Monday, September 29, 2014

How not to Transfer Your Domains Between Registrars

UPDATE IV - Dec 2018 - Four years on from my original debacle I've given Gandi another shot. The main reason being that I've bought a pair of FIDO U2F keys and have managed to drop all TOTP sites. Gandi is one of the few registrars to offer U2F support and I was really unimpressed with Hover support's reply when I asked about it. Gandi also seems to be very well respected amongst people that I respect.

The good news is that Gandi appears to have seen sense and has overhauled their system to allow an account to use a different email address to the domains that it manages. Having said that I wasn't taking any risks this time and made sure all the owner info matched up with the Gandi account.

The small hitch with the transfer this time seemed to be at the Hover/Tucows end, as I only received their Transfer Away email after manually prompting their support, and then I found the email to be rather misleadingly worded. Reading the description below would you expect to be able to confirm the transfer to proceed immediately at the linked page?



Original post:

TL;DR: i) Before transferring your domains to a new registrar Gandi.net make sure every single piece of contact information on them is EXACTLY the same. ii) I can't recommend Gandi.net.

I own several domains, one of which I use for my primary email address. A while ago I read Naoki Hiroshima's account of being held to ransom due to someone taking over the domain he used for his primary email address. At the time I contacted my registrars to ask what security measures they had in place to make sure this wouldn't happen to me (not that I think I have much of value to steal). Their replies didn't fill me with confidence. More recently I read of a registrar that can enforce two step authentication on accounts, Gandi.net. I decided to take the plunge and initiated the transfer of my two .co.uk domains (free), three .com domains (£8.63 each) and one .it domain (£9.20) to Gandi.net.

The .co.uk domains transferred very quickly, apparently without issue, however I noticed that the "owners" of the two domains were two different accounts to the one I was currently logged in as. Upon contacting Gandi they told me that because my details were slightly different for each of the two domains and for the administrative/technical contacts three accounts had been created. I could have used the two owner accounts and ditched the admin/tech account, but that was the account that I had also requested the .it and .com domains be transferred to. Gandi told me that to transfer the domains between accounts I would effectively be changing the owner of the domain. So I initiated the process to transfer the two domains to my main account, which would apparently cost me £4.60 per domain, not too expensive, and hopefully they'd be renewed in the process. But after following their instructions I was further notified that I would need to initiate the transfer with Nominet and pay them a further fee of £12 per domain. Considering I wasn't even transferring the domains between people I felt this was getting a bit ridiculous and gave up.

After three days I was notified that there had been an error transferring the .it domain. Gandi's wiki said that the error message meant that my previous registrar had blocked the transfer, so I contacted Livetodot. Livetodot said that the domain had been successfully transferred away from them and pointed out that the whois record even specifically said so. So I went back to Gandi. Another day later I got an email confirmation from Gandi saying that the domain transfer was complete, but gave no explanation as to what had gone wrong. During this period DNS had been failing on my domain for at least three days. It was at this point that I realised how stupid it was to use my primary email address on the domain that my primary email address uses, and I started to get nervous. While the .it transfer had now been successful, the domain owner apparently didn't exactly match any of my three Gandi accounts and so a fourth account had been created and marked as owner.

Luckily my three .com domains, including my primary email domain, eventually transferred without incident, and with the original Gandi account as the owner. I can now use this account as a central account to administer all of my domains as it is at least the technical contact for all my accounts. However I now have another issue besides the four accounts. As I said above I think it's stupid to have the contact email address of a domain using that same domain, so I would like to change the email address on just that domain. However Gandi's system doesn't seem to allow for that, only allowing one account to have one email address, so to change the email address for one of my .com domains I have to change it for all the domains owned by that account.

All in all I don't think I can recommend Gandi.net. Their system seems to be based on the incorrect assumption that each account is a different entity and each entity will only have one email address. I also wonder if other registrars (and why Gandi doesn't) just recognise an email address as a unique identifier and not worry if other details are slightly different.

Having done a bit more research there are other registrars that can do two step authentication, including Hover and EuroDNS. Reading Naoki Hiroshima's post again I notice that the hacker actually recommended NameCheap and eNom as secure registrars, although that information is a bit dated now and besides, I'm not sure if we should trust a hacker.

UPDATE: When I was initially thinking of going through with transferring the .co.uk domains to a single account I created an account with Nominet and I seem to remember being able to see both of my domains, but now I can only see one. Nominet and Gandi both say that this is because the two domains have different email addresses on the owner contact, but in the Gandi control panel they both look the same to me.

UPDATE II: After getting pretty much nowhere with their support I emailed their batline, nobullshit(at)gandi.net. Coincidentally or not the very same day their support agreed to transfer my .co.uk domains to my central account if I were to change my email address at Nominet. Nominet let you change your email address without any sort of confirmation with the old email address or the new email address, something that I pointed out to them was likely to get domains lost or stolen. A week later my domains still haven't been transferred. I also got a direct reply from Gandi's COO and "Chief Evangelist". Unfortunately this email confirms that their "no bullshit" tag line is just that, bullshit.

UPDATE III - Sept 2015 - A year on my renewals have come up again and I decided to put my money where my mouth is and join Hover. So far the move has been a joy by comparison and the transfer has worked the way that I would expect, you create one account and transfer your domains to that account. The one gotcha being that they don't automatically update your domains to use their DNS servers.