What are locked domain names technically?

Locked domains are domains which require additional hoops be leapt through in order to change ownership. The lock is requested by the owner of the domain and implemented by the registrar of the domain.

Historically, transferring ownership of a domain required something like one of the authorized contacts faxing in a signed paper. And, believe it or not, there were people out there who would fraudulently sign papers and fax them in so that they could steal the domain. It's called Domain Hijacking and during the dot-com era it was a reasonably large problem. It happened to my company around 2000 and it took us months for the lawyers to convince Network Solutions that the domain had been fraudulently transferred and that it should return to us.

Domain locking means that the registrar must unlock the domain before making changes, and that therefore they are triggered to apply extra scrutiny to the transfer. Some might argue this merely makes them "do their job"...

The law of unintended consequences means that domain locking became a weapon in the registrar wars. As new registrars came online and tried to capture business from the (more expensive) older registrars, domain locking was urged upon domain owners with the unstated goal of making it harder to hop from one registrar to the next. Every domain registered at Network Solutions "comes with the free Domain Protect feature enabled," for example.

Your biggest question seems to be: is domain hijacking an important threat?

Yes, but relative to the value of your domain. For example, "sex.com" was an attractive and lucrative target (link goes to article, not named domain). Other domains would have lower value.

Update

I was unable to find a way to query ICANN to find out which TLDs support domain locking, but I was able to find this (very comprehensive) list on a registrar site which indicates that .co does support domain locking:

.co TLD info from OpenSRS

And, if you go to the .co whois server, you can see that locking attributes are listed for their domains:

Whois details for cash.co

For at least two of the TLDs listed as not supporting domain lock in that list (.cn and .uk), I pulled up whois details for a couple domains and did not find any indication of EPP status codes that would indicate domain locking. (As a negative inference, that's of limited use, but it beats contradiction).
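The whois check described above can be scripted. This is an added example, not part of the original answer: it extracts EPP status codes from whois text and reports which of transfer, update and delete are prohibited, and whether by the registrar (`client*` codes) or the registry (`server*` codes). The function names and both sample whois records are constructed for illustration, and it assumes statuses appear on `Domain Status:` or `Status:` lines.

```python
import re

# Matches "Domain Status: <code> [url]" or "Status: <code>" lines in whois text.
STATUS_RE = re.compile(r"^[ \t]*(?:Domain[ \t]+)?Status:[ \t]*([A-Za-z]+)", re.I | re.M)
# Lock-related EPP status codes (RFC 5731): client* is set by the registrar,
# server* is set by the registry.
LOCK_RE = re.compile(r"(client|server)(Transfer|Update|Delete)Prohibited", re.I)

# Constructed sample records, not real whois output for any domain.
SAMPLE_LOCKED = """\
Domain Name: example.test
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
SAMPLE_OPEN = "Domain Name: example.test\nStatus: ok\n"


def parse_statuses(whois_text):
    """Return the EPP status codes in whois text, in order, without duplicates."""
    seen = []
    for match in STATUS_RE.finditer(whois_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def lock_report(whois_text):
    """Map each operation to the parties (registrar/registry) prohibiting it."""
    report = {"transfer": [], "update": [], "delete": []}
    for code in parse_statuses(whois_text):
        match = LOCK_RE.fullmatch(code)
        if match:
            setter = "registrar" if match.group(1).lower() == "client" else "registry"
            report[match.group(2).lower()].append(setter)
    return report


def unprotected(whois_text):
    """Return the operations that no lock status prohibits."""
    return sorted(op for op, who in lock_report(whois_text).items() if not who)


if __name__ == "__main__":
    print(lock_report(SAMPLE_LOCKED))
    print("No lock on:", unprotected(SAMPLE_OPEN))
```

An empty result from `unprotected` only means a lock status is published; as the answer notes for .cn and .uk, the absence of these codes does not by itself show how a registry handles locking.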


TLD locks were created to prevent the following:

> Modification of the domain name, including:
> Transferring of the domain name
> Deletion of the domain name
> Modification of the domain contact details

As per "Registrar Lock" status codes. It benefits companies who pay for it as a service (e.g. stop someone from doing ANYTHING to a domain unless authorization was PROVEN), and has been used by law enforcement agencies and registrars to take over domains associated with malicious actions (e.g., malware, APT-like threats, and so forth). The main purpose of the lock was to prevent hijacking and slamming. See ICANN on this. It has also been abused by some registrars, e.g., Register.com used to place a lock on your domain like it or not (unsure if they still do). Unless the lock was removed, you were forced to keep re-registering with Register.com ($35.00 per .com once upon a time) versus transferring to a lower-priced registrar. Alas, as answered it was mainly created to protect a domain owner from losing their domain.

EDITED FOR CLARITY / LOGIC

A registrar lock does NOTHING against "taking over a domain" if the original poster meant to ask: "Will a registrar lock stop me from taking over the domain?!?!" (where by taking over, the OP meant hacking). And I quote: "I don’t know if it would allow takeover" What are you trying to take over? The domain? Or the server the domain is on? Two different things. Registrar locks do NOTHING on the technical side of the equation. They do not protect a domain from being "taken over" if, say, there is a PHP vulnerability. The registrar locks only work between RIRs and offer ZERO protection from technical vulnerabilities.


A transfer lock means that the registry (e.g. .co, .eu, etc.) will not transfer the domain, and will not release transfer codes either. Transferring using a code will not work either. To release the lock, you would have to go into the domain admin panel, using the authentication solution that the registrar is using (for example: one-time codes) and remove the lock. Then the transfer can proceed as normal. Manual intervention is only permitted if a registrar locks a domain to forcefully keep a customer (which is disallowed by ICANN).

However, there are locks that always require manual intervention, and those can be indicated the same way in whois, so the public cannot see what type of lock is imposed. Those locks are, for example, when there's an ongoing dispute on the domain, or if a domain is locked due to abuse (e.g. phishing), or if a court decided the domain should be locked/seized.

clientUpdateProhibited is another type of lock that normally requires human intervention. It's a lock you cannot apply through your registrar control panel.
