Domain Transfer, WHOIS Privacy, DNSSEC, and the Absence of Push-ups

yoursunny Member, IPv6 Advocate

This article is originally published on yoursunny.com blog https://yoursunny.com/t/2022/ndn-today-domain-transfer/

Annual Domain Transfer for Profit

Since my first domain name in 2006, I have purchased several domain names for my various websites.
A few years ago, I discovered a secret in the domain registration business: many registrars offer a cheaper price for domain transfer than domain renewal, as a means to attract new customers.
Therefore, if I transfer my domain every year to a different registrar, I would pay less than renewing the domain at the same registrar.

DNS services for a domain used to be associated with the registrar.
When I transfer a domain away, the DNS server of the old registrar would stop responding to queries regarding my domain, and the DNS server of the new registrar does not yet have any records about the IP addresses of my web server.
Therefore, a domain transfer would usually cause the website to become inaccessible for a day or two.
Typically, I post a tweet when a domain transfer is about to happen, so that my readers could know why my website is down.

Nowadays, I'm using Cloudflare DNS for most of my domains.
Cloudflare's DNS servers are independent from the domain registrar, so my website continues to resolve correctly throughout a domain transfer, as long as neither registrar modifies the name server delegation records.
In case the new registrar automatically updates the delegation records to its own DNS servers, I have to quickly log in to the control panel and change them back to Cloudflare, which then causes a brief downtime of the website.
Having done so for many years, I am accustomed to this process.

Transfer of ndn.today

I registered ndn.today domain name in 2020, to host several of my personal projects related to Named Data Networking, which include the popular NDN push-ups page.
Later that year, I transferred this domain from NameCheap to Porkbun.
After entering the Auth-Code at the new registrar and accepting the transfer request at the old registrar, the domain moved over, and Cloudflare continued to resolve the domain so that there was no website downtime.

Many domain registrars offer free WHOIS privacy services, which conceal my name, street address, and email from the public WHOIS database.
I do not consider WHOIS privacy essential because my information is public, but I kept it enabled so that I could receive fewer spam emails.
During the above domain transfer, WHOIS information changed from Withheld for Privacy ehf to Private by Design, LLC, which are the WHOIS privacy services of NameCheap and Porkbun respectively.
Despite the change, I am still the domain owner as recorded in the registrar's control panel.

Fast forward to March 30, 2022, it's less than two months before the expiration date of ndn.today, so it's time to yo-yo the domain again.
Tldes.com indicates that one.com has the cheapest domain transfer offer for .today at $2.22, and they are an IANA-accredited registrar.
Following the usual procedure, I unlocked the domain, entered the Auth-Code, paid the invoice, and accepted the transfer request.
The domain moved over, and I went to bed.

The next morning, I received an alert:

Hi,

The monitor web RSpec (https://rspec.ndn.today) is currently DOWN (Connection Timeout).

UptimeRobot will alert you when it is back up.

Usually, such an alert indicates a problem with the hosting server.
I SSH'ed into the server, but did not find any issues.
Since I was busy with coding that day, I ignored the alert thinking it would resolve by itself in a few hours.

In the evening of March 31, I recalled this UptimeRobot alert, and discovered that I could not open the NDN push-ups website anymore.

This site can't be reached. pushups.ndn.today's server IP address could not be found. Try: Checking the connection. ERR_NAME_NOT_RESOLVED

I started to realize, the alert was caused by a DNS problem, not a server issue.
I queried the domain with two online WHOIS lookup tools, one shows the name server delegation to be Cloudflare as expected, the other one shows:

Updated Date: 2022-03-31T13:03:53Z
Creation Date: 2020-05-25T19:09:17Z
Registry Expiry Date: 2023-05-25T19:09:17Z
Registrar: One.com A/S
Registrar IANA ID: 1462
Domain Status: transferPeriod https://icann.org/epp#transferPeriod
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Private by Design, LLC
Name Server: ns01.one.com
Name Server: ns02.one.com
DNSSEC: signedDelegation

Apparently, one.com automatically changed the name server delegation to their own.
Since I haven't entered any DNS records in one.com DNS control panel, their DNS server cannot resolve my website IP address.

Domain Owner: Private by Design, LLC

I haven't encountered an automatic name server update since 2014, but I know how to deal with it: log in to the new registrar's control panel, and change the name server back to Cloudflare.
I filled up the form, clicked submit, and then received a message:

You have name server changes pending approval.
A request has been sent to the registrant of the domain for approval.
If not approved within three days, the request will fail.

Looking through my email inbox, I received nothing.
After poking around, I found the issue: according to one.com, the domain is now owned by Private by Design, LLC, Porkbun's WHOIS privacy service.
Therefore, they sent the request to [email protected], but I have no way to access that mailbox.

I attempted to modify the domain contact.
However, that form also triggers an automated email to [email protected] that I cannot access.
I contacted Porkbun chat support, and they told me the validation code contained in one of the emails.
I submitted this validation code at one.com, but it did not allow me to immediately update the domain contact.

Road to Recovery

One.com is the current registrar and they have the authority and responsibility to resolve the problem.
I contacted their chat support, Support Robot gave a 7-minute estimate for a support agent, but nobody picked up after 15 minutes.
I tried again after a few hours and got to someone, who asked me to fill up a general owner change PDF form and submit by email.
Seeing that the form should be accompanied by a photo ID such as my driver's license, I felt uneasy to send sensitive documents via unencrypted email.
Upon raising my concern, the support agent Angel said that I can also use the ticket system, much better!

I prepared and signed the form, scanned my driver's license, and submitted both via the ticket system.
The same Angel replied to the ticket, saying that she's going to forward the form to their Hostmasters, who would process the form within 24 hours.
Sigh.

The next morning, on April 1, I received another email:

Owner details update for domain ndn.today

We have declined your request of Mar 31, 2022 to update the owner details for your domain ndn.today.

I started to panic PMS: I submitted the PDF form according to instructions, and why is it declined?
A different chat support agent checked the status of my ticket, and assured me that the PDF form is still being processed, and the decline message came from my earlier attempt in the control panel.

DNSSEC Thwarts the Temporary Measure

As I'm waiting for the hostmaster to process the "owner change", I thought about a temporary solution: I can enter server IP addresses in the control panel, so that one.com DNS server could resolve the records.
I have been using Cloudflare CDN for some of my sites under this domain, mainly for the convenience of TLS termination.
Moving them off the CDN means that I have to do TLS termination on my own server, but I'm experienced with this: Caddy server has automatic TLS and can obtain certificates automatically.

I inserted A and AAAA records in one.com DNS control panel, and configured reverse proxies in the Caddyfile:

https://pushups.ndn.today {
  reverse_proxy https://pushups.netlify.app
}

Certificate Transparency notifications started rolling in, suggesting that my reverse proxy has successfully obtained TLS certificates for the subdomains.
I couldn't access the websites myself at that time, but I'm confident that DNS propagation delay would eventually resolve itself.
Certificates are issued by ZeroSSL instead of the usual Let's Encrypt, but it's not a matter of concern.

It's now April 2, two days after the initial UptimeRobot alert, I still cannot access my websites.
I queried my domain on DNS lookup & Propagation Check, and it gave mixed results: some DNS servers can resolve the domain and some cannot.
While DNS does have negative caching, such caching is normally short-lived, so DNS caching cannot be the only thing to blame.

[Image: worldwide DNS propagation map, 5 green ticks and 14 red crosses]

The reason of failed DNS resolution lies in DNSSEC.
Following a recommendation from Cloudflare, I enabled DNSSEC for my domain, so that unauthorized DNS servers cannot respond to queries with bogus responses.
Setting up DNSSEC is a two-step process:

  1. Cloudflare DNS server generated a signing key pair, and would use it to sign every response under my domain.
  2. Using a form on the Porkbun control panel, I submitted the digest of the public key to the .today registry, in what's called a DS record.

When a DNS resolver receives the DS record, it retrieves the public key (the DNSKEY record) from the delegated name server (i.e. Cloudflare), checks that the public key matches the digest in the DS record, and verifies that the records are signed (RRSIG) by this key.
Right now, the name server delegation points to ns01.one.com, but the DS record still contains the digest of Cloudflare's public key.
Since one.com does not hold the corresponding private key, it cannot produce a valid signature, and it does not even serve a DNSKEY matching the DS record.
Consequently, validating DNS resolvers reject its responses and refuse to resolve my domain.

VeriSign Labs DNSSEC Analyzer confirms my suspicion:

Found 1 DS records for ndn.today in the today zone; No DNSKEY records found; ns01.one.com is authoritative for pushups.ndn.today; No RRSIGs found

Not every DNS resolver validates DNSSEC signatures, which explains why some DNS servers can resolve the domain and some cannot.
I checked Caddy server logs, and it suggests that Let's Encrypt could not issue certificates due to DNS resolution failure, so that Caddy automatically switched to ZeroSSL as a fallback.
This implies that Let's Encrypt is using a DNSSEC-validating resolver, while ZeroSSL is using a non-validating resolver.

Now, my domain is in limbo.
If a viewer is using a non-validating DNS resolver, they can visit my website and see my push-ups.
If a viewer is using a DNSSEC-validating resolver, there would be no push-ups for them.

Summary & To Be Continued

I regularly transfer domains between registrars to take advantage of lower pricing.
This time, I transferred a domain from Porkbun to one.com without disabling WHOIS privacy service.
The new registrar considered Private by Design, LLC, Porkbun's WHOIS privacy service, to be the domain owner, and restricted me from accessing most features in the control panel.
Paperwork for re-assigning the domain owner to me is still being processed after two days.

The new registrar automatically changed name server delegation to their own.
I inserted DNS records to one.com DNS server as a temporary measure, but these records are being rejected by DNSSEC-validating resolvers because one.com does not possess the signing keys.
Consequently, ndn.today domain has been inaccessible for three days and counting, and half of the world population is unable to watch my push-ups.
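The DNSSEC failure the post describes (a DS record at the .today registry that no longer matches any DNSKEY served by the delegated name servers), modelled as an added example: this is not code from the post or from Cloudflare, one.com or Porkbun, and the key bytes, the DS value and the "no DNSKEY at ns01.one.com" scenario are constructed, not ndn.today's real records.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (Secure Entry Point bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 13 = ECDSAP256SHA256, the algorithm Cloudflare signs with
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(key: DNSKEY) -> int:
    """16-bit key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(key.rdata()):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """DS the registrar publishes at the parent: SHA-256(owner name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    digest = hashlib.sha256(owner_name_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)

def classify_delegation(owner: str, ds_set: List[DS], dnskey_set: List[DNSKEY]) -> str:
    """'insecure' = no DS at the parent; 'secure' = a DS matches a served DNSKEY;
    'bogus' = DS present but no served DNSKEY matches it (validating resolvers SERVFAIL)."""
    if not ds_set:
        return "insecure"
    for ds in ds_set:
        for key in dnskey_set:
            if key.algorithm != ds.algorithm or key_tag(key) != ds.key_tag:
                continue  # cheap pre-filter before hashing, as resolvers do
            if ds_from_dnskey(owner, key).digest == ds.digest:
                return "secure"
    return "bogus"

def resolver_outcome(validating: bool, status: str) -> str:
    """Why a validating resolver (Let's Encrypt) failed while a non-validating one (ZeroSSL) got an answer."""
    if validating and status == "bogus":
        return "SERVFAIL"
    return "answer"

ZONE = "ndn.today"
# Constructed placeholder key bytes, not a real key (a real P-256 public key is also 64 bytes).
CLOUDFLARE_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
DS_AT_REGISTRY = [ds_from_dnskey(ZONE, CLOUDFLARE_KSK)]  # what Porkbun submitted to .today

def before_transfer() -> str:
    """Delegation at Cloudflare, which serves the DNSKEY the DS was derived from."""
    return classify_delegation(ZONE, DS_AT_REGISTRY, [CLOUDFLARE_KSK])

def after_transfer() -> str:
    """Delegation moved to ns01.one.com, which serves no DNSKEY at all."""
    return classify_delegation(ZONE, DS_AT_REGISTRY, [])
```

The same check applied to a different KSK (a registrar generating its own keys without updating the DS) also yields "bogus", which is why either the DS must be removed or updated before the delegation moves.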

Comments

  • Boogeyman Member
    edited April 2022

    Complete disaster!

    @yoursunny said: Certificates are issued by ZeroSSL instead of the usual Let's Encrypt, but it's not a matter of concern.

    AFAIK ZeroSSL was acquired by Sectigo, aka Comodo.

    After GDPR registrars can no longer get any information about any admin(tech,billing,registrant,admin). So listed privacy provider is the actual registrant!

    My rule about registrars that change nameserver automatically is to add them in my naughty list.

  • yoursunny Member, IPv6 Advocate

    @Boogeyman said: After GDPR registrars can no longer get any information about any admin(tech,billing,registrant,admin). So listed privacy provider is the actual registrant!

    In other transfers that I performed within past two years, the new registrar would let me enter the domain owner and contact information as part of the ordering process.
    As soon as the domain is transferred into the new registrar, the information I entered becomes the owner.

    One.com is the only registrar I encountered that adopts whatever displayed in WHOIS as the domain owner and contact, and restricts me from editing it directly in the control panel.

    Thanked by 1Not_Oles
  • nfn Veteran
    edited April 2022

    Nothing like an AAAAAA IPv9 address: 2022::dead:beef/69

    Strong men don't use DNS 💪

  • @yoursunny said: In other transfers that I performed within past two years, the new registrar would let me enter the domain owner and contact information as part of the ordering process.
    As soon as the domain is transferred into the new registrar, the information I entered becomes the owner.

    Yes. The user has to intervene in these cases. With some registrars I found they would auto-assign my current billing details, and for others I would have to create a default profile.

    But changing the nameserver is a big red flag for me. They can change my MX and sniff my mails, do phishing and all sorts of stuff, and can even impersonate me.

    Thanked by 1yoursunny
  • jahrinc Member
    edited April 2022

    Too much hassle to save $14

  • yoursunny Member, IPv6 Advocate

    @jahrinc said:
    Too much hassle to save $14

    CheapClub is a weird place.
    We can spend $30 on lunch, but want to squeeze $5/year on a server or a domain.

    See also: three rules of CheapClub by @jmaxwell

  • Not_Oles Moderator, Patron Provider

    @yoursunny said:

    @Boogeyman said: After GDPR registrars can no longer get any information about any admin(tech,billing,registrant,admin). So listed privacy provider is the actual registrant!

    In other transfers that I performed within past two years, the new registrar would let me enter the domain owner and contact information as part of the ordering process.
    As soon as the domain is transferred into the new registrar, the information I entered becomes the owner.

    One.com is the only registrar I encountered that adopts whatever displayed in WHOIS as the domain owner and contact, and restricts me from editing it directly in the control panel.

    Reading this makes me think of removing the privacy protection for my domains. Without privacy protection the old and the new ownership data would remain the same instead of changing from Privacy Something, LLC to Corporation for Something Privacy, Inc.

    I liked whois in the old days. It was fun to see who owned the sites. Well, I like a lot of stuff from the old days. :)

    I look forward to @yoursunny's push-up videos becoming again reachable world wide very soon!

    Best wishes from Mexico! 🌎🌍

    Thanked by 1yoursunny
  • I think Namecheap is best; also, one should not move domains just to save a few dollars. And you are tweeting etc. so that users know why your website is down; well, if you have such a big user base that they need to be notified, then it means you will be earning a lot, so then I guess why would you be saving a few dollars on these silly transfers?

  • Swiftnode Member, Host Rep

    Cloudflare is also a registrar now, and they offer domains at wholesale prices, and security wise I just don't trust any of the other large registrars. (Godaddy, network solutions, etc)

  • rm_ IPv6 Advocate, Veteran

    @Not_Oles said: Reading this makes me think of removing the privacy protection for my domains. Without privacy protection the old and the new ownership data would remain the same instead of changing from Privacy Something, LLC to Corporation for Something Privacy, Inc.

    I liked whois in the old days. It was fun to see who owned the sites. Well, I like a lot of stuff from the old days.

    Too many weirdos got onto the Internet since then; there is little to no benefit in letting them all know your phone or physical address.

    Thanked by 1Not_Oles
  • dosai Member

    @Not_Oles said:

    Reading this makes me think of removing the privacy protection for my domains. Without privacy protection the old and the new ownership data would remain the same instead of changing from Privacy Something, LLC to Corporation for Something Privacy, Inc.

    I liked whois in the old days. It was fun to see who owned the sites. Well, I like a lot of stuff from the old days. :)

    Do it for metalvps 👀

    Thanked by 2Not_Oles yoursunny
  • I wonder how Frantech is coming along with Namecrane?

  • yoursunny Member, IPv6 Advocate

    @zcorps said:
    i think namecheap is best

    Maybe.
    I have their shirt.

    should not move domains just to save few dollars

    Saving from this transfer was $14.46.
    If this saving is unimportant, why do people PMS when they miss a VPS deal that saves less than this amount?

    you twitting etc so that users knows why your website is down , well if you have such big user based that they need to be notified then it mean u will be earning a lot

    My push-ups site has more viewers and fewer servers than this guy:

    30 nodes

    There's no advertisement so there's no earning.
    It's all about fame and glory.

    @Swiftnode said:
    Cloudflare is also a registrar now, and they offer domains at wholesale prices

    Yes, but the price I got this time is cheaper than Cloudflare Registrar.

    Thanked by 1ralf
  • interested in the push-ups

    Thanked by 1yoursunny
  • @yoursunny said:

    @jahrinc said:
    Too much hassle to save $14

    CheapClub is a weird place.
    We can spend $30 on lunch, but want to squeeze $5/year on a server or a domain.

    See also: three rules of CheapClub by @jmaxwell

    You need to leave the government sector and go private sector making a couple hundred K a year and then when you have no time, you'll never think of sinking hours of your time to save $10. On second thought, I take that back. You're hardcore into the push-ups.

    I thought it was funny that www.cs.arizona.edu was blocked by nextdns for being on an NSABlockList.

  • @Not_Oles said:

    @yoursunny said:

    @Boogeyman said: After GDPR registrars can no longer get any information about any admin(tech,billing,registrant,admin). So listed privacy provider is the actual registrant!

    In other transfers that I performed within past two years, the new registrar would let me enter the domain owner and contact information as part of the ordering process.
    As soon as the domain is transferred into the new registrar, the information I entered becomes the owner.

    One.com is the only registrar I encountered that adopts whatever displayed in WHOIS as the domain owner and contact, and restricts me from editing it directly in the control panel.

    Reading this makes me think of removing the privacy protection for my domains. Without privacy protection the old and the new ownership data would remain the same instead of changing from Privacy Something, LLC to Corporation for Something Privacy, Inc.

    I liked whois in the old days. It was fun to see who owned the sites. Well, I like a lot of stuff from the old days. :)

    I look forward to @yoursunny's push-up videos becoming again reachable world wide very soon!

    Best wishes from Mexico! 🌎🌍

    Actually, no, it should have been to just pay the renewal fee and let the registrar make a few pennies. This story showed that even without the privacy, they fucked with the nameservers causing downtime, regardless.

    It's not sustainable to keep transferring and getting subsidized by the registrars. It's a Kevin Bacon degree away from being an MJJ...

  • TimboJones Member
    edited April 2022

    @yoursunny said:

    @zcorps said:
    i think namecheap is best

    Maybe.
    I have their shirt.

    should not move domains just to save few dollars

    Saving from this transfer was $14.46.
    If this saving is unimportant, why do people PMS when they miss a VPS deal that saves less than this amount?

    Every one of these promos say it's for new service, not for existing services. As in, first time setup and keep paying low price year after year without moving service or lifting a finger to keep saving money. It's accumulating MOAR. What you did is not the same.

  • yoursunny Member, IPv6 Advocate

    UPDATE:
    Shortly after this article was first published, one.com approved the domain owner change request and re-assigned the domain under my own name.
    I updated the name server back to Cloudflare right away, and my websites are fully recovered as of this writing.
    According to UptimeRobot, total downtime was about 77 hours and 49 minutes.
    Needless to say, I wasted so much time trying to fix my domain, the time that I could otherwise spend doing push-ups.

    Thanked by 1Not_Oles
  • @yoursunny said:

    @zcorps said:
    i think namecheap is best

    Maybe.
    I have their shirt.

    should not move domains just to save few dollars

    Saving from this transfer was $14.46.
    If this saving is unimportant, why do people PMS when they miss a VPS deal that saves less than this amount?

    you twitting etc so that users knows why your website is down , well if you have such big user based that they need to be notified then it mean u will be earning a lot

    My push-ups site has more viewers and fewer servers than this guy:

    30 nodes

    There's no advertisement so there's no earning.
    It's all about fame and glory.

    @Swiftnode said:
    Cloudflare is also a registrar now, and they offer domains at wholesale prices

    Yes, but the price I got this time is cheaper than Cloudflare Registrar.

    Oh, 14.46 dollars is a lot; I thought you might be saving under $2, not more than that. Well, put some light on how you saved $14.45, lol. Currently I am paying, I think, $14 per year for a .com domain, so I am planning to migrate somewhere else, as they signed me up at, I think, $9 a year, and Namecheap increases the price when you renew the domain. So any suggestion for cheap renewal, like under $9, from a registrar with a good reputation for updating their DNS records quickly, like Namecheap?

  • yoursunny Member, IPv6 Advocate

    It's been 60 days since ndn.today was last transferred, which means I can transfer the domain again.
    I moved it to NameSilo LLC, which I have used several times in the past.
    NameSilo control panel is quite ugly, but they have all the essential features and none of the weirdness.
    Transfer pricing for .today TLD is $14.99 including one year renewal.

    I can't find how to transfer a domain away from One.com registrar.
    It's not in their help center or anything.
    When I asked in chat support, Mr Support Robot offered to send me the Auth-ID / EPP code, and then it's smooth sailing from there.
    Moreover, One.com does permit accelerating an outgoing transfer by pressing a button.

  • Saahib Host Rep, Veteran

    You are doing it just because its fun.. right and not for saving money or you have 1000s domains ?

    Thanked by 1yoursunny