Post GDPR gTLD Transfers

Update: 25-05-2018

The procedure below is now live as per the ICANN temporary spec. I observe that not every Registrar was aware of the below situation. If you cannot transfer out your domain name(s) advise the gaining registrar to stop parsing WHOIS data and trying to send FOA emails to the registrant or admin contact, this will no longer work.

 

The new procedure has been communicated last week by ICANN to all registrars. To view this communication click here,

 

 

As mentioned in a previous blog the WHOIS will change drastically over the next few weeks.

At the moment when you start a transfer through the API or domain manager, our system sends an FOA to the registrant or the admin contact based on our contractual ICANN requirements. Once the FOA has been approved by one of the above contacts the transfer is requested at the registry,

I and other colleagues at the ICANN Registrar Stakeholder Group (RrSG) discussed the issues and we came up with the following a solution, a solution that has strong support. More details about this solution and the letter to ICANN can be located here.

Transfer solution post-GDPR

We will no longer send the incoming FOA, the auth code is sufficient to request the transfer on a registry level.

The losing registrar will still be required to send the outgoing FOA, the registrant can agree or decline the request. If there is no response from the registrant the transfer will be processed automatically after 5-7 days unless the losing registrar not acknowledges the transfer and cancel the transfer on their side.

Domain names that are set to transfer prohibited will not be transferred, if your customer wishes to transfer in or out, the transfer lock needs to be removed prior to the transfer. We recommend setting your domain names to transfer prohibited and regularly change the auth-codes for the domain names under your management for security reasons.

The above-described transfer process should not be to complex for most resellers, as it works somewhat similar how the larger ccTLD registries operate.

Recommended domain name security reading

A Registrant’s Guide to Protecting Domain Name Registration Accounts a report from the ICANN Security and Stability Advisory Committee (SSAC)

SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle

Domain theft?

Though at first glance it seems the above changes might lead to more domain theft. This is counter mitigated due to the fact that the WHOIS info will no longer contain registrant data and email addresses. This info is usually an attack vector for hackers who steal domain names, with this attack factor no longer in play we expect to see fewer cases of domain theft.

Key transfer changes post GDPR summary.

  • Transfers will continue to require a valid authorization code; just like EU ccTLDs
  • The gaining registrar will no longer be required to send a Form of Authorisation (FOA) to the registrant, again most likely there is no WHOIS info to create one.
  • The losing registrar will continue to send an FOA (aka outgoing FOA) that allows the registrant or admin contact to ACK (acknowledge) or NACK (not acknowledge) the transfer;
  • If there is no action/response, the transfer will auto-ACK by the registry after five days from initiation of transfer;
  • Registration information will not be transferred as part of the IRTP-C, registrants will independently re-enter transfer information with the gaining registrar. This will include entering into a registration agreement with the new registrar as it is now.