Per ICANN if domain is made innactive the page that it points to if it points to a page (it doesn't have to you can just put the name on hold) needs to describe how to get the domain back. Once again that's only if a page is displayed displaying a page is not required.
"2.2.4. In interrupting the DNS resolution path of the registration, if the registrar directs web traffic to the domain name to a web page while the registration is still renewable by the RAE, that web page must conspicuously indicate that the domain name registration is expired and provide renewal instructions."
Good question. ICANN does audits where they cherry pick some domains and say "show me what the fuck happened in logs and prove you did the right things". However the audits are every 3 years or so and the domains are just random pickings. So it's up to a registrant that is wronged to file a complaint and then ICANN says something to the registrar and the registrar says something back and they close the case kind of like a residential noise complaint where the cops come out when called. There really aren't any minor punitive actions per se other than revoking accreditation which is major. And you would be correct in assuming that would be rare and ICANN first gives every chance for a registrar to correct the wrong doing. So you could in theory get away for this for years and if and when caught you would just get your act together and fix things up.
Note: I have been dealing with ICANN since the start and they tend to be pretty cool and fair with registrars but they do take complaints seriously and do follow up on them. Creates a ton and a pain of paperwork for registrars so that really is the negative to not complying in a way.
This is exactly why we created a domain name/ssl reminder tool: http://www.expirify.com. A really easy mistake to make and very costly, I hope they get it back
1&1 and gandi both offer automatic renewal. In fact I don't think I would use a registrar that didn't offer that.
More likely what happened was that the guy who was incharge disappeared and/or his credit card number changed. And when the registrar tried to renew - it couldn't and I'm sure sent tons of emails of "HEY YOU NEED TO FIX THIS". Something similar almost happened to CentOS.
Most of them offer automatic renewals--they love customers that click automatic renewals. Godaddy literally changes your setting to automatic renewal.(This would be a good class action lawsuit--for such a classy company?)
The problem with automatic renewals is its fine if you just have one domain. If you have a lot of domains it makes financial sense to shop around? I've always gone with the cheapest registrar(that I feel will be around in a year, or two), and never had a problem. Personally, I heard a long time ago the true cost of registering a domain is around $7.49. I don't know if that's correct? I don't like to pay much more than that per year--just on principal.
Since, people are throwing around companies, Google domains are $10 bucks a year/with free privacy. (At least they were a few months ago?) Godaddy did away with renewal discount codes; I see no reason to use that company anymore?
So far it's been rocky with me. I had a VM that I used with what I think is called GandiFlex (I set it to lower the memory during the night and increase during the day) and apparently when my VM tried to scale up the hypervisor didn't have enough memory and for some reason failed to migrate the VM to another hypervisor. This left my VM offline for many hours until I noticed it.
Gandi's customer support official response "don't use it". Gandi's management response "you are right - we don't have enough monitoring and are looking into it". With no follow ups.
At least they credited me, generously, for their latest outage in their US datacenter.
The registrar does indeed do that, but only to the owner of the account. What if say you work in an agency and the person who setup the account has left? We created Expirify because we missed an SSL certificate renewal notice because it was sent to somebody who no longer worked with us...
If you only offer it to the original owner and the fee isn't particularly exorbitant, say $10 - $100, it might not even be sinister. Wouldn't you rather pay the slightly inflated renewal than deal with someone who's asking 5 - 6 digits?
The service is currently free, there's a bunch of ways we might monetise it but for now we're happy putting out there to see how people get on with it.
> Some people manage dozens, or even hundreds of domains. It's quite common in the "custom website design" world for the company (often a small agency) to manage the hosting of the site and domain.
DENIC, for example, (which operates seperately and has their own, incompatible WHOIS system), operates .de differently:
After your domain ran out, it will get "locked", all DNS settings will be locked they were before, and you get a letter or an SMS. The domain will stay locked for 2 weeks, during that you can enter the code from the SMS or letter on a website to move the domain to another registrar or delete the domain.
If you don’t react at all, after 2 weeks, the domain goes into TRANSIT. It still stays locked, but now you get actually billed for it, until you enter the code or delete the domain.
Essentially, with DENIC, the domain stays locked until you decide to delete it or move it to another registrar.
You can also disable the TRANSIT, in that case, if the domain runs out, after 2 weeks grace period of being locked it actually runs out.
Easy? Really? I get that you are offering a service, but I can guarantee that if there were something as fundamentally and existentially important as securing my domain name, it would not be an easy thing to forget to do. I can't even begin comprehending how one forgets to do such a thing.
Some people manage dozens, or even hundreds of domains. It's quite common in the "custom website design" world for the company (often a small agency) to manage the hosting of the site and domain.
Yep, that was exactly the use case we built it for. We scratched our itch. When you've got a group of people all managing domain names/SSL certs for various customers it's very easy to lose track of one.
We should stop using the domain name system to name web pages and email addresses. It is too vulnerable to legal attacks, extralegal attacks, and simple human error.
There are a bunch of decentralized possibilities out there: IPFS, Tahoe-LAFS, MaidSafe, and so on. None of them are ready yet, except (for some purposes) FreeNet and Tor Onion Services, and it's going to be a lot of work to get them to work, and probably some of them are simply unworkable. But this is a really, really important problem to solve, and it's solvable.
Now we only need to worry about the small matters designing an alternative system that acheives what the domain name system does without those draw-backs, and convincing people to use the new system...
There is one, and its called search. People are getting used to ask the search engine on their phones and tablets for finding websites, so the big engineer problem is remaking the service into private instances which isn't controlled by google or apple.
There are many circumstances where direct linking is needed, including from outside the system (posters, business cards) - search doesn't work for that.
Even if you go for something like QR codes you want a method that doesn't rely on encoding the fixed network address of a resource (as fixed addresses are usually not as permanently static as they are initially intended).
So on your business card instead of putting your name@domain you can just put "Hey! To find me just google 'my name at my long company name'" and people will end up in the right website, right? And what about email?
It's true that people find things by googling them, and so it usually doesn't really matter if a hostname is www.gimp.org or eqt5g4fuenphqinx.onion, while it does really matter that the search link via www.gimp.org can break suddenly for no good reason. It also matters that the pages at eqt5g4fuenphqinx.onion are dependent on a server operator.
How would hyperlinks work in this model? If I have a hyperlink "This is an awesome program" that links to gimp.org, how is search going to help if gimp.org goes away?
If we look at how people currently share links in social media then url shorterners are very common in use. That would point towards either local or centralized services providing the share-ability of links which would translate between a local address and a global name which may simply be a hash string. There are also QR codes and magnet links which neither rely on a domain name service to operate, but which are used by people to share the address identification for a resource.
They are not trivial solutions to the problem, but the fact that they are in use makes its plausible that a solution can be found.
The hyperlink URL text could contain a secure hash of the gimp.org home page. Or a revision number and the hash of a public key used to sign gimp.org home page revisions. Or of a document containing three public keys, the majority of which need to sign a home page revision for it to be considered a valid value for the link. Or, as in onion services, the hash of the public key of the server hosting the document, along with a document path to send to that server when you manage to reach them. Or a name unique within a certain namespace, and a public key used to sign new versions of the document listing the name-hash mappings for the latest version of the namespace. And maybe a list of IPv4:port pairs to contact to ask for the document. Or the name of a decentralized pub-sub channel where versions of the page are periodically announced — maybe the Bitcoin blockchain. There are lots of possibilities.
"The hyperlink URL text could contain a secure hash of the gimp.org home page. Or a revision number and the hash of a public key used to sign gimp.org home page revisions."
That would help to make sure you got the right page, but wouldn't help you find it.
Your other suggestions (e.g. a list of IP addresses/ports) are basically just reimplementing DNS, but with more complexity. :-)
With more or less complexity (although that statement makes me suspect you’ve never administered BIND) — but with different failure characteristics! And hopefully better ones.
No matter what system you will come up with, it will always be vulnerable to the actors trying to game the system. Like with many other cases, I think we're making the same mistake airport security does - focusing on last year's threats. We need to put more effort into winding ways to punish assholes (the technical term would be "defectors").
You don't have to be an asshole to forget to renew your domain name, which is probably what happened here. Or to die without heirs who care. Or to not properly maintain your RAID, which is apparently what happened at SourceFarce. Are you suggesting we should be punishing ICANN and EMC? Probably the only practical way to "punish" them is to build a system that decentralizes the control out of their hands.
I wasn't thinking about this type of problems. I was thinking about domain squatting, poaching and various ways people try to make money off people's honest mistakes.
I think that if we have a usable system that keeps the original author of a page from being able to make it unavailable, it will also probably solve those other problems.
I don't know about "good", but there are Namecoin, based on bitcoin-like blockchains, and P2P DNS, based on torrent-like protocols. Some people run alternative DNS servers, without the sanction of ICANN. TOR hidden services directories might also be evolved into something similar to a DNS competitor.
The current DNS system is based on a central service authority, which creates a monopoly on an artificially scarce resource. If the whole web went IPv6 and no web server had to share an IP with another, private address book names, shared via social connections, could handle the naming of everything out on the long tail of site popularity, and the largest sites could continue using whatever makes the most money for them. I can input names myself to attach to the phone numbers I know, and pass them to a friend with a NFC tap or message, so I could potentially also do that for IP address numbers.
I don't particularly want my ability to use the web controlled by ICANN as a single central authority, especially as I perceived the recent TLD sale as a blatant cash grab. The central authority has to be trustable, and I don't fully trust it.
Yeah, it gets put on hold for 45 days at which time it can be renewed. If it isn't renewed with that 45 day window, then it gets listed as "expired" and the owner still has another 30 days to renew it.
Once it goes beyond these two phases, it enters into the "pending delete" phase at the end of which, it's released and open to get hijacked by someone else.
They still have plenty of time to renew it without issue.
I don't understand registrars that don't alert you to the fact that it is going to expire. I have that registrar that everyone loves to hate and they are damn good at reminding me when to renew and not annoying me in between such times.
I'm pretty sure every registrar does this. It is in their interest: they remind you to pay so they get your money instead of some other registra getting a poacher's money.
A key problem is people not seeing the reminders. Perhaps they get lost in a sea of spam. Perhaps they get accidently calssifed as spem themselves. Perhaps the contact information for the domain isn't kept up-to-date and the reminders end up in an email account that is no longer monitored.
Note to self: check gimp.org on September 3rd to see if it was renewed or not.
In all seriousness I'm pretty surprised they would let it lapse. Hopefully they pick it up within the grace period. It would suck for a bad actor to get ahold of it and offer up the gimp for download with, say, malware in it.
This wasn't really surprising to me* - some months ago, when we discovered that gimpguru.org (no one from GIMP is connected to that site, btw) had expired and taken over by a third-party, we checked and discovered that gimp.org expires on 2015-08-03.
Personally, I firmly believe that useful change only happens when survivable incidents happen, so my only concern was whether gimp.org would be lost immediately it wasn't renewed before that date. But when someone pointed out the grace period, I thought "well, either it is renewed in time, or we will have discussions similar to those that happen right now, might be a good wakeup call".
* but yes, of course I was surprised when I couldn't connect to www.gimp.org anymore, in particular because I had some updates planned for the downloads pages, because I had simply forgotten about it. Dismissing it as a non-issue until something actually happens tneds to cuase this, apparently.
As others have said, I don't think it was poached, more likely it's in the 30 day grace period for a missed renewal. Hopefully they'll get it sorted soon.
And yes, domain poaching is very douche-y, and is basically extortion.
(to anyone who knows this: it looks to me like fosshub wants to be the anti-sourceforge, the new home for binary opensource downloads, and that they're non-evil. is this true?)
Yes we do have the GIMP binaries as we took them directly from GIMP.org - the official homepage. The files are 100% clean, feel free to download them. Thank you!
Thank you for the confidence! We can assure you that our intentions are "good". As for the Ninite suggestion, unfortunately (since FossHub is NOT after the money) we don't have the financial resources to add such a tool. Maybe later. Thanks again!
Sure! We run the site anonymously for the same reason as others - keep phishing attempts away, minimize spam, increase the security by eliminating social hacking attempts and a few other reasons that are well-known by law enforcement agencies. We did tried to run without the "privacy" option enabled and we were forced to activate it. We acknowledge that this might raise some questions but as long as we deliver a trustworthy service this shouldn't matter too much for our users.
Great ! Now the GIMP team will use this opportunity to create their own version of a "domain". I will look & work mostly like all other domains, but just mostly.
Like you will not be allowed to directy save a change to its structure...
Domains have a renewal grace period. Since it expired recently, they'll be fine.