633 points by richeyrw 8 months ago
I recall a time when a company I had association with lost their main domains due to a failed renewal. In this case it was a long-term employee who left the company that had loads of company bills going to his card. He cancelled the card sometime after he left and the domains were not renewed. I’m not sure where the renewal failure emails were going but probably some unmonitored admin email box.
These were very important domains. Without them, this $1 billion+ company immediately lost all of its ability to generate revenue. It was quite shocking.
The problem was discovered when users started getting the registrar’s landing pages rather than the company website pages. It was fixed relatively quickly once identified but do to DNS propagation took about 48 hours for complete resolution. During the window unrecoverable revenue well into the hundreds of thousands was lost.
It seems to me that a domain renewal is always a risk, even with a highly reliable registrar. A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years). Even then you have a weak spot because your credit card will be expired by then so you should back that up with a calendar reminder a few months prior to renewal to make sure everything is set.
> A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years)
This is an interesting take. I prefer the opposite approach: choose the shortest possible registration window (1 year), and have a very clearly defined, properly-documented renewal process that multiple people at the company understand. It's unlikely that all of those people leave the company in a 1-year window, so the knowledge gets passed on reliably.
If a renewal happens only once every 10 years, then it seems very likely that the person responsible for it has moved on, knowledge around the process is lost, and at best the documentation is very out-of-date (but more likely it's missing).
My process is to have a shared calendar for these high-risk renewals. Top company officers should be on this calendar (CEO, CTO, and some engineering VPs). The calendar contains recurring events for domain and SSL cert renewals. These calendar events are set up for about 1-month before the actual renewal, and fire reminder emails at several intervals beforehand (in case people are away or on PTO).
Why not renew for ten years, then every year extend it by one more year. Best of both worlds and if something screws up, you have 9 more years to fix it.
Ceremonies that aren't critical have a higher likelihood of being skipped, forgotten or ignored...
While this statistically might be true, I believe that this is completely dependent on one's personality. Having extra chances to remedy a trouble (which, as can be seen from the article, may occur due to reasons completely out of hand) has notable benefits, such as eliminating such prolonged downtimes.
It is like having replacement toothpaste ready for your bathroom. It is such a nuisance to go out and buy it on the day it runs out, and more likely to have a day without if you do not keep replacements ready.
Is it 10x more likely that a systematized annual renewal is going to fail if the domain name has been registered for 10 years already?
It would be hard to make the case for 2x, but 10x?
This feels like a solid way to do it.
LetsEncrypt chose 3 months. Maybe that’s a hint for us that frequent renewals are better.
No, for SSL certificates there's value in having a short expiry. For example if the private keys leak. There's no value in having a domain name (that you want to keep) expire.
The value is in forcing you to keep it in mind. You don’t forget about things you have to do every 3 months as easily as something you have to do every 10 years.
If your logic is sound, then explain why I forget to refill my medication on time which I do monthly, but I don’t forget to renew my domains?
You’re comparing apples and oranges. Do you more easily forget a password you use everyday or one you use once a year?
I personally found a period of 1-2 year to be the absolute worst. On the next cycle the man is gone because it's past the average tenure. The emails about it were lost or auto deleted. Any documentation or process is useless because the company or the supplier has changed.
To have a process be remembered, make it monthly or quarterly.
This is why it's important to use job scheduler software, admined by a NOC, to generate your own internal reminder emails set for a specific date and time in the future. The process of renewing a domain or buying anything that requires renewal should include a step to create the future reminder job.
This is vastly more powerful than you need to simply call a shell script which generates SMTP email to your email@example.com address, but can serve the purpose:
You can use this for all sorts of things like maintenance notifications, automated emails to a facilities group on N schedule to change air conditioning filters, whatever needs to occur on a specific recurring time schedule.
It's also important that these notifications are sent to an address that is permanently assigned to a role, e.g. firstname.lastname@example.org, rather than to any particular person, e.g. email@example.com. Steve might not be there the next time those domains come up for renewal.
The same rule applies to any email address that you use to purchase and renew domains and other critical services. If renewal emails are being sent to someone who doesn't work there anymore, something is very wrong.
How can you make domain renewals be monthly or quarterly?
The monthly process isn't necessarily to renew domains - it is to assess the situation to see if there are any that need renewing soon. Many months nothing will need doing, a couple of months per year something will need action.
Even as a small company we have a number of regular infrastructure reviews. Most of the time we just go through the review, find nothing has changed unexpectedly and no new ideas need bringing to the table, we sign off to say all looks well, and the prices takes very little time. Some of this is automated: scripts collate and report information for signoff and we humans verify the result and take actions as needed (in some cases the action needed is to update the script(s)). This may seem wasteful, but a couple of people spending a couple of hours total per month on such checks can save some nasty surprises in future.
Domain status checks is one of the things that gets reviewed.
If you have multiple domains you could renew them at seperate times.
Has the advantage that a failure might not be so disastrous either.
Only if you had the foresight to register them at different times, right?
Not necessarily, most registrars will let you renew for a full year or more at any time. Buy both on the same day, set a reminder or open a ticket to renew only one domain in 3/6 mo.
Also, get a registrar with an API and use a script to figure out how long a domain is valid. Alarm through your monitoring system when you hit the too close for comfort time frame.
You can scrape whois as well but that seems fragile.
We had this same argument about certificate expiration on a code signing project I worked on.
I maintained that having to remember to renew a cert every September was more likely to stick with someone than 18 months or two years. It also keeps your blacklist smaller because dead ones age off faster.
I don’t recall how it ended up but we added automated reminders every 30 days starting three months before expiry.
You could do both. Register it out ten years and each your register an additional one.
10 years sounds a bit inflexible for me. Things can get a little weird if you switch registrars but you have more than 9 years left on your domain so you can't get a full additional year.
I do try to maintain a margin of at least 3 years on important personal and business domains, though.
Less than 37 months left = immediate attention required.
> choose the shortest possible registration window (1 year)
Registering domains for only a year at a time will negatively impact your email reputation.
Probably late to this party but at my employer we have a contract with MarkMonitor under which domains are auto-renewed and then we are invoiced for the cost.
The advantage of this is that domain renewals are not broken by payment problems. Payment problems produce a failure state of "domain got renewed, the vendor is harassing us about an invoice"--which is much preferred to "domain did NOT get renewed, our site is down until we update our credit card." It also helps mitigate the "crucial employee departed" problem, since MarkMonitor won't just give up on an unpaid invoice... they will escalate if they don't get paid.
Of course as a matter of practice we always have multiple people with access to the dashboard, but if all those people got kidnapped at once, the domains would still renew.
I recognize that MarkMonitor is more expensive than Namecheap or GoDaddy or whoever, but I also bet that a lot of successful companies that are super reliant on their domains have never called for pricing. I don't work for a mega-corp; we're a nonprofit. And who knows, maybe other registrars may be willing to offer a similar payment structure.
(I'm not affiliated with MM in any way--just a happy customer.)
Personally, I'd rather have a corporate domain be renewed once per year and have a defined process for it (e.g. literally have a binder somewhere listing all the details, and put reviewing it on a checklist of other yearly legal and financial tasks) than have it be forgotten about for 10 years at a time.
I've set it up before to have 10y which is the max, and renew for 1 year every year. So the domain always has a lead time of 9-10 years but it is still renewed once a year for practice. for most domains thats like 100 bucks to lock it down for 10 years. You can also monitor the domain expiry in your monitoring system i.e. nagios or whatever you are using.
Thanks, I learned the hard way. =)
How does one set that up? Im using gandi and didn't know this was possible.
Buy 10 years of registration initially, then each year set yourself a reminder to extend this by one year. It's not automagical.
That said, with Gandi, you can just set it to auto-renew, which works pretty well.
The problem with relying on auto-renew is that, sooner or later, your credit card will expire (or the employee who was in charge of the domain will be gone) and the renewal will fail. The account needs maintenance one way or another.
If you’re in SEPA, use SEPA direct debit instead. As long as the bank account exists it’ll run on forever.
No, the problem isn't auto renew, the problem is using unmonitored automation.
Makes sense it is a bit like having a fire-drill
>> registering them for as long as possible
To clarify, you can register them for 100 years, not 10 years. Network Solutions offers the 100 year renewal.
While 100 years or even 10 isn't for everyone, I do still agree: register them for as long as feasible.
This is why -generally- there is a period after the domain expires in which it is locked and cannot be purchased by anyone other than the previous owner. Just in case someone tries to squat. There are a few registrars that do this. I've seen it (squatting) happen more to small businesses, because even if their site it showing the landing page they might not notice it until a month later and by then it has been released and squatted. Bigger companies with lots of traffic would usually get a notice from a customer or internal employee that the site is down. This is my experience at least.
John Lewis (the big retailer, not the politician, and not http://twitter.com/johnlewis) forgot to renew the domain of one of their services just this week: http://www.bbc.co.uk/news/technology-44108830
More mature companies usually keep a contract calendar where they aggregate important dates for all signed contracts.
Funny thing about domain renewal is that it’s so inexpensive that it can fall through the cracks and not get on the calendar.
Could be useful to think of all the little deadlines that cause risk and use a single process.
Personally I recommend adding domain expiry checks to your monitoring system. Same with SSL certificate expiry.
Seems like an opportunity to me: makedamnsureirenewmydomainname.com
They got lucky, because if it were me and I left on mild terms I would be invoicing them $50k a year to renew their domain.
You are lucky, because if I ran that company I'd haul your ass in court so quick you wouldn't know what hit you.
The fact that you can doesn't give you a right to do so and in this case it is pretty clear that you would be acting maliciously.
I've seen such 'tricks' up close a couple of times and judges tend to take a very dim view of this kind of behavior.
Good luck proving I have any connection to the company in the foreign country sending you the invoice.
Also, if payment isn’t received within 30 days you can expect to see the domain forwarded to a “for sale” page.
And given how fast the legal system moves especially across international borders, you will lose hundreds of millions in revenue before getting any kind of verdict, possibly even go bankrupt.
Wow, breach of contract, theft and extortion all in one convenient package!
Who says technology doesn't have a sociopath problem
Could you do an AMA once you get out of jail? I'd love to see how this all turns out for you. You seem to be the kind of person who just makes fantastic life decisions.
Yeah, corporate attorneys and the legal system at large have never dealt with extortionists with your creativity before. I mean, doing it anonymously AND with a ticking time bomb element, only a true master villain could have thought of such a brilliant scheme!
Do check with a criminal attorney before doing any such thing.
“It’s a nice domain you have here, be a shame if something happened to it” sounds cool in the movies, but in the real life it may be treated as extortion and land one in jail.
Domain name dispute resolution policies would find in the company's favor pretty much immediately (due to their trademark rights, and your registration with bad-faith intent), so they'd get it back reasonably quickly one way or the other. :P
Yep, great ransom plan!
1. They do not need to pay you. You have zero chance of getting paid.
2. They can easily identify you as a suspect (even with foreign company or whatever) and the police can investigate further.
So you risk going to jail, with no upside.
To be fair, unless you're a big company I'm pretty confident this could work. I don't know what police entity I'd have to turn to here in Belgium to complain about someone in the US running off with my startup's domain name. You'd need serious lawyers to go after this.
I know everyone thinks police are going to investigate and that I’m definitely going to prison, but the sad reality is they probably won’t and I’d probably never see a jail cell. They might look into it, maybe even setup a sting operation, but then in the end nothing might come of it anyway.
Trust me, I know of a ex-cofounder in a previous who company who took off and disappeared with $175k from the company bank account, and despite our best efforts at getting justice or the money back, no one really gave a fuck, and there wasn’t much we could do unless we wanted to get into very expensive legal battles using money we didn’t have, against a person that was hard to get a hold of and with no guarantee of getting our money back, at least anytime soon (years). It was much more practical to just cut the losses and move on, making sure we could do everything to prevent it from happening again by someone else.
And the truth is this is how it is for a lot of things, the successful cases you hear of are really just a small percent of the crimes. Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end. Most people eventually give up. Unless you’re killing people or running drugs, there’s a lot of criminal arbitrage you can get away with due to how slow and how apathetic the law is.
Though I sometimes do think about the price I would have to pay if there was a reckoning.
You’re a little off here.
The Chickenshit Club (that is, federal prosecutors in the last ten years) means that big company management can get away with white collar crime, paying other peoples’ money to make charges go away.
Workers or little people at big companies are still subject to prosecution for white collar crime. And apparently since criminal prosecutions are time consuming DOJ has decided to deprioritize them, so if you commit white collar crime for small dollar amounts you’re also likely to get away with it.
“The Chickenshit Club
Why the Justice Department Fails to Prosecute Executives”
Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end.
You're not making any sense. You started this entire thread by talking about how you'd hold this $billion+ company's domain ransom for tens of thousands of dollars per year, so your sad tale of woe about how you couldn't afford an attorney to chase down an embezzler is irrelevant.
I don’t believe I said it had to be this particular company.
The timing of this is an amazing coincidence — I recently “lost” my domain in the same way. I bought it originally on Namecheap but have since transferred all my domains into a singular Google Domains account. My main domain, where I have my personal site and all my important emails, disappeared without notice on Wednesday the 9th last week. No expiration notice sent, no information as to what had happened.
I contacted Google as soon as I noticed and hey have been alright to deal with. Fortunately I am a Gsuite customer. I had to pay a fee to renew and another fee to restore, which was over $100. It’s been in “restoration” mode, ie offline, for days now and I am unable to even touch the DNS records until it’s back. I’ve already lost a week of uptime with zero recourse. FWIW I use a .co domain, and my site was throwing (for 24hrs or so) a splash page saying the domain was suspended.
Eagerly awaiting for it to come back but I’m totally in the dark as to timing.
Did the domain expire, or was there some other issue?
I just transferred some .com domains to Google from Name.com, I hope these expiry problems are limited to non- .com TLDs...
The domain did expire, though I was never made aware of the upcoming expiration. My assumption is that there was some glitch between Namecheap, Google, and the .co domain authority... but I still don’t know exactly how my domain expired so silently. All my other domains were purchased through Google, this one was transferred in.
It really was a massive headache. I have no idea how long it would have taken me to notice (site is my authoritative presence on the web, but is a static personal page — no marketing or sales) and my email is a light trickle of messages by design: bills, bank statements, close personal relationships. Fortunately my brother told me his wedding invite bounced a day after going offline so I could follow up relatively quickly.
I filed a ticket with Google and got first line support within an hour. They confirmed it was still in Googles system. Then I was assigned a Senior Specialist who called me on Monday to confirm ownership. It is now Wednesday and my DNS records are still inaccessible.
If I were you I would definitely set an independent annual reminder to check your domain status, just in case.
I note my domains expiration dates and renew them at least 30 days before.
Your not the only person whose had issues recently with Namecheap not sending renewal emails.
I have the opposite issue with namecheap. I have my domains on auto-renew, and every time they're about to be due for their renewal, namecheap sends me a scary email saying I don't have the funds to renew, and only the next day do they auto-renew my domain.
I had that happen with them, when I first finally decided to trust their system to save my credit card information and turned on autorenew. Support told me it was/is because I have a couple of dollar balance with them from years and years ago, back when something involved making a transfer payment to my balance with them and then executing against that balance.
If you have autorenew set, it first tries to draw against any existing positive balance you have directly with Namecheap. If/when that doesn't work, it then next tries your preferred payment method (e.g. your registered and designated preferred credit card).
I was told if I found a way to clear my couple of buck balance with Namecheap, I'd no longer get the warning email. The first attempt would be against my credit card, which would work, and I'd just get one success email (after preceding "upcoming" emails and all that).
I don't know whether this is correct. It's what I was told by support over chat, IIRC.
OK, I'll investigate that solution when I get a chance. I reported it to tech support a year or two ago and they were fairly confused.
Namecheap not sending renewal emails? I usually get 5-6 notifications when a domain is about to expire, starting 2 months out.
Here it is where the missing notifications that you all are complaining about are gone!
One of the reasons I use Namecheap is because I've had good experiences in this realm. I get domain renewal and WhoisGuard notices a month before, a week before and on the day of expiry itself. Namecheap then always keeps expired domains in a grace period status for about two weeks where I can still renew after expiration.
About a day before they're completely unavailable for renewal, I'll also get an email from CloudFlare saying the nameservers aren't pointing to CF anymore (I use CF for active and parked domains.)
>Namecheap then always keeps expired domains in a grace period status for about two weeks where I can still renew after expiration.
That is standard behaviour for a domain-registrar, when a domain expires. When a domain expires the previous owner can re-register it during the grace period, after that for an extra fee it can be renewed in the redemption-period.
Finally just before a domain is available for re-registration by an unrelated party it will land in the pending-delete state.
Just add onto this, the grace period is normally 10-20 days some registrar's leave the domain working during this time but some take it down. Then it goes into a "redemption period" for anywhere between 25 - 60 days. In the redemption period the registry tacks on a fee that is somewhere between $60 - $200 so the extra fee gets kicked up the chain.
Registrar: Who you registered the domain with
Registry: The company that owns the tld
Yeah, NameCheap is pretty flaky with the warning emails. I once had their WhoisGuard service expire (it was on a different renewal phase from the actual domain, for some reason), and I never received any warnings about the service expiring until they sent an email to notify me that the WHOIS records had been automatically updated.
I've since added a monthly calendar reminder to log in to all registrars and verify all services are still enabled and correctly configured with plenty of time left.
Wasn't Op complaining about Google DNS, not Namecheap? I've never had any notification issues with Namecheap after almost a decade of them managing most of my domains. If anything they over-communicate about expirations and auto-renewals. Auto-renew works well and even after an expiration it's usually easy and fast to get your domain back up.
If you proactively renew instead of waiting for the automatic renewal you can also typically use a coupon to save a little bit of $.
I've used name.com for years and thankfully haven't had any of these issues.
Still domains are so cheap and these horror stories are so common that I realize this can happen with any registrar. There isn't enough publicity over issues like this for people to leave en-mass, so financially I can see this happening. I know one small registrar company and it's like 10 people and they write everything in Perl and run everything in Docker.
Fun thing about name.com. I suggested it to my girlfriend and it turns out they don't require e-mail validation. She mis-typed her e-mail address when she registered, and now she can't get into her account. Forgot password doesn't work because it tries to e-mail an address that doesn't exist. She tried to contact them several times but I don't think the support staff understood the situation.
I've always received multiple emails from them leading up to a domain expiration. Not easy to miss, unless your whois email contact isn't current.
(Google Domains gives you free whois privacy, but they use that contact for notifications)
I get so many emails from Google leading up to and after expiration it's a nuisance. As for parent's issue, I think if you let your domain expire that's 100% on you.
Yeah it's hard to feel bad when they start warning you 90 days in advance
Can I ask why you chose to leave namecheap for Google?
I use Google services for all my domain-connected stuff via Gsuite; that includes Hangouts, Google Drive, Gmail, Google Docs, Google Contacts. On a whim I decided to transfer in the domain. I also use Google Domains, now, to register domains for no specific reason.
There are no features or perks that I know of that compelled me to choose one registrar over the other. It was just a random act.
Idea: Write a Google Script that periodically checks the domain for expiry, then inserts an email directly in your inbox if there is an issue.
We check for domain expiry and then trigger an alarm in the monitoring system when the valid.date.days <= 90
I do this for SSL (<= 30), but I should probably do it with the domain as well.
Can't hurt. =)
This solution is a bit over-engineered, don't you think?
I'm confused, how is it over-engineered?
This is the job of the registrar
Turns out, sometimes someone doesn't do their job, or someone ends up in the hospital, and sometimes weird things just happen.
There are lots of places where we may want redundancy to redund at us.
I wasn't trying to justify otherwise?
If you have to engineer a solution due to problems caused by the failures of those you depended on to deliver the expected level of service then the entire solution is over-engineered.
Over-engineering is when you make something to be more robust than is necessary for it to work successfully. Evidently depending on the registrar actually failed here (just as it has for many in the past), and this will surely happen again in the future. I don't see how making your system robust to failures that actually come up is over-engineering. It sounds more like just plain old engineering. (And I honestly also fail to see what is productive about pressing on with this conversation.)
You don’t pay them to do it. It’s not their job. In fact by default it is nobodies job, it’s just your own responsibility.
The registrar may see it as an opportunity to sell you another year of service but it is not their job.
It's their job. But it's your ass if they don't do it.
That's a horrible situation, and one I'd encourage everyone to try to avoid - register production critical domains with a company that provides live phone support and stick with tried and true TLDs.
Yeah, it may cost more, but this story just illustrates that you're staking your entire company on a $15/yr service, and you get what you pay for.
Even if you want to run your marketing/landing page/etc off a .io or other fancy tld, run your production stuff off a .com or country-level equivalent so your customers aren't left in the lurch if something like this happens.
- edit - punctuation
Even the most reputable tried and true do not guarantee anything. They can and will kick you out on a whim.
You can still mitigate the risk though. Use multiple domains in all marketing materials from different tlds and different registrars. Use regional domains. Have alternative ways to communicate with your customers. It's all very basic stuff. Merely thinking about it gets you far. Most people don't even think about it and blindly rely on centralized services: domain registrars, dns providers, cdn providers, single hosting/cloud provider, etc.
Would you mind providing some details on this approach? Multiple domains in marketing materials sounds like it would create confusion among customers. Are you specifically referring to companies with an international presence? Thanks
I'm thinking international presence.
Airbnb has .com, .de, .co.uk, etc.
If they have some disaster with one, they just lose 1 country instead of the planet.
If there's a problem with .de, some users will be intelligent enough to try .com
And if you lose a ccTLD in a major country, you can focus your legal efforts in one legal jurisdiction.
In practice people don't think about or even look at URLs, that's why phishing works. They recognize sites based on logos and stylesheets and often go to places by googling the brand name and clicking on the first link. If you forward every domain to a primary domain at the DNS level, your pagerank probably won't be hurt by this practice.
to go a step further, adding out of band contact info is a big deal.
Forward firstname.lastname@example.org to email@example.com and give it out in the emergency support info for support contracts Add it to your status page as needed, (which should be running on someone else's service or mycompanynamestaus.com).
Customers that really need your service, like the ones who pay, will check the status page and can update the endpoint as needed.
Make sure your sip lines don't point to mycompanyname.com.
If you publish a client side app, use 2 domain names as endpoints, mycompanyname.com and mycompanyname.io. Have the app or service check for and fail over if one doesn't work.
Make sure paging and technician notification is handled by a system that won't be affected by this. (nothing more amazing then getting 200 pages AFTER you've spent 2 days recovering a total failure of a system. You just want to go to sleep but you have to wait for the email queue to drain since you can't turn your pager off.)
Either way, use 2 domain names, and set them to expire at 6 MO intervals. Buy the domain for 2 years (or more) and renew every year so you always have 1-2 year lead time to sort out issues.
The list above would probably cost about $200/year and a few extra hours but it keeps you from getting backed into a corner. Everything else in our infrastructures has fail overs, and limited blast radius for failures.
We tend to us domain registration as a single point of failure and one one even things about it.
Even if you pre-plan, how many of your customers will think some random e-mail from a totally different domain explaining the situation are not a Phishing attempt? (The percentage that don't .. are probably the percentage with the least security sense).
Perhaps, though, in this situation, the had 2/3 days to make people aware.
Also, if the call customer service and you validate it, then they are only offline for a couple hours not days. Also, you should have a status page or twitter or something out of band that you tell people about the day they sign up. You can update there.
EVERY production service with customers needs an out of band way to update. And you have to build and announce that before you need it.
Indeed, there's a reason large multi-nationals use companies like MarkMonitor as their Domain Register, even if they could get the same for $30/year, the potential loss in revenue and brand damage could be worth tens of thousands.
It is a much harder balancing act for a startup, finding a domain register who is reputable and responsive but not "overly" expensive. Even if your entire business relies on it, $1K+/year just may not be in the cards even knowing the risks.
I haven't used it but Google Domains claims they have telephone support and are reasonably priced. Might be worth people checking out, their Gsuite support has been pretty good.
You don't have to go all the way to $1k+/yr to get much more piece of mind. For well under $100/yr, EasyDNS offers fantastic support.
My go-to example of their customer service philosophy: A number of years ago, there was some problem in the electric grid that resulted in power outages over most of the Eastern US and Canada. In response to just their customer service being unavailable for 1 hr during the much longer outage (their production services were unaffected), they offered me a partial refund without me even knowing what had happened. I didn't take it.
Usual disclaimer: Not affiliated with them in any way other than as a satisfied customer for more than a decade.
Ditto. Very happy with EasyDNS these last 6 years. Had some wierd renewal issue 3 years ago similar to what the OP described but had someone on the phone immediately and the problem was resolved within the hour.
On what basis is your gsuite support -- Google's rep is "amongst the world's worst support unless your spending $millions" ...
Paid gsuite has live 24/7 phone support. I've used 5-6 times over 8 years and gotten 5-star service every single time.
Haven't needed to call them in the past 18 mos. or so, however, and these things can change.
I have gripes about aspects of gsuite itself, in particular how they've removed a few features that I used from the $5/user/mo tier. Had to move to $10 tier to keep email content filtering (ability to use regex to prevent accidental SSN or CC inclusion). The filtering setup is much easier to use now, but the old system worked well enough.
>Paid gsuite has live 24/7 phone support. I've used 5-6 times over 8 years and gotten 5-star service every single time.
I've been a reseller for most of the decade and I can honestly say in all the times we've called, we have never had a single issue corrected by support. We usually end up having to find workarounds for bugs. The last time was an autosuspension our panel(s - there are two versions now) would not let us un-suspend the client. This left him without email for a week, while support would only respond during the early AM hours, and would repeatedly ask us to prove identity, even though we were registered resellers with admin panel access.
In all the years of working with different vendors, I honestly cannot think of a single one with a 0% success rate in their support.
Office 365 is pretty close to that, actually. You need Premier support to get anything useful.
My favorite O365 support story is where first level support dicked around so long with a missing mailbox that by the time they escalated the ticket, their backup had been overwritten. Luckily it was a user’s archive mailbox and we still had their source PSTs, so not a lot was lost.
> Office 365 is pretty close to that, actually. You need Premier support to get anything useful.
I haven't had too much experience with their service support, but their app support seemed decent. I was having an issue with S/MIME signatures not being parsed properly on Outlook iOS. Support chat seemed competent and knew what was happening (no support for S/MIME signatures yet).
Differs by product. I got excellent support for my Pixel.
I haven't found that with any paid Google products. Both Gsuite and Google Adword's support have always been very responsive and easy to reach.
Google support is completely garbage paid or free
For $1000 you could preregister a domain for a century though.
> run your production stuff off a .com or country-level equivalent
In this case technically they did run from a country-level equivalent, .io is a ccTLD.
Granted no one ever appears to use .io for it's original purpose as the ccTLD for the British Indian Ocean Territory...
ccTLD management is delegated to a company in that nation usually. Unfortunately not all of them are equally well managed - I wouldn't consider gTLDs _exactly_ comparable to ccTLDs in this regard. ccTLDs get to differ in pretty key ways from gTLDs, including deciding their own dispute resolution processes (gTLDs all use the UDRP).
Not particularly surprising, as the BIOT's only residents are the US and UK military, since the UK deported the 1500 Chagossians in the 70s.
This is no guarantee. GoDaddy and Google Domains, in particular, have demonstrated willingness to throw you into clientHold hell for political reasons, even for "tried and true TLDs".
I remember last year how Google, GoDaddy and CloudFlair all threw this one website under the bus:
The Internet isn't as free as people think it is. Things still need to be hosts and those providers could simply chose to stop hosting you.
I'm pretty sure you can find a DC at either AMS-IX or DE-CIX where the contract won't allow them to kick you out during the politically heated time (i.e. you should find somewhere with a 1y+ term), and iirc both exchanges have, due to their non-profit nature, no ability to kick you out unless your actions are actually illegal. So, unless you get shut down by a court of law (both host countries have them (well, almost, but compared to the US they are great)), you get sufficient bandwidth at those providers.
Ofc eyeball networks can blackhole you w.r.t. their customers, but that is a whole different hurdle compared to just refusing to do business on the basis of freedom of contract/freedom of association.
Sure it will cost you, about $6k/month for 100Gbits, not including hardware and rackspace. But if you are 'just' concerned with your static website staying online on the clearnet, this should be affordable (i.e., you should be able to host them from ram, and serve up to 600Gbit/s from a 1U AMD Epyc, for like $7k in hardware, not counting the ram (15$/GiB of content you want to host, with a minimum of 32GiB, up to 512GiB getting a discount, and up to 2TiB being possible)).
Don't depend critically on companies risking political alignment with you, if what you do has any significant risk due to political association.
>The Daily Stormer, a website with highly controversial hate speech, was recently scrubbed from the Internet.
>A store cannot have blacks only and whites only bathrooms or water fountains.
It's amazing how someone can unironically defend the plight of a website that they admit produces "highly controversial hate speech" by comparing it indirectly to none other than racial segregation.
Today it’s the dregs, tomorrow it’s your nonconformity. Blindness in utilities is a good thing for everyone.
All I'm saying is that their own analogy is alarmingly lacking in self awareness, not commenting on what I believe.
Frankly though, this is blown way out of proportion. Plenty of people will do business with them. The Daily Stormer is just the ultimate martyr. They have mastered the art of doing one thing and saying another. They absolutely incite violence and hate, but they're careful to also simultaneously distance themselves from it and play the victim when they wonder why no big company really wants to do business with them. There's a reason why 4chan never really had this issue despite similarly controversial content and the answer isn't just "politics."
No, in my opinion, the real problem is that The Daily Stormer as an entity, is an Asshole. And just like they would in real life, they're being kicked out. Nobody has really made a compelling case otherwise, everyone seems more concerned that big companies actually made a non-nuetral decision (something I wish they'd do more often in the era of fake news and large scale abuse, an era they facilitated...)
I see no slippery slope here. There's a balance to be had.
Given how quickly people are to falsely group people (e.g. Ben Shapiro and Prager being called Alt-Right), I see a huge slippery slope. There really is no balance to be had since balance requires nuance which doesn’t seem to scale, ask YouTube.
Regardless of cost or how great the customer service, having all your eggs in one basket is not a good idea.
Namecheap also did the same for the same website. I switched away from Namecheap for this reason.
Yes. This is why I use iwantmyname.com
I also use them. It's been solid. Also, I used to have beers with the people working there back when I lived in NZ.
Used register.com since the 90s. They're so bad I switched 20+ domains to name.com.
DO NOT USE web.com or register.com, they're fucking terrible.
Happy name customer with .io domains that roll over properly. I've used most of the big guys as well (including The Network Solutions).
Network Solutions is an utter joke. I had them develop a website and the website was finished with web best practices from 15 years prior. Messy code, zero responsive design. Photoshop used to the max. Then the same website hosted with them was mysteriously "hacked" and disappeared. They had zero backups and continued charging to host the website they lost. Absolutely zero recourse for their incompetence. STAY AWAY
Paid via credit card? You can even reverse bank transactions. I do it plenty. Too many organizations are irresponsible.
I used Network Solutions when they were the only game in town. Switched to Register in the late 90s. Just stuck with them because I didn't have any issues.
In the last 5-10 years the issues started growing. Finally, I hit a wall and transferred everything off their service.
I now get spam emails of them trying to trick me into switching my domains back. The vitriol their helpdesk people receive is about as shitty as I get. Maybe they don't deserve it in their role, but hopefully the angry emails will get them to find a better job asap.
I had some fun with NameCheap and the xyz tlds.
Turns out, CentralNic (who actually runs the zones) was not doing proper validation on the glue records, and not removing old ones. NameCheap was sending CentralNic cached records, and managed to foobar my domain glues.
I bypassed NameCheap, because I knew they weren't the ones actually maintaining the records (registrars are just middle-men.) Using the DNS contact in the SOA, I got a response within 12 hours, and it was fully resolved within 24 hours (minus propagation.)
CentralNic contacted NameCheap, as did I, and they got their system fixed within the week.
CentralNic, not Nic. The roots were to nic.xyz.
Never heard of domain.com. If anyone wants a recommendation I use namecheap and have never had a problem. They are supporters of the EFF and Net Neutrality.
Edit: If you are going to downvote, state why. Namecheap is a good service for a good price and supports Internet freedom. When even GoDaddy was supporting SOPA Namecheap took a stand against SOPA.
"Never had a problem" is not very convincing. I'm sure the vast majority of domain.com customers never had a problem either.
I use domain.com and had TONS of problem. I've never had any problem when buying from anything that is not domain.com (even if i had any, it wasn't as fucked up as domain.com's issues)
Namecheap online support is seriously kick-butt great. Only complaint is that they don't support Letsencrypt certificates with their web hosting plans.
Yeah, I noticed that. What did they used to charge before Letsencrypt? $20?
And yet, my experience with namecheap support was terrible.
Screwed up the glue on the main domain in use for email, and after a week they still hadn’t resolved it. I fixed it by moving elsewhere.
Edit: the lesson I learned from this was - don’t use a bargain basement company for one of your company’s most important assets.
I use Namecheap and I generally like them. However I was having a repeat issue for several months using them for DNS with DNSSEC enabled. Basically, validation would fail because they'd let their records expire and "forget" to resign them. I'd notice my domains failing to resolve, and had to manually create a new record and delete it to force all my records to be resigned. Support seemed clueless, and I stumbled across this workaround by accident.
I opened multiple support tickets with them, and each time the issue would re-appear in 1-3 months. Went on for probably a year or so and I was just about to move to a different DNS provider when it stopped happening.
My complaint is Namecheap bundles useless junk services with the domain for free the first year even though I never asked for them. Then come the second year, they charge you for it without sending any notifications about renewing those services as well. I have had this happen to me and it is really annoying since I had to argue with their support for a few days to get a refund
My registrar suspended my domain because an abusive user was using a subdomain for phishing. They told me they can't inform me first of abuse so I can deal with it; they'll suspend the domain immediately.
Who's a good registrar that will contact me first if they get an abuse report?
I'm printing and framing this for the next time our PO brings this amazing sub-domain per user idea back on our backlog.
Yep, I've learned that hosting other people's stuff on your domain will harm the domain's reputation. Use a different domain for user content, and make it fungible.
The problem was the phishing, not the subdomain. If your app allows users to run phishing operations, moving the content from user.foo.com to www.foo.com/user probably won't help much in parent's scenario.
But it would help to run user content on user.foo.io just like Github.
I have to disagree. A phishing scam from "billing.foo.com" would be much harder to spot than one from "user-content.foo.com/billing". Especially if the user has free reign over the style + content.
If the user is going to be able to design + style the pages any way they want, having something in the URL to indicate it's still user content is important.
No. The problem is the subdomain. Allowing people to phish on a subdomain is lending the phisher the credibility of legitimate websites hosted on the domain. It’s like lending a thief your uniform so that he can disguise himself as an employee. You’re an accomplice when he uses it to steal.
How does zeit.co do it with `now`?
Perhaps equally important: Who was your registrar?
Google Domains. I asked:
> How is abuse reported? Can I be made aware of reports of abuse before the domain is suspended?
And support responded:
> Abuse reports can be submitted to our Abuse Team via email using firstname.lastname@example.org where reports are analyzed and investigated further. Warnings are not given out, however, unless the reporter also reached out to the registrant of the domain in question. If a domain has been found to be in violation of our terms of service, the necessary actions are taken.
Google to see who handles github.io, one figures all sorts of bad crap must be going on in their subdomains, even if they do try to police it.
MarkMonitor. Out of my league!
I've been happy with EasyDNS for more than a decade. They charge a bit more but treat customers well and in the few instances where I've contacted support, they've been great. I know there's a lot of cheaper registrars, but $1/wk doesn't seem like a lot to me to never worry about this stuff.
It’s your domain. They are under no obligation to report to you something you are doing. Phishers would use these emails to test whether or not they’re avoiding detection.
I work for a domain registrar, albeit not the one mentioned in the article.
Obviously, we see a lot of expired domains on a daily basis, mainly because customer's forget to renew despite us reminding them repeatedly during the three months before the domains expire.
1) Make sure there is more than one single contact person for invoicing. All too often, the problem is that a single employee is unavailable for some reason and that the rest of the business have no idea that the domain needs to be renewed.
2) Keep the contact details valid and up-to-date. This should be a no-brainer but a surprisingly large amount of businesses have domains registered to single employees, or with invalid contact emails.
3) Don't wait until the domains expire; renew the domains for at least one additional year. It will give you a whole year to fix stuff if you forget a reminder. EDIT: Or if the registrar screws up like in this case.
4) Automatic renewals is your friend. It's a last line of defense if all else fails.
5) Make sure you have a process for handling all of the above, even if you're a one-man business. Domain names are often critical for the business, and it's ridiculous to let the entire business rely upon a reminder sent 90 days before expiry.
They payed for the renewal in time. The registrar didn't forward it "in time", which is apparently a requirement from .io.
In this case, the registrar obviously screwed up. Still, if the domain had been renewed for an additional year already, the domain would not have been expired.
As sad as it may seem, you need to take other people's incompetence into account when you're dealing with business-critical things like domain names.
The domain was paid, the registrar took the money, but .io didn't renew it, because they need the renewal notice at least 3 days prior to expiry.
It was a registrar screw up, but my main take away is: avoid .io like plague.
See also: https://hackernoon.com/stop-using-io-domain-names-for-produc...
> avoid .io like plague
How else am I supposed to automatically add a layer of cool to my startup
Make the startup name something ending in .de and use a .de domain. The "TLD is part of the name" is also cool, and .de is reliable. e.g.: starma.de
.de actually has some tight requirements on it e.g. you need to include an "Impressum" on any hosted sites that states the name and address of a person responsible for the website
Every site targeting the German market has to do that, not just .de
And if you're a company you already have to publish a contact for legal matters anyway.
The only situation where an imprint doesn't already exist are scammers and personal sites, and personal sites don't need an imprint (if you make money with ads, it's not personal).
For English words that would work I guess. Here in EU a .de would also obviously point to something German which wouldn't be the intention.
It also wouldn’t be bad either – .de is even here in the EU considered a more trustworthy domain.
Personally I have my main stuff all on .de, my short domains on .eu, and then for certain projects purpose-specific domains on .info
Why even support EU users though with all the GDPR overhead? Unless you are a multinational who doesnt care about GDPR overheads, best not to target the EU market isnt it?
I'm in Brussels, right in the belly of the beast!
Name it something that ends in *-fy. That's still cool, right?
Back in the late 90's before it was Verisign (I can't recall the name), my domain registration could only be changed with an email from my domain. Of course I didn't have my domain up since I switched ISP and had to move my DNS and mail server. Catch 22; what a cluster fuck. Weeks of phone calls with no resolutions.
I was going to Virginia anyway, so I physically showed up at Verisign (I wanted to bring a baseball bat), and explained it to the lady at the front desk. She came back with an engineer who fixed it in 5 minutes.
As a side note, had to do something similar with Garmin. They kept sending me GPS units with horizontal LCD polarization, when vertical is the standard for sun glasses. Showed up and told the clerk to put on my sunglasses and turn her head sideways to her LCD monitor. "Oh yeah, I see". She fetched an engineer, and 1 week later had a GPS with correct polarization.
Sometimes it takes a physical presence; baseball bat optional.
With that advertisement for Spider Man, that's the last time I ever click an IMDB link.
Exactly. One of my favorite movies.
I'm so happy for OLED phones so I can use GPS in either orientation without severe distortion/dimming.
> before it was Verisign (I can't recall the name)
> so I physically showed up at Verisign (I wanted to bring a baseball bat)
Did you think to write a simple postal letter to them (say a VP or the CEO) rather than get angry enough to show up with a bat? Or send Fedex? Sure you shouldn't have to do that but from a practical angle it may have paid to do that.
Did I say I showed up with a bat? Yes, I did send mail.
Can you explain the LCD thing a bit more? I've not seen a physical separate GPS unit before.
Also more generally, once upon a time a GPS (Formally GPS Receiver) was a device the size of say, a multimeter, with a big battery pack, a simple monochrome unlit LCD panel display, and a radio (later, more expensive units had several radios). The device is doing fancy mathematics, and just receiving GPS signals, even the metadata about where to look for GPS satellites in the sky is available, very slowly, over GPS. It has no other source of data.
So you'd buy one or turn it on after uncrating it in a foreign country, and it'd literally spend ten or fifteen minutes calibrating, figuring out what the time is, what satellites are on what frequencies and which are above the horizon before it could at last discern your position. This was amazing if you genuinely didn't know where you were e.g. "Hmm, a desert". But you'd never have used one to go shopping - it took far too long.
Today your phone has a GPS with lots of radios (so it can listen to every satellite at the same time) it always knows the rough time,and it uses the Internet to get public shared data rather than wait to receive it slowly from GPS.
If you hold up two polarized sheets and rotate them, they'll get progressively darker until no light passes through when they are perpendicularly aligned. YouTube should have some videos, it was a pretty entertaining physics lab experiment.
Don't use *.io anyway. The domains are being sold under a very morally dubious arrangement, given the UK kicked all the people off the island of Chagos and gave the domain registration to a private entity.
The UK government's view of the Chagossians at the time they gave the island to the USA for a military base was apalling:
“Unfortunately along with the birds go some few Tarzans or Man Fridays whose origins are obscure and who are hopefully being wished on to Mauritius.”
Related - https://medium.com/@alexandernst/from-successful-to-zero-tha...
TL;DR: Don't use namecheap.com either.
Something that scares me regarding domain names is their variable cost. I purchased a .sexy domain for a joke website and its price got raised by +70% less than one year after that, making the joke a lot less appealing. There’s no guarantee that when you purchase a domain name it reasonably stays around that price for years.
Build a business on a domain -> the name increase by XX% -> you’re screwed and must pay.
If it's a joke, okay, 70% might hurt.
.sexy is about 60-100$ per year. If you've build a business on it, paying double the amount should not hurt.
For me the most important thing about this new gTLDs is more about reputation of the gTLD registry. What if these go out of service? I'm pretty sure that there exist a protocol for that case, but I'm also sure that domains in a less popular new gTLD space might get far less protection from ICANN than any non-sponsored gTLD.
> sexy is about 60-100$ per year. If you've build a business on it, paying double the amount should not hurt
I feel the issue is the lack of transparency and control. Who is to say some registrar won't start charging people per visit or % revenue in the future?
Sure, I hear you. If it's a registrar, it's okay, simply change it.
For a registry, I believe that they would risk their mass market business cases, but I'm also very sceptical about those ngTLDs for that reason.
Avoid the new gTLDs. Most are mismanaged crap. The gTLD system was the greedist and worst decision ICANN ever made.
Stick with tried and true domains - ideally .com, but your country's ccTLD is another good choice.
ccTLDs can have similar issues to the new gTLDs - the administration of those is contracted out by ICANN too, usually to a State level body of some kind. The quality of these varies hugely as well. This is also why countries with desirable ccTLDs like .tv (Tuvalu) abuse their position by charging more for their TLD.
.io as used in this example was a ccTLD, and this issue was directly caused by its mismanagement.
This is one of the potential drawbacks of using ccTLDs like .io - individual nations are afforded much more control in the administration and dispute resolution process than gTLDs. Unfortunately some are run more poorly than others, which is why in this case the support agent states:
"Unlike common domain names [gTLDs] like .com or .nets. .IO's are managed by a specific organization, that manages only .IO domain names..."
.IO of course being the ccTLD for the British Indian Ocean Territory, run by these chaps: http://www.icb.co.uk/
At any rate, it's worth bearing in mind that ccTLDs are not administered the same way as a gTLD, and weird issues like this that are a pain to resolve can happen.
And every couple of years someone finds this out the hard way and goes on a big rant like this one. Particularly with the .IO ccTLD. Or .LY.
It tells me that the person running the business isn't very good at estimating the business risk of the technology they're using. That's when I start hoping I'm not a customer of theirs and invariably find out that I'm not. Phew.
Do not rely on other people to resolve time-sensitive issues when you can easily avoid it.
In this particular case as soon as it's clear the domain hasn't renewed despite being billed then manually renew it using the usual user interface, pay the extra $10 and then contact support after to get one of the charges refunded now the time-sensitivity is gone.
The stress alone isn't worth being out of pocket $10 let alone only for a week or two.
According to one of the comments in the support ticket (at the end of the article) the registrar did not allow manually renewing the domain.
I believe that's true, I think the point stands though, when you realize a shit storm is coming, that's the right time to open your umbrella. Waiting until you've been out of business for three days is a little late.
I probably wouldn't stick around as a customer, not because they got screwed here but because they stood there with their hands on their head and watched the train wreck. That's the difference between amateurs and pros (and the pros learned this the hard way)
I create websites for small businesses. I've seen almost every conceivable domain renewal failure in my 20 years of experience. No matter how many times we remind clients to get this aspect of their business documented we still have sites go down every year. We charge a fee to "manage" domains for those who opt-in, solely for this reason (and it's worth it).
The most common reasons:
Bad contact email
Auto renew off
The more obscure:
Bought domain through a reseller who is now out of business (more common than you think)
"Branded" contact email which post expiration, no longer works.
Disgruntled "losing" webmaster who registered domain under his/her account and is now holding it hostage.
It is sad that often, a slightly less appealing .com domain is a better choice than a slick domain on an unreliable tld.
.io is run by morons. It's astounding that they haven't been fired.
We spend lot of time thinking about making our services resilient against failure at the infrastructure level yet the domain registrar is often overlooked.
Not only do you have to worry about them making a technical mistake there is also the risk of a phishing attack.
A while back I did a bit of research about what was the most reliable registrar and the only one that i could find was Markmonitor. Most of the big sites (google.com facebook.com etc) use them. They offer lots of cool features that i had never heard of like registrar level locking and custom 'protocols' (like a phonecall from X no. of authorised people) to validate a change. Plus some others that seemed less interesting (to me) such as the brand protection.
They do of course charge a pretty penny. From memory there was a minimum cost of $30k per year which allowed you pretty much as many domains as you might want and the promise of being able to get ahold of a human if something goes wrong.
Algolia implemented a retry strategy on a different domain, TLD, and provider in their API clients. See step 14 of this article: http://highscalability.com/blog/2015/7/27/algolias-fury-road...
Complicated to apply to a website, but it gives some thoughts.
I recommend using easydns.com as the registrar and DNS service. Their email helpdesk is fast: <30 minutes. They answer the phone immediately and they are knowledgeable. Phone support is during business hours, but the more expensive packages have 24hour support.
And yeah, you need to have a lot of faith to use .io or other new TLDs which are serviced by new companies.
I generally avoid metered services where cheap unmetered alternatives are available.
First of all, 5 million DNS requests sounds like very little. It probably isn't due to caching, but it's hard for me to judge what I need/whether that's enough.
Second, what happens when someone who doesn't like me decides to make 5 million DNS requests? 5 million packets sounds like something a decent connection might be able to fire out in a few seconds. If I pick their highest plan, will a person that has a grudge and a fast link capable of IP spoofing cost me $2/second (theoretically $5M/month, although I'm sure they'd show some mercy at that point)?
Okay, anyone want to confirm or add other DNS registrars to the "One of the good ones" list?
Ive been recommending my friends to do the entire thing through Dreamhost including a WP install.
I personally am more technical, and have my domain name from 7 years ago on godaddy. Any suggestions on where I should use? How about my incompetent friends?
I've always heard good things about gandi
I second this. I've been using gandi.net for a few years now and have had nothing but good experiences with them.
Thirding Gandi. Their web dashboard sucks but they are excellent when it comes to service, support and reliability.
Hmm, lots of people here recommend EasyDNS.
I'm curios so I went to check.
They say that the "DNS PRO" offer has 5 million queries/month. Is that a lot? Do they enforce the limit? That's 7000/requests/hour (or 115/minute or 2/second). That's not PRO in my books.
DNS results typically get cached for at least a few minutes, and most users use ISP or public DNS servers (eg, Google, CloudFlare, etc) which only do the lookup once for many users, so your authoritative DNS server will see only a fraction of the number of web requests you actually handle. I'd guess for most sites this is probably below 1% in terms of requests per second.
The results for DNS is cached, often by both browser and ISP resolver, so it's tough to determine the actual query rate for high traffic sites.
I use also easydns and hover and have nothing but good things to say about the support for both of these registrars.
+1 for Hover. No problems in close to a decade.
Same here for hover. Customer support is excellent and emails about expiring or renewing domains are timely.
.io is not a new domain tho, it's the country tld for Indian Ocean.
For those who want the short version: Never EVER use domain.com as your domain registrar. Yikes!
i really feel bad for those guys at uptimechecker.io
I had a related issue where a previous registrar — who we had moved away from months before — managed to accidentally "claw back" and disable our domain due to a misconfigured billing script. The fragility of the whole ecosystem is pretty scary.
Wrote it up on Medium @ https://medium.com/thisiscala/the-duct-tape-holding-the-inte...
Yes well. Don't use .io domains for anything serious.
I had one of the 20 largest .io domains for a time, until they shut us down because they received one complaint in 3 years. It took them 2 days after we resolved the matter to put the domain back online as well.
By that time I had already migrated to .org - which is run by a considerably more professional non-profit organization.
I worked at a domain registrar for over ten years. Every day I would have to deal with a call from some irate customer who's business was down because they forgot to renew the domain. This was after we would send them emails, starting a month before the renewal was due and then more frequently the closer they got to the renewal date. Many times they wouldn't even notice until the domain had passed the grace period, fully expired and been snatched up by some scalper and replaced with adverts.
Then they would be on the phone claiming to be losing thousands of pounds for every minute the website was offline and how it needed to be resolved right now or they would be sending in their lawyers.
If your business resolves around having a functional website, make sure you have a solid domain renewal plan in place and are hosting with a trustworthy registrar.
> This was after we would send them emails
Did your e-mails look like spam by any chance? e.g. contain images, look like newsletters, contain tracking pixels, etc. -- most such e-mails get auto-deleted on my end.
Just to be fair, this person waited until 3 days before expiration to verify that everything was ok with his registrar.
They should have done this 90 days ago.
Create and implement a business policy to have IT come up with a procedure to check this quarterly. There's no really any excuse for a tech company to have this happen.
Domain registrar and DNS for a company are too critical and fragile to go cheap on.
For personal, hobby, one-off marketing domains; sure go cheap.
But for something you earn money from? Go with highy recommended providers. Registrars with a secure administration, good track record of customer service, high reliability, etc.
Also spread the risk around. Don't have domain, DNS, and services with one provider. E.g. register domain with Gandhi, Hover etc, use DNS from Cloudflare, Route56, etc, and host with GCP, Heroku etc (for example).
And use several providers if you have multiple domains in case one implodes. That way not all of your domains disappears overnight.
And as many have mentioned already on this topic: Have well documented, well practised renewal processes, and renew for multiple years if possible.
> And use several providers if you have multiple domains in case one implodes.
I'd add only on refinement: if possible, use domains with different top-level (national) authorities.
Sadly, this kind of operational wisdom is rapidly being lost by the emphasis on hiring "DevOps" engineers, with most of the emphasis on the "Dev" part, since they're often just coders against cloud APIs, with much less value placed on traditional sysadmin (or what ended up being called operations engineering during and after the dot-com boom) experience.
Now, of course, that makes sense not to hire a full-time 100% sysadmin if what you (think you) need is a 5% (or less) sysadmin. Also, most startups, and probably even larger businesses, are going to be easily lulled into complacency by the uptime records of the larger vendors (or really just AWS), when following the best practices for technical reliability. "Infrastructure as code" is supposed to alleviate the human/administrative risk, and I'm actually convinced that it does to a very large degree (just at a huge cost in markup/profit for Amazon for that infrastructure).
If this service was some run of the mill e-commerce or SaaS I wouldn't have this reaction, but being a critical monitoring service that was down for days, this reflects very poorly on them. My reaction is that I'd never use uptimechecker.io. Quite honestly I am baffled why they'd even want to write this post for others unaware of their company and the outage to discover. It does not reflect well on them, despite spinning it and rightly blaming domain.com.
Just use a respected and well known registrar such as Amazon Route 53 domains. This could have all been avoided. I know the blame "should" fall on domain.com, but ultimately startups are responsible for their service.
Wasn't their fault. Their users deserve to know exactly what happened. I value transparency.
Absolutely, send your current customers an e-mail explaining... Just not convinced a public blog post is good business for them moving forward.
They might have completely shut you out with the silent treatment because they think you might sue. So maybe you should.
For a very long time, DNS simply has not been an identified risk for most corporations. In the risk analysis they make, DNS is not on the map at all, even though it may be a single point of complete collapse for them. Thus we see extremely large corporations depending on a single DNS provider, using a registrar that are more interested in profit rather than resilience against attacks, no DNSSEC. Etc etc. This is slowly changing. What is. Not changing fast enough is the ability to run more than one DNS provider, giving you yet another spof.
The whole domain registration system is a very complex and messy area to work with, both from a development as an enduser perspective. I speak from experience working at a hosting company implementing domain registrations directly with the registry systems.
It's a incomprehensible mishmash of tld's implementing different methods of registering, renewing, restoring, domains. Some require ID verification before registrations, some have a quarantine of 1 week, other of 4 weeks, some no quarantine. Some domains need to be renewed before expiry, some can still be used 2 weeks after expiry, some domains allow transfers and trades, others don't or do under strict circumstances. Some require transfer codes, others don't. Some transfer codes are valid for 1 week, some are valid for longer.
There is no decent standarization on the technical level when it comes to managing domain registrations. There is the EPP protocol but almost none of the registries implement a standardized way of registering domains each implementing a mess of extensions to suit their bureaucratic needs.
ICANN introducing over 1.2k new gTLD's some time ago also didn't help along with the introcution of domains containing non standard latin characters and the puny-code implementation there (eg: café.com is actually listed as xn--caf-dma.com)
I'm not trying to defend domain.com who obviously failed to deliver on the basics of decent support, but things like this (issues between domain vendor and registry) happen more than most of us like to admit.
This is an interesting discussion, as I’ve recently run into problems with transferring a domain from domain.com to google domains.
I’ve heard good things about google domains in the past and the price seemed right (never had a problem with domain.com, but they charge separately for domain privacy) and now I’m stuck in Vonnegut-like situation. They locked my account because apparently the record that was transferred in doesn’t exactly match my uploaded govt ID. I can’t/won’t change my legal name, and the account is locked so I can’t fix the record. The phone support was sympathetic but said I had to go through email, which I’m pretty sure is an AI. This has been going on for a month now, and I’m pretty sure I’m never going to get this resolved.
I haven’t seen any discussion or experiences people have with AWS route 53. Is that a valid option? Seems reasonable and has privacy included.
Pardon my ignorance, but this is something I've always wondered.
You can setup fail over DNS servers, just list different DNS servers, possibly from different companies, with your registrar.
Is the registrar a unavoidable single-point of failure? Your multiple name servers are listed with your one-and-only-one registrar, no matter what?
This wasn’t a technical problem with the domain. The DNS changed because op’s registrar failed to renew the domain. The website was working intermittently because of propagation, not a server issue.
Problems like this are why registrars renew domains a month before they expire. The way to avoid these issues is to check to see if your domain renews on time. If your registrar fails to renew it, you have ample time to transfer it to another registrar.
I understand it wasn't a technical problem.
I was wondering if it was possible to have a backup listing of your nameservers in some fashion?
I used a free domain coupon from domain.com a few years ago, and was spammed with both snail mail and robocalls (advertising services for the domain) for months afterwards. I don't know whether they're selling customer data or what, but it left me with a very negative image of their company.
> I don't know whether they're selling customer data or what, but it left me with a very negative image of their company.
Whois is public and has always been as required by ICANN. If you don't understand how things work then be fair and don't blame what you think is the obvious cause or reason. There are valid reasons for whois being public and all registrars have this in their agreement and it is widely known.
I know how WHOIS works. The letters were sent to my academic address, not the professional address I disclosed to WHOIS.
Whois is going dark shortly for at least six months, and maybe forever, due to GDPR. So much for the public Whois.
On my previous job we had to manage thousands of customer domains, including annual renewal.
This was very tedious task, so I wrote a Perl script, scraping WHOIS and DNS data for all domains listed on our DNS servers. Based on this data every domain was assigned a status, such as "Ok", "misconfigured", "about to expire", "points to foreign DNS server" or "points to foreign Web server". This script was scheduled to run every other day and sent CSV report (full and diff from previous run) to a person responsible for domain renewal.
Needless to say, our support specialists were very happy with this improvement.
Mistakes and glitches happen. Op should have noticed their domain did not renew a month before it expired, not just before.
DNS and domain propagation are slow turning ships. If a problem occurs, you sometimes need days to straighten out the problems.
> I tried to set nameservers to correct values, but Control panel returned error: uptimechekcer.io is not managed here!
They misspelled their own domain in this article. It seems their problem is a lack of attention to detail.
The complaint about charging for domain registration is nonsense. Domain registrations are non-refundable. If a registrar ever registered domains for customers before payment, they’d quickly find themselves out of business. Payment is always up front across the industry.
I had similar beef with a .io domain name many years ago: https://news.ycombinator.com/item?id=1973704
Big domain registrars operates usually on such a low profit margins that a single support ticket cost more than that customer will ever create in revenue. This create a very clear incentive models to focus on growth and keeping support costs down.
I work at a smaller registrar and we usually close (resolve) tickets within minutes and as a policy under the hour. We depend on word of mouth and contacts for sale, so we kind of have the opposite incentive model. I may be biased but I recommend avoiding the race to the bottom registrars for business critical domains.
Given that you’re in the industry perhaps you could list both yourself and your best, most reliable competitors. It’ll benefit all of you. And all of us.
So, how does one prepare for the worst? Let’s brainstorm:
0. Register alternative domains in advance with a different registrar.
1. Setup mailing list for all registered users and be prepared to blast them with a new domain.
2. Make mobile apps check both the main and the alternative domains.
3. Make the mobile app notify the user of a new domain name requirement via push notification and the like.
4. Setup the phone system so that it can read the new domain before connecting support.
5. Setup support on a different domain (e.g. zen desk). If zendesk goes down users will know to call us, if the main site goes down they may remember to check zendesk.
-1. Choose a domain registrar & TLD not known to be fishy or incompetent (so not .io)
There are 100 year domains renewals/registrations if anyone wonders. So if they really wanted to safeguard it, they could of done it.
This sorta reminds me of when Regions Bank forgot to renew its domain name.. for everything a smart business can do to acquire customers, developing groundbreaking software, etc - sometimes the things that break are the most obvious and mundane..
"“Sunkenness” refers to the fact that intangible assets tend to have little or no market value, unlike, say, land or a factory.
They have value as part of their owner’s business, but not to anybody else.
This means that investment in intangible assets is risky."
A lot of domain registrars seem to go for the "pile it high, sell it cheap" business model. I think as with any other commodity that a tech business (or any business!) needs to run, you pick your suppliers carefully.
In the UK, I wouldn't touch 123Reg with a stick because I know their support is terrible. I would however use Gandi or AWS as I know their support is decent.
I recall UnitedDomains (German provider) who wanted me in 2016 to fax the request to update the contact information. Fax it.
Times are mature for the equivalent of Letsencrypt for registering domains, something like Letsregistrar.
We need to have this inefficient industry wiped away since it's really too much manual and too much in the way.
If somebody wants to found a noprofit to create a free registrar, I'm 100% in.
>I recall UnitedDomains (German provider) who wanted me in 2016 to fax the request to update the contact information. Fax it.
I had a similar experience with an Austrian registrar a few years ago. Must be a regional thing, since Austria is Germany's Canada.
Nice pattern identification. I live in New Zealand and we are Australia's Canada.
> I recall UnitedDomains ...
United Domains rely on manual things very for a large part of domain related service processes which are "uncommon" for a private or small domain owner.
> If somebody wants to found a noprofit to create a free registrar, I'm 100% in.
For the German market I remember the good old times with InternetX before they were bought by United Internet. Had some good talks with their tech support back then.
A "free" registrar is maybe not the right solution. The key is "care" for your domain. Take your example of "letsencrypt". They exist because they automate everything. They don't "care" if your certificate causes troubles, they'd just fix their API. With domain registrars the story is different: You need a good support to prevent fraud, you need a good contact to registries if something goes wrong. Key learning here is: In 99% of the cases with domains, everything is fine. But if you find yourself in the 1% where trouble occurs, you need immediate support of competent people. Not sure if this is a case for a "community" or "free" registrar. More a business case for MarkMonitor without the Brand Protection: Simply a domain registrar who cares.
I transferred two domains from Ghandi to Lunarpages over a decade ago. Somehow, Ghandi's anonymization service was still enabled, and as a result, my domains were blocked a few months ago.
Took about a week for Lunarpages to straighten out.
(BTW, the spam calls started immediately after Lunarpages fixed the problem. It's a great thing that the EU finally twisted ICANN's arm over this issue.)
I don't know if this is a culture thing or personal style, but the author keeps emphasizing that the story is true. To me, that reduces credibility since I've often heard false stories whose narrators reiterated their truthfulness unexpectedly when I wasn't doubting them. Not very reliable logic, I know, but it's a small warning bell.
I always wonder how people care about "good prices" if they choose a registrar. Quite often the domain name is the most valuable asset of your company. As long as you are not a domain squatter you shouldn't care about if you pay $10 or $1000 per year. And if possible register the name for the next 10 years in advance.
I agree, but not all domains are fully fledged corporate entities - some of us just throw together fun things randomly and for that it's nice to have an $0.88 TLD.
I'm not sure the domain registrar is completely at fault here. If your website going down will "kill your business" then it's a good idea to use a reputable one and not the cheapest you can find.
And looking at domain.com just now, they don't seem to offer .io domains, so I wonder how he even got the domain there?
None of the .ly domain registrars have auto-renew. They have an option to send you a yearly invoice and a link to login, which they call "auto-renew", but it doesn't actually take the all-important step of renewing. Lost a great domain because of that.
You'd have a fantastic case for a lawsuit against them. Good job keeping a paper trail.
I had similar experience with domain.com
Their support team is from India, and they took a week to solve the issue.
I am looking for good domain service provider to transfer all of my domains 30+
Any recommendations? We use Digitalocean as the hosting service provider
I've used Namecheap for many years and have found them very reliable and their customer service responsive.
nearlyfreespeech.net provide great service, notifications and overall highly recommended. been customer with several domains transferred or registered with them over the past tears
They don't support registering ccTLDs, such as .io:
Yes I've heard of domain.com . In fact, we even used it for one of our products. We tried to purchase wildcard ssl via their control panel - the result was a delay from our go live schedule by as much as more than a week. It was the most horrible control panel I've ever used honestly. Feels like bug from the alpha release candidate V1 bugs list. there's this weird bug when it suddenly delete all our mailboxes for no reason. The moment we saw that bug we immediately stop using it.
The support? The first guy that tends to you will always be the most stupidest one. You almost always had to insist to get/ be forwarded to a senior level support with actual brain.
tl;dr Stay 100 miles away from domain.com .
By the way it wasn't me that chose domain.com . I would never buy from any website that looks like this.
thought this would be another idiotic story but it’s actually valuable.
still, some blame falls in their shoulders, cutting it so close.
anyway: use mark monitor. don’t know if they do .io though.
While they did cut it close for looking at renewal status, based on the following quote from the article, I can infer that the domain was set to auto-renew:
> I knew our domain should be renewed about these dates, and we were already billed for this renewal.
ICANN should make it mandatory for the domain registrars to send reminders at least 1 month before expiry.
If you can, just transfer your domains to Google Domains and never worry about shady registrars again.
(We also use Dynadot [good], Hexonet [good], Uniregistry [... okay].)
While Google's registrar seems ok right now, Google's support is nonexistent when things go wrong. Literally every bit of their support is outsourced to 3rd-party companies that provide no path of escalation.
Even the really bad registrars (and there are a ton) usually have some direct support (or resell off enom, which will extort your money for the privilege of bailing you out).
That's the point. Domains causes no problems. Only in some weird scenarios, things can become troublesome. In those cases you need a support. In others you don't.
If you have a domain registrar with a good support, account the premium you pay as such: a premium for an insurance when things go bad.
Plus Google will illegally seize your domain if they don't like you.
I'm curious, what makes you say that Uniregistry is "...okay"?
Uhm, wait, did you just recommend Google with their automated support? Or does Google Domains have better support since you're paying? I'm genuinely curious about that.
I _think_ TL;DR Domain.com, unless this is common with other registrars?
Is this a common problem in .io?
.io has particularly long lead times for renewals with third party registrars. I ran into a similar issue 8 years ago: https://news.ycombinator.com/item?id=1973704
Here's my plug for NameSilo. Try them and you will not regret it.
At my job, if I told the story like that, I'd be told "I'm being too negative."
DON'T GET SCAMMED!!!... I am a single mother of 2 boys, I needed a loan to pay for tuition fees for my sons but had negative listings and bad credit records which was caused by my strugglings to make ends meet since lost my husband to cancer. I needed a way out. I contacted over 4 different hackers which I got ripped off even though i told them about my situation and that i was also widow. They were still heartless and took my money without rendering the services they promised to. I thank God for my sister who introduced me to a hacker of hers who could help. We contacted him and with a reasonable amount of money my bad listings were flushed out in a week. It felt like magic as i remember shedding tears of joy on that very day. Contact him if you need such service at QUADHACKED(at)GMAIL(com)COM. He is the only one i trust.
Who on earth uses .io for production critical domains?
These posts are tiring.
> Who uses [any technology/infrastructure choice] on production?!
A lot of people. That's always the answer.
Using TLDs ran by monkey operators via registrars ran by barely competent companies is like screwing $5 full service hookers in NYC without a condom -- should you choose to do that you should not be surprised that you at best get gonorrhea and syphilis.
Here is the obligatory post about how bad .io treated security less than 1 year back . Someone was able to take over the whole .io zone just by registering a few domains.
Who on Earth would buy a .io domain if it were advertised that it might stop working for days at a time and you had no recourse?
It's not like .io is run out of a backoffice somewhere these days. Afilias provides the backend -- they handle a lot of different TLDs...
.io domains are popular, especially among the HN crowd; despite the high price and poor practices of the registrar. You should know that being on HN.
We use one. It had nothing to do with .io per se; it was just that .io hadn't been as throughly squatted yet.
Maybe that tell you something if even domain squatters avoid .io