Domain name Registry Lock by the numbers

Many important websites haven’t added Registry Lock to protect against hacks similar to what brought down

Last month domain name registrar Melbourne IT was compromised, resulting in the hack of’s nameserver record.

The New York Times’ problem could have been prevented had the company paid a little extra for Verisign’s Registry Lock service. Registry Lock adds another layer of protection against unauthorized domain name transfers and nameserver updates.

With a typical cost of under $50 a month (Verisign charges $10; registrars add their own markup), Registry Lock is a nominal expense for big companies. Surprisingly, a lot of big sites don’t use it.

The raw numbers

The domain data pros at DomainTools routinely collect the “thin” whois data from Verisign for .com and .net domain names. The company collected status information between August 15 and August 27 for over 125 million domains, which roughly represents all of the domains in existence as of August 15. (Note that this was prior to the hack and news about Registry Lock that came out afterward.)

Just 14,509 .com/.net domains contained some variation of Registry Lock at the time the data was collected.

…but those aren’t all paying customers

This number greatly overstates the number of domain owners that have paid to add the service to their valuable domain names. Many of the domain names included in the top line number were locked by the registry as a result of legal actions instead of at the customer’s request.

For example, the DomainTools data provided to DNW show that 1,614 domains at GoDaddy had Registry Lock during the collection period. Yet the registrar doesn’t even offer the product to customers.

A couple hundred of the company’s own domain names have Registry Lock. The rest of the GoDaddy domains showing Registry Lock are likely stuck in legal proceedings or seized by the government. For example, and, both seized by the U.S. Government earlier this year and registered at GoDaddy, now show Registry Lock.

This may explain why registrars, Xin Net Technology Corporation and HiChina are among the top five domain registrars in terms of Registry Locked domain names.

About 1 in 300 domains registered at are locked at the registry level. This includes seized domains and

Top ten domain registrars in terms of total number of .com/.net domains locked by registry. At some registrars, many of these domains are locked for legal purposes, not because the customer paid for Verisign’s Registry Lock.

So far fewer then the 14,509 domains showing Registry Lock have turned it on for security purposes.

Many large sites don’t use Registry Lock

When you consider that only a small portion of the 14,509 sites with Registry Lock have asked for the service, there’s no doubt that relatively few companies have added the protection to their top domain names overall.

That’s even more apparent when you look at a list of the top websites.

Of the 1,000 largest .com/.net websites (Alexa), just 92 had Registry Lock turned on during the data collection period. Popular destinations such as, Microsoft’s,, and Pinterest all lack Registry Lock. (In fact, Pinterest didn’t even have a registrar lock turned on. There are over 26 million websites without Registrar Lock, meaning it’s even easier to steal the domain names.) and added Registry Lock after the attack.

Why more sites don’t use Registry Lock

There are a few reasons there may be low adoption of Verisign’s Registry Lock: availability, knowledge, and potential drawbacks.

Rich Merdinger, Vice President of Domains at GoDaddy, told Domain Name Wire that it generally hasn’t considered Registry Lock an “appropriate fit for our primary customer segments”, but “since the recent compromise to, we have heard from a few of our enterprise customers and are reviewing the advantages and disadvantages of offering a Registry Lock.”

One of those drawbacks, as Merdinger points out, is the inability to make quick changes to DNS if a domain has registry lock.

I suspect the biggest reason more large websites haven’t adopted Registry Lock is awareness. That awareness is growing in wake of the hacking. I expect more domains to have Registry Lock the next time the numbers are run…and that won’t be because of government domain seizures.


    • says

      AFAIK, there’s no requirement that registrars even offer Registry Lock in the first place. Maybe will offer that service at some point, depending on demand from their own customer base.

      (Disclosure: I’m also a affiliate. I share what I know and let people decide for themselves whether or not the registrar fits them.)

  1. Marius says

    Registry Lock does not prevent updates on DNS Zones, even with the Registry Lock would have gone offline….
    The Registry Lock is only a part of the right solution!

      • Marius says

        you cannot change namesevers at the Registry while the LOCK is active, right.
        But you can change any DNS Records in the Zone if the registrar also delivers DNS Services. The LOCK won’t help if someone changes your A-Records 😉

Leave a Reply