Problematic flaw in .co.za (EPP) transfer process

Is this process sound regarding human error? If it's accidentally moved to another account can it be retrieved without long stories? I was dealing with a registrar that was using an intern to do their support.
Eish. Support is one of the key differentiators between you and your competition. The ticket trail will have all the necessary information available to verify any retraction.

For security I'm assuming you only do this for a request ticket that originates from the client area? I know it's pedantic but I run a tight ship.
Exactly. You need to log the ticket from the account owning the domain.
 
The best method of handling a push would be as follows:

Owning ZA Domains Reseller initiates a transfer to push the domain over to Gaining ZA Domains Reseller using the domain name and Gaining Reseller's account number.
At the time of initiating the push the Owning ZA Domains Reseller confirms the transaction.
Once confirmed the gaining ZA Domains reseller receives an email requesting confirmation of the push, and only once this has been accepted will the push proceed.

An email confirming that the push has been sent to ZA Domains Reseller XXX is sent to the owning Reseller for proof and record purposes.

I hope this suffices.
 
NullHypothesis

I see that *most* of your queries have been answered - apologies for not jumping in sooner. I had typed a few paragraphs an hour ago but did not respond in time.

With regards to the domain push which you suggested, I have added this to the list of features to be implemented. With regards to security, we'll ensure that the reseller or registrar initiating the push has the ability to withdraw the push after it has been initiated.

The push would apply a contact update after it is accepted, which as you know locks the contact and domain for a period of 5 days unless the pending update is cancelled and resumed.
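The push flow described in the two posts above (owner initiates and confirms, gaining reseller must accept, owner can withdraw before acceptance), modelled as a small state machine. This is an added example, not ZA Domains' implementation; the class name, account numbers and domain are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    INITIATED = 1   # owner named the domain and the gaining account number
    CONFIRMED = 2   # owner confirmed; acceptance request goes to gaining side
    ACCEPTED = 3    # gaining reseller accepted; only now does the domain move
    WITHDRAWN = 4   # owner pulled the push back before acceptance


class PushError(Exception):
    """Raised when the wrong account or the wrong step is attempted."""


@dataclass
class DomainPush:
    domain: str
    owner: str                  # account currently holding the domain
    gaining: str                # account number supplied by the owner
    state: State = State.INITIATED
    audit: list = field(default_factory=list)   # proof-and-record trail

    def _step(self, actor, allowed_actor, allowed_from, new_state):
        if actor != allowed_actor:
            raise PushError(f"{actor} may not move {self.domain} to {new_state.name}")
        if self.state not in allowed_from:
            raise PushError(f"{new_state.name} not allowed from {self.state.name}")
        self.state = new_state
        self.audit.append((actor, new_state.name))

    def confirm(self, actor):
        self._step(actor, self.owner, {State.INITIATED}, State.CONFIRMED)

    def accept(self, actor):
        self._step(actor, self.gaining, {State.CONFIRMED}, State.ACCEPTED)

    def withdraw(self, actor):
        # Withdrawal stays open to the owner until the gaining side accepts.
        self._step(actor, self.owner, {State.INITIATED, State.CONFIRMED}, State.WITHDRAWN)


def mistaken_push_recovered():
    """Constructed scenario: owner pushes to the wrong account, then withdraws."""
    push = DomainPush("example.co.za", owner="R-1001", gaining="R-2002")
    push.confirm("R-1001")
    push.withdraw("R-1001")
    try:
        push.accept("R-2002")   # rejected: the push was withdrawn first
    except PushError:
        pass
    return push.state, push.audit
```
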

Hi Jade,

Contact updates do not lock the domain object for 5 days, only the contact object. If you are locking the domain up for 5 days when doing a contact update, then you might want to re-evaluate your code.

Murmaider maybe I'm a bit slow but are you not comparing different things or taking out of context? Jade is talking about a feature that does not exist yet. And talking about an internal transfer at the same registrar. She mentioned that as part of the push functionality. Maybe they want to apply that policy with their company's (yet to be added) push functionality?

Murmaider, I was a bit slow there but didn't Jade mean after the domain is transferred over? Within five days the new registrant details will reflect. Are you saying that within this period the default behaviour at the new registrar should not be to lock the domain during this period? Is this regardless whether the new registrant requested the domain to be locked or not? The default setting is usually set to lock at some registrars when initiating a transfer (at the winning registrar). Do you guys mean that during this five days it cannot be unlocked? And if the person chose not to lock the domain at initiation, the domain will reflect as locked for five days and then will revert to unlocked after five days? Or do you simply mean it cannot be transferred out again in the first five days?
 
So you are telling me that during that five days the only change on the whois is that of the "1c. Registrar"? And changes to nameservers are subject to "standard" times during this period. Is this correct?

Once a domain transfer has happened, the Registrar is updated immediately.
Then a nameserver update is sent by the gaining registrar and either completes immediately after the nameserver check, or fails immediately after the nameserver check.
Then a contact update is sent to the registry on EPP and pends for 5 days.

Nameservers are linked to the domain object, not the contact object.


I get that but it’s not rocket surgery to implement this. Are you of the opinion (used to dealing with the bureaucratic nature of the registry) that it won't happen anytime soon?

It is actually harder than it seems. EPP is an RFC standard - https://tools.ietf.org/html/rfc5731
The RFCs do not make provision for requesting email address to be sent in an EPP transfer call and it would not be within their best interest to break the EPP RFCs.

One possible solution would be to let the registrars send these accept/decline emails, but that will never happen since they cannot ensure that every ZACR registrar complies with that.

Murmaider, I was a bit slow there but didn't Jade mean after the domain is transferred over? Within five days the new registrant details will reflect. Are you saying that within this period the default behaviour at the new registrar should not be to lock the domain during this period? Is this regardless whether the new registrant requested the domain to be locked or not? The default setting is usually set to lock at some registrars when initiating a transfer (at the winning registrar). Do you guys mean that during this five days it cannot be unlocked? And if the person chose not to lock the domain at initiation, the domain will reflect as locked for five days and then will revert to unlocked after five days? Or do you simply mean it cannot be transferred out again in the first five days?

What I'm saying is that by doing a contact update (ad hoc or after a domain transfer), ZACR does not lock the domain for 5 days. Nameserver updates can be performed on the domain (or domain object) while there is a pending contact update on the contact object.

No registrar can lock a co.za domain (or place the clientTransferProhibited status on a .co.za domain). By locking I am referring to ZACR's pending events on a domain name or contact information.

Edit : Jade is a guy btw :)
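To illustrate the point made in the post above about RFC 5731, this added example (not code from the thread or from any registrar) builds a domain `<transfer op="request">` command and lists any child element the RFC does not define. It covers only the core RFC 5731 elements; the domain, transaction id, password and the `requesterEmail` element are constructed, and whether ZACR uses `authInfo` or its own extensions is not stated on this page.

```python
import xml.etree.ElementTree as ET

EPP = "urn:ietf:params:xml:ns:epp-1.0"
DOM = "urn:ietf:params:xml:ns:domain-1.0"
ET.register_namespace("epp", EPP)
ET.register_namespace("domain", DOM)

# Children RFC 5731 defines for <domain:transfer>; none identifies a person.
RFC5731_TRANSFER_FIELDS = {"name", "period", "authInfo"}


def build_transfer_request(domain, cl_trid, period_years=None, auth_pw=None):
    """Serialise an EPP <transfer op="request"> for a domain object."""
    epp = ET.Element(f"{{{EPP}}}epp")
    command = ET.SubElement(epp, f"{{{EPP}}}command")
    transfer = ET.SubElement(command, f"{{{EPP}}}transfer", op="request")
    body = ET.SubElement(transfer, f"{{{DOM}}}transfer")
    ET.SubElement(body, f"{{{DOM}}}name").text = domain
    if period_years is not None:
        ET.SubElement(body, f"{{{DOM}}}period", unit="y").text = str(period_years)
    if auth_pw is not None:
        auth = ET.SubElement(body, f"{{{DOM}}}authInfo")
        ET.SubElement(auth, f"{{{DOM}}}pw").text = auth_pw
    # clTRID is a client transaction id chosen by the requesting registrar.
    ET.SubElement(command, f"{{{EPP}}}clTRID").text = cl_trid
    return ET.tostring(epp, encoding="unicode")


def undefined_fields(xml_text):
    """List children of <domain:transfer> that RFC 5731 does not define."""
    body = ET.fromstring(xml_text).find(f".//{{{DOM}}}transfer")
    extras = []
    for child in body:
        namespace, _, local = child.tag.rpartition("}")
        if namespace.lstrip("{") != DOM or local not in RFC5731_TRANSFER_FIELDS:
            extras.append(local)
    return extras


# Constructed sample values, not taken from the thread.
REQUEST = build_transfer_request("example.co.za", "CLIENT-0001", auth_pw="constructed-pw")
# Constructed: the same request with an invented requester e-mail element added.
WITH_EMAIL = REQUEST.replace(
    "</domain:name>",
    "</domain:name><domain:requesterEmail>x@example.org</domain:requesterEmail>",
)
```

`undefined_fields(REQUEST)` is empty, while `undefined_fields(WITH_EMAIL)` flags the invented element, which a schema-validating server would have no defined place for.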
 
No registrar can lock a co.za domain (or place the clientTransferProhibited status on a .co.za domain). By locking I am referring to ZACR's pending events on a domain name or contact information.
NullHypothesis may be referring to the lock feature that we have on our platform - this sends a Registrar Deny vote at the time of receiving a transfer request if the domain is marked as locked.

Edit : Jade is a guy btw :)
She mentioned that as part of the push functionality.
She with a husky voice and a hairy chest
 
No registrar can lock a co.za domain (or place the clientTransferProhibited status on a .co.za domain). By locking I am referring to ZACR's pending events on a domain name or contact information.

There must then be a difference of interpretation if even your client area has a "Registrar lock status". No such thing exists?


By locking I am referring to ZACR's pending events on a domain name or contact information.

But when there is a pending contact domain information change that domain can still be transferred to a new registrar. It will give you a "Status Contact update pending" in your (winning) registrar client area. But it's there and not prevented from moving.

But we are kind of going off topic.

Edit : Jade is a guy btw :)
Maybe you just want to catch out a competitor?

She mentioned that as part of the push functionality.

She with a husky voice and a hairy chest

I went through all my replies to make sure it was gender neutral; I seem to have missed one.

NullHypothesis may be referring to the lock feature that we have on our platform - this sends a Registrar Deny vote at the time of receiving a transfer request if the domain is marked as locked.

They also have it.
 
She with a husky voice and a hairy chest

Story of my life man :(

NullHypothesis may be referring to the lock feature that we have on our platform - this sends a Registrar Deny vote at the time of receiving a transfer request if the domain is marked as locked.

A registrar sending deny is completely useless and carries the exact same weight as sending nothing.
I don't know if I would call it locking.

If there is a transfer request for a domain and:
- You as a registrar do nothing and the registrant does nothing, the domain transfer fails.
- If you send a Deny as a registrar and the registrant accepts the ticket - the domain transfers.
- If you do nothing as the registrar and the registrant accepts the ticket - the domain transfers.

There is no actual locking of the domain here; the truth table in the ZACR Policies gives full control to the registrant, and the only time the registrar has any influence is if the registrar accepts a transfer and the registrant rejects it: the domain will still transfer away.

https://www.registry.net.za/downloads/u/CoZa_Published_Policies_and_Procedures.pdf - Point 9.3

A registrar CAN NOT prevent a domain transfer of a .co.za domain.

There must then be a difference of interpretation if even your client area has a "Registrar lock status". No such thing exist?
WHMCS is assuming that all registries support the clientTransferProhibited (since 99.9% of them do). But now that you mention it, I'm sure we can go ahead and sniper that out of the drop down, thanks for that. ZACR does not support domain locking on any *.za ccTLD. There is no way to prevent a .co.za domain transfer request.

But when there is a pending contact domain information change that domain can still be transferred to a new registrar. It will give you a "Status Contact update pending" in your (winning) registrar client area. But it's there and not prevented from moving.

Yes, some registrars assign an entirely new contact object to a domain object whenever a contact update is done. In doing so it prevents any further updates from occurring on the domain for 5 days. Very silly I know.
 
But now that you mention it, I'm sure we can go ahead and sniper that out of the drop down, thanks for that.

I will be invoicing you as per my consultation fees. And for the two occasions I had domains erroneously renewed at Domains.co.za (R59 & R75).

I get that but it’s not rocket surgery to implement this. Are you of the opinion (used to dealing with the bureaucratic nature of the registry) that it won't happen anytime soon?


It is actually harder than it seems. EPP is an RFC standard - https://tools.ietf.org/html/rfc5731
The RFCs do not make provision for requesting email address to be sent in an EPP transfer call and it would not be within their best interest to break the EPP RFCs.

One possible solution would be to let the registrars send these accept/decline emails, but that will never happen since they cannot ensure that every ZACR registrar complies with that.

The problem is how it is implemented, and there is no one really competent (with enough influence) to guide the people that are making these decisions. The majority of "registrars" in South Africa are two-bit hack job outfits with vanilla WHMCS installs just going with the flow.
 
If there is a transfer request for a domain and:
- You as a registrar do nothing and the registrant does nothing, the domain transfer fails.
- If you send a Deny as a registrar and the registrant accepts the ticket - the domain transfers.
- If you do nothing as the registrar and the registrant accepts the ticket - the domain transfers.
- If you do nothing and the registrar accepts then the transfer completes after 5 days

The feature is there because it has been requested and serves its purpose well.

NullHypothesis - if you are using our platform and need the push feature setup then please send me your ZA Domains username via PM or alternatively pop us a mail mentioning the feature and I'll gladly arrange this for you and let you know once done.
 
- If you do nothing and the registrar accepts then the transfer completes after 5 days

The feature is there because it has been requested and serves its purpose well.

Agreed, but the locking isn't about the registrar accepting the transfer, but rather denying it.

What I'm saying is that whether a deny is sent by the registrar or nothing is sent it has the exact same value on the truth table.
So as a registrar, simply ignoring the transfer request and doing nothing, is implicitly a default deny vote.
 
So as a registrar, simply ignoring the transfer request and doing nothing, is implicitly a default deny vote.

This much is obvious; it's how it's always been, and rightfully so.

Agreed, but the locking isn't about the registrar accepting the transfer, but rather denying it.

What I'm saying is that whether a deny is sent by the registrar or nothing is sent it has the exact same value on the truth table.
Yes but what is causing the confusion??? The vanilla WHMCS installs. That "lock" does nothing. It is like a Zimbabwean coin.
 
I will be invoicing you as per my consultation fees. And for the two occasions I had domains erroneously renewed at Domains.co.za (R59 & R75).

@NullHypothesis, as Dave (Murmaider) mentioned in a previous post, please can you PM either of us your account details and we will gladly process a refund of the 2 erroneous renewals.

-Wayne
 
As for your initial observation, depending on who you're using as a registrar, they implement this safely. The transfer request from/who does get emailed to you beforehand. But since this is an API implementation, and not everyone would have the feature, I'd assume it's specific to the registrar you're using and you can contact them specifically to suggest this feature or move to someone who has this.

You still haven't revealed who the fabled registrar is with this ability.
 
Assuming EPP to EPP xfer.

The registry has zero idea of who requested the xfer of the domain object (other than the initiating registrar), and as such can't include it in an email.
The registrant object is copied to a new registrant object owned by the new registrar on successful xfer.
There should be no need to update the registrant object after an xfer.
The 5 day waiting period for registrant object updates is designed as a protection for the registrants - if they don't like the update they can fight with their existing registrar, or xfer to a new registrar, which negates that update.

<if you want an official ZACR position, you're going to have to talk to someone else>
 