Verisign Registry Lock Service can help ensure that .com, .net, .tv, .cc and .name domain names do not get hijacked.
As a result of recent high-profile DNS hijacking incidents, Verisign is providing some additional information about its Registry Lock Service for domain names in .com, .net, .tv, .cc and .name. There is a tremendous amount of coverage in the media about these types of DNS attacks, and it is important that organisations and individuals with domain name registrations understand the difference between various levels of domain locking.
What is Verisign Registry Lock Service?
Verisign Registry Lock Service can help ensure that .com, .net, .tv, .cc and .name domain names do not get hijacked. Domain name hijacking occurs when an attacker gains unauthorised access to registration data for a domain name, thereby gaining administrative control over the domain that enables them to modify several elements of the domain, including the website to which the domain resolves.
Since Verisign is the registry operator for .com, .net, .tv, .cc and .name, only Verisign Registry Lock Service can offer this type of Registry-level protection for these domains.
Why is it important to lock a domain at the Registry level?
Registry-level locking of domains provides additional levels of authentication between the Registry (Verisign in the case of .com, .net, .tv, .cc and .name) and the registrar of the domain name. If an end customer requests a change to a Registry Locked domain, an authorised individual at the registrar must submit a request to Verisign to unlock the domain name. This requester is then contacted by Verisign via phone and required to provide an individual security phrase in order for the name to be unlocked. This “out-of-band” step protects against automation errors and system compromises.
How can I make sure my domain is locked at the Registry Level?
Our Whois lookup tool will enable you to check if your domains are locked at the Registry. Type your domain name into the Whois lookup bar. In the results, there are up to 4 “Status” fields: Delete, Renew, Transfer and Update. Delete, Transfer and Update are the critical statuses for locking your domain name. Using Update as an example, if the status for Update says “serverUpdateProhibited” then your domain name is locked at the Registry level and cannot be unlocked (and therefore changed) without “out-of-band” authentication between Verisign and your registrar. This “Server” and “Prohibited” status must appear for all three statuses (Update, Delete, Transfer) for the name to be on Registry Lock.
If the Whois results for your domain name ONLY indicates “clientUpdateProhibited” this means that your domain name has been locked by your registrar, but not at the registry. This registrar locking may still leave your domain name vulnerable to the type of malicious activity seen this week. If your Whois results show both “client” and “server” status as “Prohibited,” your domain names are locked.
Here is an example of the Whois results for a Registry-level-locked domain, with the key statuses highlighted: