Registrar Protocol Change Could Bring More Security to Domains

By Larry Seltzer  |  Posted 2006-10-22

Opinion: A big red switch in the registrar system gets thrown later this week. Let's hope the registrars are ready.

You may not have noticed, but major changes are being implemented in the domain registrar business. As the operator of the .com and .net registries, VeriSign is the hub through which all domain registrars must operate. They do so through a set of software protocols. On Oct. 28, the old protocol, RRP (Registry Registrar Protocol), will be "deprecated" in favor of EPP (Extensible Provisioning Protocol). EPP is also in place for all .org, .biz, .info, .us, and .cn domain names.

This process has been underway for many years. ICANN (Internet Corporation for Assigned Names and Numbers) began requiring the use of EPP with the introduction of the 2001 un-sponsored top-level domains. VeriSign deployed EPP on June 25, 2005. Since then, it has been running both protocols in parallel. But the day is coming very soon when VeriSign will actually shut down the old RRP system. Is the Internet ready?

From the point of view of users, the only important change is the addition of a security step for domain name transfers from one owner to another. With EPP you will need to obtain a special key, a kind of password, from the losing registrar, meaning the registrar from which the domain is being transferred. You will need to provide this key to the gaining registrar. It's a six- to 16-character code assigned to the domain.

Because you have to log in to your account at the registrar that holds the domain in order to get the key, many forms of domain theft are frustrated by it. Not all of them, of course. But the sort of domain theft where someone initiates a transfer and it goes through because the real owner doesn't check his e-mail is largely blocked by this feature, because you have to be able to contact the registrar of record on the domain and convince him you're the owner.
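The transfer check described above, sketched as an added example (not from the article or from VeriSign): the gaining registrar's EPP transfer request carries the code in `authInfo`, and a toy registry rejects any request without the matching code. Element names and result codes follow RFC 5730/5731; the domain, registrar IDs and auth code are constructed, and the 6-to-16 length check uses the article's figure.

```python
import hmac
import xml.etree.ElementTree as ET

EPP = "urn:ietf:params:xml:ns:epp-1.0"
DOM = "urn:ietf:params:xml:ns:domain-1.0"
NS = {"e": EPP, "d": DOM}
# Constructed registry state: domain -> (sponsoring registrar, auth code).
REGISTRY = {"example.com": ("losing-registrar", "k7Qp-29xWm")}


def build_transfer_request(domain, auth_code, cltrid="TR-0001"):
    """Gaining registrar's EPP <transfer op="request"> command."""
    epp = ET.Element(f"{{{EPP}}}epp")
    cmd = ET.SubElement(epp, f"{{{EPP}}}command")
    tr = ET.SubElement(cmd, f"{{{EPP}}}transfer", op="request")
    dom = ET.SubElement(tr, f"{{{DOM}}}transfer")
    ET.SubElement(dom, f"{{{DOM}}}name").text = domain
    auth = ET.SubElement(dom, f"{{{DOM}}}authInfo")
    ET.SubElement(auth, f"{{{DOM}}}pw").text = auth_code
    ET.SubElement(cmd, f"{{{EPP}}}clTRID").text = cltrid
    return ET.tostring(epp, encoding="unicode")


def registry_handle_transfer(xml_text, requesting_registrar):
    """Toy registry-side check; returns an EPP result code."""
    root = ET.fromstring(xml_text)
    tr = root.find("e:command/e:transfer[@op='request']/d:transfer", NS)
    if tr is None:
        return 2001  # command syntax error
    name = tr.findtext("d:name", default="", namespaces=NS).lower()
    supplied = tr.findtext("d:authInfo/d:pw", default="", namespaces=NS)
    if name not in REGISTRY:
        return 2303  # object does not exist
    sponsor, stored = REGISTRY[name]
    if requesting_registrar == sponsor:
        return 2106  # object is not eligible for transfer
    # Length bound from the article; constant-time comparison of the code.
    ok = 6 <= len(supplied) <= 16
    ok = ok and hmac.compare_digest(supplied.encode(), stored.encode())
    return 1001 if ok else 2202  # action pending / invalid authorization info
```

A request that carries the wrong or an empty code comes back as 2202, which is the case the article describes: a transfer started by someone who cannot log in at the losing registrar never reaches the pending state.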

I already ran into this problem myself about a month ago when I transferred a domain from 1&1, a hosting service that also does domain registration, to PairNIC. PairNIC demanded that I supply the "Transfer Authorization Code." Huh? I'd never heard of that before, and I've transferred a few domains in my day.

It took me a while to learn from the PairNIC guys that there's a new system in place and that I had to get the code from the other registrar—the "losing registrar" in domain name parlance.

I went back to 1&1 and looked for it and once again it wasn't easy. 1&1 calls it an "Auth Code." Not easy to find, but I found it eventually. I suspect many users will have a hard time with this process, and since it involves transferring domains away from the registrar, perhaps the registrars won't be as helpful as they might be.

So on Oct. 28 when VeriSign throws the switch and turns off RRP support, will all registrars be ready with their EPP support, even if it's not as helpful to users as it might be? The last word I got from VeriSign about a week ago was that "Today, most .com and .net registrars have cut over to EPP. The remaining few are on the trajectory of finishing by the 28th of October." That means they're not all done yet. (Are you a registrar and want to implement EPP? Here's how.)

I have to think all the big ones would be; they'd be completely nuts not to be ready by now. On the other hand, there are quite a few fly-by-night and otherwise shady registrars out there, and they might not be ready, but you don't want to be doing business with them anyway.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
