[ NOTE: We will be posting a follow-up to address the many questions that have come up out of this. One thing we’ll mention now since it’s the most asked question: .CA domains are not affected by this (they already undergo a validation process by CIRA – more on that in the follow up) ]
easyDNS has met the automatic renewal requirements under our ICANN Registrar Accreditation Agreement and will thus renew into the 2013 RAA on June 23rd, 2015.
WHY THIS IS UNFORTUNATE
This means that as of June 23rd we will be subject to enforcing the new Whois Accuracy Program (WAP) which was enacted by ICANN earlier this year. All registrants of any domains under which easyDNS is directly accredited (.COM, .NET, .ORG .BIZ, and .INFO) will henceforth be subject to the WAP. (Note, all new GTLDs such as .website, .host and are handled through our OpenSRS Resellers tag and are thus already subject to the WAP).
WHAT IS THE WHOIS ACCURACY PROGRAM?
The Whois Accuracy Program (WAP) was created by ICANN, the body that oversees internet namespaces such as .com/.net/.org etc in co-operation with various Law Enforcement Agencies (LEA) in attempt to increase accuracy of data supplied in domain Whois records (see “What is a domain Whois record” below)
In this stage of the program what is required is that at certain specific points in a domain name’s life cycle, domain registrants must complete an action that attests to the accuracy of the data supplied in the Registrant data supplied.
Key domain lifecycle points or events that trigger the WAP are:
- Registration, renewal[1] or transfer of a domain name using a new (previously unverified) contact data.
- Modification of a domain’s Whois record to new values that are not previously verified.
- If an administrative email such as a renewal notice, or a Whois Data Reminder Policy (WDRP) bounces or is otherwise undeliverable.
In any of these case, a Whois Accuracy Program process is initialized which takes the form of sending emails to the Registrant (yes, this can mean sending this notice to the same address that bounced and started this process in the first place), requesting them to verify their Whois data:
This normally takes the form of visiting a web page that displays the current Registrant data for a domain, and clicking on a button that asserts that the information is true and accurate:
The initialization of this process commences a time limited process (we refer to this process internally as the “Domain DOOMSDAY CLOCK”, which is 15 days in length.
YOUR DOMAIN WILL CEASE FUNCTIONING IF YOU FAIL TO CONFIRM YOUR DATA
If the Whois data remains unverified after 15 days, the Registrar must suspend the domain, causing it to cease resolving over the internet, until such time as it can verified.
THIS IS NOT A SICK JOKE
This is a real policy, enacted by ICANN, which binds all domain registrars accredited under the 2013 RAA. Many Registrars are already operating under it, and there are already numerous horror stories in which high profile, super busy domains have been shut off and ceased operating because of failure to comply with this policy.
IT IS IMPORTANT FOR ALL EASYDNS MEMBERS TO BE AWARE OF THE FOLLOWING:
After June 23, 2015 whenever one of your domains hits an event outlined above, you will be receiving an email notice from us asking you to “Click this link to verify your Whois data”. Even though it looks like an obvious phishing attempt, it isn’t.
THANK ICANN
You can thank ICANN for this policy, because if it were up to us, and you tasked us with coming up with the most idiotic, damaging, phish-friendy, disaster prone policy that accomplishes less than nothing and is utterly pointless, I question whether we would have been able to pull it off at this level. We’re simply out of our league here.
Follow Up Questions:
What is a domain’s Whois Record?
You may not be aware of this but every time you register a domain name your registration details (name, address, email, phone, fax) must be entered in the relevant registries “Whois Database”, which is a publicly accessible database and those details are visible by anybody.
For examples see http://www.easywhois.com which is our web based gateway to any whois database in the world.
What if I use Whois Privacy / MyPrivacy For my Domain Records?
If you use Whois Privacy, you will still have to confirm your underlying Registrant data – even though your public Whois records will be those of the privacy proxy.
Endnotes
[1] It’s since been pointed out to me that renewals don’t trigger WAPs. Renewals were in the original specification but the Registrars Stakeholder Group managed to get it taken out.
Is there some way we can be proactive about this? Your details are leaving me living in fear that I or my spam filters will miss a notice. Can I simply go to all my domains and pre-verify them at the end of June, and then whenever I think a trigger event might have occurred? I fear the answer is no, but if it were "yes" you could do a wonderful service for your customers by allowing us to opt-in to a set of calendar reminders in the individualized iCal calendar you already publish reminding us of domain renewals.
Hi This is awful, and how secure will the information we are forced to give be, and who is responceable if there is a breach of security and who will be responceable for any consequences? Ged
You guys are the best. Keep up the good work.
Thank you for underscoring the importance of following this annoying new policy (which sounds like something someone with poor understanding of the mechanisms involved believes will help). I wonder if there is some way you could roll this verification into the renewal process in a manner compliant with the new guidelines?
I travel frequently and often will have no internet access. If I don't verify within 15 days and my domain is suspended will it also be open being taken over by someone else?
This scares me greatly – as you point out how can I trust that the email to confirm my 'data' is even real. Up to now I've just ignored these emails….
And I've run into much trouble in the past when the need to update the information on the records occurred – and I was listed as the Admin, Billing and Tech contact on the domain, I resisted and paid for the domain! So I can only imagine how things will become now.
Thanks for letting me know of these upcoming changes, you guys are the best.
15 days is pretty short. I may be moving in the near future (not /too/ near, though) and I can easily see where it could take a couple of weeks before internet access at our new digs is up and the email server is running smoothly. (Well, the servers would be up pretty quickly. The delay in having stable email access depends on AT&T.)
Will it possible to specify two email addresses where these WAP notices could be sent? Say a second address at gmail.com not dependent on my EasyDNS domains?
1. Thanks for the info
2. Can you please clarify: who is sending the verification email? whois or you (easydns)?
3. Can you let me/us know the exact subject line that will be used? So we can filter for it and the email will not ending up in the spam/scams… folders
Thanks
Syv
I assume it is still fine to use myprivacy.ca for email address shielding, is that true?
2 questions:
1. I assume the .ca domain does not apply to these new rules?
2. do you or ICANN send to more than 1 email address, for example, a backup in case 1 of them gets caught in the spam folder? (I assume you'll send more than 1 warning if not rec'd within a certain # of days before the 15 days is up, i.e. no surprises)
Ernie Vance wrote:
>1. I assume the .ca domain does not apply to these new rules?
I am also hoping .ca will not be affected by this as I can think
of numerous times in the past I've went more than 15 days without
checking my E-mail and my 2 most important domain names are a .ca.
Also since only us Canadians (for the most part) are officially
eligible for .ca names I'd like to expand that question to cover
other country code TLDs you offer. If all the ccTLDs are
unaffected this might be a reason for people registering new
domain names to go with a ccTLD rather than a generic TLD where
possible.
So are all ccTLDs safe? Or if only some which ones?
While this doesn't help the problem at large, I have an idea that might at least help your customers in this situation. If you digitally sign the email notification that contains the link, that provides customers a way to verify that it's not a phishing attempt. While it does require that users have a public key encryption system installed, I'm of the opinion that everyone should have one installed anyway.
At the risk of being accused of blaming the victims, I'll point out that it's really foolish to have one's WHOIS contact emails set to addresses in the same domain as the one that WHOIS record is for. That just sets you up for all sorts of potential trouble if something happens to your domain (or your domain host) that breaks the domain's DNS chain.
I'm very much not trying to blame those who've been hit by this problem; the blame falls to ICANN for implementing such a poorly-thought-out policy. But a DNS breakage from a genuine attack is just as fatal as one from ICANN's policy, and the risks of both can be reduced by setting your contact emails to something outside of the domain in question.
One of the commenters on your other linked post (from when the policy was announced last year) mentioned having to create a Gmail account just to resolve the problem. Sure, that's a hardship after the fact, but there's little harm in proactively creating a Gmail account solely for the purpose of WHOIS contact. Combine that with a WHOIS privacy proxy and it's unlikely that any spammer or phisher will ever get that address on one of their lists, provided one uses it ONLY for WHOIS contacts.
The great irony here is that taking steps to prevent it by changing one's WHOIS contact info will trigger the very same "verification" process that one is trying to avoid (unless one makes the change before the implementation date). Yet more evidence that ICANN didn't properly consider the ramifications of this policy.
I do have a question about how you will be implementing this policy. In the event that a domain held through easyDNS needs Verification, what email address(es) will be sent the notification? Will it be only the WHOIS admin contact, all the WHOIS contacts, or all the contact emails on the registrant's easyDNS account? Or something else I haven't even thought of?
Many customers struggle with basic email tasks. Having to use another program to verify emails would be horrendous if it wasn't 100% automated. I've never bothered using a public key myself. But I'm an expert and can tell if something is suspect. But, customers will be lost if it gets more complicated than "Click this 1 thing to check your emails!" 🙂 For more advanced people, this would be no problem… and is a good idea.
Thank you Mark, for your diligence. I am always concerned about personal privacy and trust that this new procedure won't be intrusive. I have had a gmail account for several years and will make sure I modify my EasyDNS contact information to include it in case a notification gets bounced. Like others who have commented above, I try to keep my computer secure and am always worried that some of my security programs will block something (in this case, a notification).
Your email and the information you have sent will help keep me alert. From our side, we don't often have an opportunity to acknowledge the service you and your staff provide. Thank you!
Kind regards,
Donna Bond
Yo easyDNS, be cool and answer the questions, PLEASE.
Can you say block chain DNS?
From the page at https://www.icann.org/resources/pages/accountability/ombudsman-en, I found that we can "Contact the Ombudsman at ombudsman@icann.org or chris.lahatte@icann.org or on the Complaint Page by completing the form at https://omb.icann.org/portal/complaint.php".
It might be a good idea to read the page first. The ICANN Ombudsman has jurisdiction over complaints about:
Things done (or not done) by one or more members of ICANN staff Board or an ICANN constituent body.
Things done (or not done) by the Board of Directors which may be inconsistent with the Articles or the Bylaws.
It seems safe to assume that the creation of the WAP falls under the jurisdiction of the ombudsman. Since it does invite phishing and degrades security by putting up false blockades ("Please lie to use officially, if you want to lie to the world"), I believe it is violation of one or more of "established ICANN policy(ies)" as described under "Reconsideration Process" paragraph (a) at https://www.icann.org/resources/pages/mechanisms-2014-03-20-en.
Furthermore, at http://archive.icann.org/en/accountability/frameworks-principles/public-sphere.htm#duecourse you can find a list of things ICANN publishes, and it might behoove us all to create our own publication space (website – maybe easydns Can set it up if there isn't already one) in which discussion about all the ways in which it is "idiotic, damaging, phish-friendy, and disaster prone." I clicked on the "Board Meeting Transcripts, Minutes and Resolutions" link (http://archive.icann.org/en/minutes/) and it returned a "Page Not Found" page.
Recently i saw that one of our biggest website is not active. Then we saw that it is stopped (suspended) by publicdomainregistry.com because they received notice from someone that our domain is not registered to a real person. I saw that they sand us email 2 days ago, that we need to verify our domain in the next 48 hours or the domain will be suspended.
They asked for:
1. Purpose of Registration of the domain name.
2. Company Registration Details or Proof of Incorporation.
3. Photo Identification proof of Registrant on record.
4. Address proof such as Utility bills (Telephone/ Electricity) etc.,
I wrote them in next 2 hours with the real registrant information and all documents, because we bought this domain recently and the owner was old.
The support of publicdomainregistry.com is HORRIBLE. DO NOT USE THEM. If you have any domains there.. transfer them as quick as possible.
They left our domain suspended for 5 days.. we lost our seo optimization, our clients and we lost about 5 000 dollars but they don't give a S*IT.
So what i wanted to say is that the 15 days period for activating your domain can be 2 days period if someone send email to the registrator that you are not the actual owner of this domain.
This is the reason i choose easyDNS.. because friends told me that they have better and faster support (faster than 5 days) but my question is:
Will easyDNS suspend domains if they receive notification from someone (lawyer for example) that i am not the exact owner of this domain, even if my email is verified.
These policies are a direct attack on websites used for spoofing, hacking, hate sites, and illegal porn. I can see some benefit, but only 15 days seems insane. I can't tell you how many times I've missed an email just because of the volume I receive. Thank you.
Of course this policy was put in place by bureaucrats that have never run a website. Dilbert Moment coming in next 6 months.
There are two ways to trigger the suspending the registration – when owner provides contact info, or if email bounces during ICANN's Whois Data Reminder Policy.
The first is easily avoided by verifying new contact information BEFORE permitting changes to current contact info (or before accepting a new registration), as permitted by section 3 of WHOIS ACCURACY PROGRAM SPECIFICATION. Design the workflow so the contact cannot proceed without verifying contact info BEFORE the registrar commits the change, and the registrar never has to start the 15 day verify-or-suspend process.
The second happens when the contact method is out-of-service during ICANN Reminder process or other notifications: an email is bounced or a phone does not ring. If this continues 15 days, Mark Jeffovic suggests the registration will be suspended, but there is another option permitted in 1(f): "Registrar shall either verify the applicable contact information manually or suspend the registration". Both start AFTER the 15 days.
It does not specify how to verify manually.
It does not specify a max time for manual verification.
Section 1(f)2.B does permit postal mail to be used, and so a reasonable policy might allow time for Canada post, mailroom handling, action, and postal response – for instance another couple weeks.
Alternatively, the Contact could have provided the registrar a means to "verify manually", for instance alternative contact info used only for manual verification (that is not to be published in WHOIS).
To avoid triggering Section 4 action (bounced emails), the Registrar should avoid sending registration-related emails, and avoid using the contact email in section 1. A way to do this is to provide a second email field for non-ICANN-notification email (the web page would automatically populate this with the ICANN-WHOIS content, but allow changes). Should the Registrar get a bounced email from say a newsletter or renewal reminder using this different email, it does not trigger Section 4 action.
Mark
As always, you have communicated well. I'm sure everyone recognizes that this has been imposed on you, as it has on us users.
Pity that ICANN is taking this route. Hopefully, down the road, good sense will prevail and stupidity will be removed from this process.
Appreciate your efforts in this regard.
ICANN requires the e-mail, but is it possible to add a link to the verification page to the domain's WHOIS information page? That way when I receive the e-mail I could ignore the link in the e-mail, log in to easyDNS and check on the domain to see if it required verification. That would comply with ICANN's requirement without exposing users to the risk of a phishing attempt.
I hope easyDNS implements this idea, to not have to click the link in an email.