Christopher X. Candreva wrote:

> This is where I'm really getting confused. You seem to defend the current "transfer without explicit approval" method.

There is no such thing. Transfers don't happen without explicit approval. Unless a spectacular failure unrelated to the transfer policy occurred, the gaining registrar in this case believed that they had obtained explicit approval from the domain name holder.


What you're talking about is that transfers can now go through without a SECOND explicit approval at the losing registrar, too. Many registrars (including Tucows) didn't ever require a second approval, so nothing has changed for them. Some registrars did require a second approval, but there's no reason that a second approval couldn't be forged just like the first one, if that's what happened.

The most common method of hijacking domain names has been to gain access to the administrative e-mail address, either by guessing the password used at the domain registrar and changing the contact address, or by guessing the password to the e-mail account in question, or by "recycling" an outdated address at a mail service such as AOL or Hotmail. If a hijacker does that, requiring a second approval makes no difference.


> Yet you also seem to be saying locking domains should be a matter of course, which negates the whole thing, brings back the original situation, but just adds an additional step.

Well, locking the domain name prevents certain types of hijacking (but not all): for example, it prevents hijacking by someone who forges documents sent to a new registrar. If you have no intention of transferring your domain name, locking it is a good idea, just as locking your house is still a good idea even though it doesn't stop every type of burglary.


But locking the domain name certainly doesn't bring us back to the original situation with an additional step. The original situation was horrible: it was difficult to transfer domain names from certain registrars because they would often claim the owner didn't respond to a second transfer approval request that the owner said he or she had never seen. The "locking" solution allows domain owners to make sure the current registrar isn't able to make transfers more difficult than they should be (for the most part), and I can testify that it has in large part solved what was a huge, huge problem.

Anyway, time will tell what the true situation is here. It's always possible that something new and scary has happened. If I had to lay odds, though, I'd guess that the true cause of this problem turns out to be something much more prosaic than some of the panicked (no pun intended) suggestions here and on NANOG. Don't forget that domain name hijackings happened under the old transfer system, too. If someone guessed the password to the panix.com Dotster account, or the password to the admin contact's e-mail address, that would be all it would take under either system. (The fact that a message from Panix indicated that locking had been turned off for three domain names at two different registries seems to make this hypothesis more likely than the "forged documents sent to the gaining registrar" or "registry hacked" hypotheses.)

--
Robert L Mathews, Tiger Technologies
