If you change registrar-level things about your domain, they're now required to confirm your contact info with you. This isn't a "DDoS", or "deadly", or any of that nonsense: it's a new strategy to ensure whois data stays updated.
Whether or not it's an effective strategy for keeping whois data accurate is another debate (I don't think it is), but talking about it like some malicious act is pointless.
I read about this originally when they made the rule and it seemed arcane and ridiculous, I dont know how it ever was passed. I believe everyone who some experience with whois info knows the information is either false or hidden behind privacy emails and contact information. If they are not, they are subject to annoying or even abusive misuse. (I remember someone back in the day calling me repeatedly because they found my website after I beat them in some video game, the internet is filled with nutters.)
If ICANN wants to know the details, I dont care, but if all the internet wants my phone number, they can take a long walk off of a short pier.
The registrar is public information. The registrant's contact information is public (or at least publicly accessible). So, wait a year for people to get accustomed to clicking on links in emails from their registrar, pick a target domain, forge an email from the registrar, send it to owner contact with a link to a phishing page. Congratulations, enjoy your new domain.
That was... interesting.
Good timing on the troll's part as I was migrating from 123-reg to Gandi at just that moment and had to persuade both of them that I was who I said I was and that the info was correct.
If I recall correctly it involved proof that there was a company behind it (company registration documents), proof that the address for the company was correct, and proof that I worked for the company and had the right to represent it.
It's pretty scary to think that your domain might be pulled, and the web properties and email with it, based on a third party report.
At least with this proposal a 15-day window to verify details when you change info is an expected thing.
Oh, and ICANN sent the notification via the registrar to the admin email on the domain... make sure you're monitoring all of those email addresses.
Uh, no. Where's the FTC when I need it...
(It goes into detail claiming that you need to "state" your country of citizenship, but not that you need to "prove" your country of citizenship. An identity document is massively overreaching, IMHO. I never had to prove anything to get jrock.us, and if I have to, I will move the domain.)
Here's the people, i spoke with them on the phone: http://www.neustar.us
here is their first email in april 2011:
As you may be aware, in November 2001, the United States Department of Commerce ("DOC") selected NeuStar, Inc. ("NeuStar") to be the Administrator of the .US top-level domain ("usTLD"), the official top-level domain for the United States of America. As Administrator of the usTLD, NeuStar has agreed to perform random "spot checks" on registrations in the usTLD to endure that they comply with the usTLD Nexus Requirements which can be found at
http://www.neustar.us/content/download/2659/32865/ustld_nexu... ("Nexus Requirements").
Our records indicate that you are the registrant of the domain name CURI.US.
On April 28, 2011, this domain name was selected for Nexus revalidation and confirmation. According to the information you provided with your registration of this Domain Name, you indicated that you qualify under:
Category 1 - You are a US citizen or permanent resident
As part of our verification process, we ask that you provide to us by no later than ten (10) days after the date set forth above, a written response describing how you qualify under the above Nexus category.
In addition, please verify that the name-servers that you have selected to use are also physically located within the United States as required by the Nexus Requirements.
In some instances, we may request additional documentary evidence from you to demonstrate that you meet the Nexus requirements.
You should be aware that if you either (i) do not respond within the ten (10) days, or (ii) are unable to adequately explain or demonstrate through documentary evidence that you meet any of the Nexus Requirements, NeuStar may issue a finding that your entity or organization has failed to meet the Nexus Requirements. Upon such a finding, you will then be given a total of ten (10) days to cure the US Nexus deficiency. If you are able to demonstrate within ten (10) days that your entity or organization has remedied such deficiency, you will be allowed to keep the domain name. If, however, you either (i) do not respond within the ten (10) days of such a finding of noncompliance, or (ii) are unable to proffer evidence demonstration compliance with the Nexus Requirements, the domain name registration will be deleted from the registry database without refund, and the domain name will be placed into the list of available domain names.
Thank you for your cooperation in this matter. Please let us know if you have any questions.
.US Nexus Compliance
.US America's Internet Address
they got bored of trying to prove their identity and just said like "whatever, verify your identity or you'll lose your domain". i ended up phoning them with the number on the site with the invalid SSL certificate, getting the person i'd been emailing with, and she said i could black out the driver's license number on the photo. i ended up sending it that way. i think they were just stupid, not scammers. that was years ago and nothing bad has happened yet to my knowledge.
The mails they send out now look like this:
"As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months. When you switch to Domain Registry of America, you can take advantage of our best savings. Your registration for _______ will expire on _____.
You must renew your domain to retain exclusive rights to it on the web, and now is the time to transfer and renew your domain from your current registrar to the Domain Registry of America.
This notice is not a bill. (bold) It is rather an easy means of payment should you decide to switch your domain name registration to Domain Registry of America."
Followed by the pricing table and write-in order form. Still junk mail, but not falsely representing themselves as your current registrar.
I get these mails all the time too, and unfortunately I actually have to pay one of them. Some 12 years ago or so, I helped a neighbor who runs a local charity by creating a website for her annual event, pro bono. Even though she paid for the domain, the billing contact info was changed to my address (perhaps by her, when someone asked for a technical contact), and transferred to DROA. I don't live in that area anymore or have contact with this neighbor, and I'd rather not track her down with a bill nor let the domain of her charity expire, so I've been dutifully paying the marked-up DROA renewal every year.
But yes, they may have mentioned "this is not a bill", but if they did, the font was so small as to be unreadable. I knew it wasn't a bill because I knew that my domain was registered through someone else.
There is print that says "this is not a bill" about 6-10 sentences in, but is hardly discoverable without careful consideration. Considering the whole page is covered by text, most people would skim and think "oh shit I owe money don't I?!"
Some of the registrars I use have implemented this policy lately. Turns out it's a non-issue as long as your contact info is valid and up to date (which it should already be).
It doesn't conflict with whois privacy, either, contrary to all the FUD that gets spread around. Any whois privacy service that is worth the cost will forward the verification request to your real email address, and if it doesn't, you should switch to a better service. Using a crappy whois privacy service with no email forwarding is a surefire way to lose your domain anyway.
No, why should domains be required to attached to an individual person?
An email address is not an individual person.
This applies to domains that are already working. If you update your whois record and don't do this, it stops working.
Also, redemption isn't a scam, it's a fine to discourage people from making ridiculously late payment! You're given a 45 day window after a domain expires to pay for the renewal before the domain ends up in redemption, and registrars are required to send at least three separate reminder emails at specific intervals to tell you the domain is expiring or has expired. If you can't pay your bills within 45 days, ICANN, the registries, and the registrars aren't the problem: you're own incompetence is the problem.
Also, you don't own the domain, it's a lease. If you let a domain expire and a competitor snaps it up, that's on you, not the registrar. You can initiate UDRP actions to recover it, but it's your fault.
We can have many decentralized ways of registering and transferring domains. Namecoin is one, but how hard is it to decentralize the DNS database?
The system is centralized because the control over nations is centralized. It will remain that way so long as political power remains centralized. Particularly given the immense importance of the internet economy now to most major nations. The political powers that be are not about to let go of something so important. The domain name system is a huge point of control over national and global economics. If I were a standard issue politician, I'd make you pry it from my cold dead hands.
Until then, people could download a program or instructions that would add it, similarly to Google's DNS or OpenDNS
Except it would not use the regular DNS system on the back end, but supplement it with its own rules eg not taking a domain offline when registrars do.
Alternate DNS roots are just scams, as the intention is to extract more money so people have to protect their name by not only buying many TLDs in the real DNS, but in an extra one as well.
Its an interesting question; how do you decide who to trust?
And unlike the intended trigger for verification ("changes to contact information"), I didn't make any changes to my domain. Either a WHOIS cloak expired, or some other action by Namecheap triggered the verification step.
The subject line of those mails is: Important Notice Regarding Your Domain Name(s)
The new mails have a stronger subject line: IMMEDIATE VERIFICATION required for [domain]
Also, Namecheap is an eNom reseller, so you actually got that email from them, not Namecheap.
If you use a registrar's WHOIS privacy service, then the registrar still has the (supposedly) correct details and are simply masking them in WHOIS. There's no issue there. However, if you're not using the registrar's own WHOIS privacy service, then yeah, you're potentially opening yourself up to a world of pain, as (a) the domain is no longer actually registered to you in a manner verifiable to the registrar and (b) you might not be able to receive important notification emails that the registrar is required to send you (such as expiry notices).
I was about to drive out of cell range and got a text that client's site had some strange page displaying.
Unfortunately, they repoint the dns servers of the domain, and the client had the contact email mx records associated with same domain.
The actual site gets 'dns hikacked' by icann until you fill out a captcha on your site's new page and it emails the whois email account on record with the link.
Had to log into the registrar, luckily had the client's account info, changed the email, and got it verified.
That was 3am yesterday.
Says it takes 24 to 48 hours to updated, but it was only like 8.
Still, if you had an ecommerce site or conduct time-sensitive business via email, be careful.
Because, if you do not see the email, your site will be hijacked by ICANN.
The domain was suspended from DNS because you hadn't paid your renewal bill. The "strange page" was put up by your registrar to notify any visitors of this and to direct them towards their billing system. The idea is to effectively shame people into paying their bills in a timely manner. Your registrar would've sent you at least three different emails before and shortly after the domain's expiration including a notice of what would happen if you didn't pay on time. If you didn't receive these, then that's on you for not keeping your contact details up to date and correct, which you're required to under your registration contract, and which is why you get those emails out periodically asking that you verify that the details they have for you are correct.
If you don't pay your phone bills, electricity bills, rent, &c. on time, you'd expect the service to be removed. Why would domain names be any different?