victim blaming is the laziest and most useless approach because it just denies that the real world is more complex than the ideal use cases the designers assumed. And neither helps improve anything nor holds anybody accountable.
As it turns out, Godaddy has a backup payment method option: https://godaddy.com/help/set-a-backup-payment-method-724
Like I said, in all these posts, there's a tendency to victim blame by making convenient assumptions to show the victim must have somehow been at fault. The GP even jumped straight into "if X, then it must be your fault" without even bothering to check with OP if X is true.
Additionally, despite all our insider observations of snafus as software engineers as well as personal experiences as customers, there's a tendency to implicitly assume that all software systems are designed perfectly and the entire chain of people that run them are 100% correct and ethical 100% of the time.
I termed this "the tech just-world hypothesis" because of how often I keep seeing it.