An explanation of exactly when Go Daddy puts a transfer lock on domains for making a whois change.
It seems that every month someone emails me about how GoDaddy places a 60 day lock when you make certain changes to your whois information. The lock prevents you from transferring the domain name to another registrar.
I also get a lot of search visitors searching for information about this lock based on previous stories I’ve written.
Yesterday I caught up with Camille Ede, Director of Domain Services at Go Daddy, to understand exactly when the lock is placed.
As it turns out, the lock is currently only required in the very specific case where you change the registrant’s organization name or first/last name.
Whois information has four different contact types: registrant, administrative, technical, and billing. This may be somewhat confusing since most people list the same contact info for each contact type, as well as update all four at the same time if a change is necessary.
The registrant information is the most important. When a domain name is hijacked out of a Go Daddy account and transferred to another registrar, Go Daddy is more likely to be able to get it back if the registrant’s organization or name hasn’t changed. Ede says the registrar can rely on a provision in ICANN’s policy to more easily get the domain back if this information hasn’t changed.
So if you change your email address, address, or phone number, you are not required to opt-in to the 60 day lock. You also don’t have to opt in if you change the organization or first/last name in the administrative, technical, or billing contacts.
Technically, I believe what Go Daddy is doing violates this ICANN advisory. In fact, the advisory was likely written specifically because of Go Daddy’s locks as it says you can’t require someone to opt-in to a lock to change their whois information.
But since the lock opt-in requirement is only for changes to the registrant name, it’s not going to ensnare as many domains as I previously thought.
The biggest issue I can see is if you want to quickly flip a domain and the buyer wants it at a different registrar. For example, you may buy a domain from someone and change the registrant information to yourself; you’d then be prevented from transferring the domain to another buyer at a different registrar for 60 days.
George Kirikos says
Like Andrew, I think it’s a violation of the ICANN policy, and have argued it to ICANN compliance (who’ve done nothing). See for example:
Someone should challenge their behaviour using the TDRP. However, each time I’ve asked GoDaddy to waive their lock (i.e. “begging” them to follow the rules), they’ve done so — making me not the ideal person to initiate such a challenge (i.e. to create the precedent that GoDaddy’s interpretation of the policy is simply wrong).
George Kirikos says
By the way, Andrew’s idea that the “biggest issue” is in relation to flippers is not my biggest issue. If ICANN institutes a “clawback” procedure to undo domain name transfers (as the IRTP-B working group has been trying to do, over the objections of the public, first under the name ETRP, but now they’re trying to make it even worse via a so-called “Emergency Action Channel”, with a *4 hour* required response time and an *unlimited* time to challenge a transfer, i.e. you can undo a transfer from 5 years ago, as currently drafted), then the ideal method to avoid the implications of such a policy (to prevent seller’s remorse, etc.) would be to have the change of registrant be at the OLD registrar, and then transfer it to the new registrar.
With GoDaddy’s 60-day lock, though, the new buyer would be stuck at a registrar they don’t want to be at. The new registrar might be superior for a number of reasons, e.g. better legal jurisdiction (if your company is not in Arizona, do you want your domains governed by Arizona laws?), better security (e.g. availability of VeriSign-lock or other measures), better customer support (not trying to upsell you everytime you call in for technical help), and so on.
GoDaddy loves to create the myth of rampant domain hijackings, and that they’re doing this to protect people. But, they refuse to share the numbers on actual hijackings. There was a consensus in the IRTP-B report public comments that hijackings were not a major issue, but registrars not cooperating with transfers were a much bigger problem. Of course, those comments were ignored. Plus, you don’t need to have a 60-day lock to prevent hijackings….there are far better *proactive* ways to protect high profile domains, rather than forcing legitimate registrants to be stuck at registrars they don’t wish to use.
That sounds like the domain name is changing “ownership” from party to another. In that case, I think they have perfectly valid case for the lock. In reviewing the RAA, I see nothing that even requires a registrar to support a change of registrant, it’s basically an assignment of the Registation Agreement between the Registrar and Registrant and both parties should be able to condition that if both parties agree. If they don’t agree it don’t happen, or the registrant can transfer first to a Registrar that will agree to conditions of reassignment that they like.
A perfect example of why the Vertical Integration Code of Conduct notion is surreal
andrew, godaddy has given you BS. i have some of my domains there and they REQUIRE you to tick the box acknowledging a 60 day lock any time you change anything eg: an email address. i also noticed that “somehow” some email addresses had disappeared sometime before the yearly icann update – that’s when they did the 60 day lock thing. was this an “accident” or not? i don’t know. i’ve seen a few things that i’m not impressed about with godaddy, this is one of them.
Andrew Allemann says
@ rob – I verified it yesterday on all types of changes and it only happened in the specific cases they mentioned. However, I think this has changed over time.
I guess I don’t really understand the issue. If you are going to flip a domain, you simply need to plan for this waiting period. This lock is put in place to protect users from domain theft. It’s not just GoDaddy either, I’ve seen other registrars observe this.
Andrew Allemann says
@ Batfan – I’m not familiar with any other registrars that put a 60 day lock on domains (other than the initial registration). Can you share which ones so I can look into it?
If the domain is near the expiry date (20%)then the renewal has to occur at the registrar from where the name is being transfered. This awards an anti competitive advantage to larger players.
@Andrew – You know what, it seems your right. I could’ve sworn I’d heard of at least 1 other registrar doing this in the past but, I couldn’t locate any now. That being said, I still don’t think it’s a bad policy. I spent nearly 4 years working @ a major registrar and attempted domain theft is very common.
Andrew Allemann says
@ Batfan, thanks…please let me know if you ever come across any of them.
Given your previous experience, would you say the most common thing that happens before a domain is hijacked is that the email address is changed? This would make it easier for a thief to transfer out the domain.
Andrew can’t you just ask the people at resellerclub how many emails they receive on a monthly basis from Verisign that a transfer has been aborted without reason ?
Then you know a lil more how many and who are cancelling transfers based on a changed whois and are violating the ICANN policy that clearly states :
2. A registrant change to Whois information is not a valid reason to deny a transfer request.
Just a wild idea 😉
@Andrew – Definitely. A quick change of the admin email and the domain is gone. Most of the time it is an ex spouse (or business partner) or a disgruntled web developer.
OK, so #1 question is if someone steals the domain, put a 15 days lock on it then, 60 days is caveman terminology, if you don’t notice your doman is gone in 15 days, then you won’t notice it gone in 60 days, even 30 days, 60 days is much to long, only good thing is godaddy is #1 registar and most people use them, but some absolutely don’t want too.
“You don’t need to have a 60-day lock to prevent hijackings….there are far better *proactive* ways to protect high profile domains”
The idea that GoDaddy imposes this 60 day lock
to prevent domain hijacking is nonsense.
They do it so you can’t transfer out.
For my GoDaddy account I have a 4 digit security code that is not recorded anywhere
in my account.
I have to give that code to GoDaddy support staff if I call over the phone otherwise they will not access my account.
There is no reason this code couldn’t be required to be entered to make any changes
especially for transferring out and pushes.
After 3 false attempts the account should automatically lockdown.
Fabulous.com does this using Challenge/Response questions.
“For my GoDaddy account I have a 4 digit security code that is not recorded anywhere
in my account.”
Actually, that’s not correct. Your 4 digit PIN is fully viewable in your account.
My Account > Account Settings > Account Security Information
George Kirikos says
GoDaddy has something called the “Domain Transfer Validation Service”:
which allows owners of high profile domain names to have greater security than is their default.
“You are making an explicit and voluntary request to Go Daddy to deny all attempts to transfer Your domain name to another registrar, or to move Your domain name to another account, unless You verify each request as described herein. You will provide Go Daddy with a contact name, phone number and PIN for domain transfer validations. You will be contacted by Go Daddy when a domain transfer is requested for a domain name in Your Go Daddy account. When Go Daddy receives a transfer request, Go Daddy will call You to verify the transfer request. If Go Daddy can not reach You with seventy-two (72) hours of receipt of the transfer request, the transfer will be denied. If You do not provide the proper PIN, the transfer will be denied. When Go Daddy receives a change of account request, Go Daddy will call You to verify the change request. If Go Daddy can not reach You with seventy-two (72) hours of receipt of the change request, the change will be denied. If You do not provide the proper PIN, the change will be denied.”
GoDaddy has refused to provide statistics on domain hijackings, yet they offer this “premium” service. If a registrant has validated the account change via this service, why does the name need to be held hostage for another 60 days? GoDaddy clients who’ve had their domains stolen have themselves to blame, given that they had the ability to opt-in to these proactive higher levels of security, but chose not to do so.
If GoDaddy wanted to increase security, they could make the “DOMAIN TRANSFER VALIDATION SERVICE” be free to all their clients. It’s their choice *not* to offer it for free. They should not be imposing costs upon legitimate registrants (forcing them to stay at an undesired registrar) through things they have 100% control over, namely their own validation procedures (or lack thereof).
The cost of such validation, by the way, is minimal. Most dentists have automated systems that send appointment reminders, for example, which would be comparable (instead of pressing “1” to accept the reminder, one could enter a PIN code instead to validate a transfer). With VOIP, outgoing calls around the world are very inexpensive.
“Actually, that’s not correct. Your 4 digit PIN is fully viewable in your account.”
Thanks Batfan for the correction.
I see GoDaddy calls it a Call-In Pin number.
When acquiring a domain at GD from another person/entity, I always initiate a transfer out instead of a push (unless that domain was in turn acquired in less than 60 days prior). Otherwise, one is required to accept the terms and conditions locking the domain down for 60 days in order to accept a domain push.
Andrew: Normally you are someone who doesn’t mind ruffling some feathers in the interests of journalistic objectivity.
Why is there no mention here of you asking Camille Ede why GoDaddy is doing this in beach of ICANN policy?
Your own experience indicates that this drives lots of people mad.
The really bizarre thing about it is that GoDaddy is one of the few registrars that enables you to affect an instant registrar transfer (out) without waiting for five days (I cant recall the technical term for the registry command, but GoDaddy provides it in your account consol).
George Kirikos says
Nic: That’s called the “ACK” command, I believe. Lots of other registrars allow one to confirm the outgoing transfer (e.g. Tucows, NSI, etc.) to make it finish more quickly.
Danny Pryor says
The issue I have (had) with GoDaddy is that the opt-in option is the default, and anyone who has ever visited the GoDaddy site knows there are myriad things happening on the screen, and sometimes the vital stuff is not apparent. My resolution to the innumerable issues that offended me (opt-in/opt-out was not even one of them) was to REMOVE all my domains from GoDaddy. I just believe (this is a personal belief that I am entitled to have) is that GoDaddy is a shyster outfit.
I’m pretty sure Netfirms and it’s sister company Nexx put a 30-60 day lock on domain names when the registrar data has been changed. I also recently purchased a .ca domain name that was grabbed from the TBR list from myID.ca and they are not transferring me the name for 60 days.
Not sure this is the case with Netsol. I have been able to transfer names out within a week of receiving them and having the registrant info changed to reflect my own.
I do believe the 60 day lock that Godaddy (and it’s resellers) impose upon info edit is at minimum, excessive. I lean towards it being both self-serving and against ICANN policy…
Hmmm now let me see… So it applies to the Registrant Name field… But not the email address because that would contravene ICANN’s mission to try and get registrants to keep the WHOIS as up to date as possible.
So how does that help with security?
With regards to being voluntary is it possible for the person buying the domain to do a transfer away or does it have to be the previous registrant? I.e if you don’t accept the [cough] “voluntary” lock are you unable to accept the name in your account in the first place?
Better for security by far is Fabulous.com’s usb stick that has to be inserted and button pressed to insert encrypted password before any changes that YOU choose can be made, such as transfer, contacts etc etc. Then no matter if you get hacked they cannot transfer domains out. Costs $50 for the usb stick but worth it.
Having worked at Godaddy, I can tell you they are far from a shyster outfit. The owner’s goal is to provide world class service. I’ve worked in many call centers and this one has way more training than any other. The 60 day lock can be overridden by a supervisor if you really NEED your domain transferred away so bad.
Why not just sell your domain and do a change of account on it to a free account for the person you sold it to and let them worry about it? This lock comes up very infrequently. I’ve had maybe 3 or 4 calls about it in 2 years, and I take like 30+ calls per day.
“I have read and agree to the Domain Name Change Registrant Agreement and understand the domain cannot be transferred within the next 60 days.”
This isn’t actually “OPTIONAL” – if you want to make any change then its not a matter of “opt-in” but rather “forced-in”.
Whats worse is their domain privacy nonsense. I had a domain on privacy – few days prior to wanting to transfer it out, I turned privacy off. Guess what that does… it removes all fields from your whois and it doesn’t leave behind a valid email address. SO in order to fix this, you need to update ALL contact details and get “forced-in”.
Its things like this that have made me move more than 200 domains out of GD. I still have 70-80 left there, but they’re getting moved at every opportunity I get.
Sharon Hayes says
I recently commented on FB about a situation we are dealing with. http://www.facebook.com/note.php?note_id=10150181310598175&comments rather than repeat it all here. The reason the 60 day lock happened in this case was because they wanted us to consolidate multiple accounts into one. They couldn’t do it for us because we had an SSL in the account. We actually had the domain for almost a year!
For chrissake! The admin email can be changed without initiating the GD lock, and that is all that needs to be changed in order for the domain to be transferred. The new registrant can change the contact information once the transfer is complete. For the record, the GD lock prevents transfers TO as well as from them so it is no sinister attempt to keep customers.
For chrissake! The admin email can be changed without initiating the GD lock, and that is all that needs to be changed in order for the domain to be transferred
If that is/was right then it’s about as much use a chocolate fireguard from a security perspective. So why have it at at all?
Andrew Allemann says
@ gpmgroup – true. I think the email is the most likely why a domain is stolen.
This is extortion by GoDaddy, nothing but pure blackmail – “Pay us or lose your domain”
What about the reseller account. I bought the domain name http://opensourcesidh.com from reseller account. The domain name will be transfer to me only after 60 days?.
I am bit confused.
David G says
I learned today that Godaddy actually has an email address to deal with/override this. Send an email to email@example.com Still cannot override ‘registrant’ changes, though, only changes in other contact info (eg. company name, phone number, etc.)
Adalie Belle says
I have a few domains hosted at GoDaddy, and it’s posting my address, phone number, and email address on my whois results.
It looks like they charge an exorbitant $10/year for “private registration” to hide this. Is that correct? Every other company I’ve used does this for free.
This means that my domains at GoDaddy will effectively cost me twice as much per year. Is there any way around this? e.g. I believe I can go into my GoDaddy and just change the details, but someone told me that doing so would hamper my ability to defend my ownership of the domain if it was contested. Any truth to that?
Having your details available to the internet is how it has always been with domains. It’s a stupid way things are set up but that is nothing special for godaddy. Also most registrars do not provide whois privacy for free. Not a defending godaddy but your thing is completely normal when it comes to domains.
I just bumped into this 60 day lock with godaddy. Namecheap log in was down a day and a half ago and I had to use godaddy to buy a domain. Now I am stuck at godaddy :<
I don’t think this is “safer” at all imo it’s just godaddy looking to cash in when people decide to vacate and can’t. Is there a way to appeal this non authorized lock of my domain?
I have a question I’m hoping someone can answer…
If I transfer my domain name to another GoDaddy account and the 60-day lock is applied to that domain name, will the email addresses I have set up with that domain still function, or will emails bounce back until the 60-day period expires?
Thanks in advance!
Misleading headline. There is no real way to avoid the lock, is there?
Just ran into this. Went to xfer out a few domain names and found that while I verify and update my icann contact info annually on all domains (each having identical records for all contact types), godaddy has somehow corrupted or malformed all contact info except “admin” on my accounts thus restricting other registrars that have automated systems dependent upon the whois lookup for transfers. Updating the email address is not enough apparently and many registrars require the “organization name” to be present or possibly even all contact fields complete. If it’s not, no go. In my case, a portion of the actual address appears to be copied into each field as if their system had a malfunction but fields such as the org name are now empty.
I’ve sent an email to firstname.lastname@example.org to fix this but in my opinion this is completely “shyster” type of activity otherwise its just really bad timing or convenient for godaddy to have a system glitch, a type of glitch that causes a 60-day lock out, right before a domain expiration. Additionally, it is not “opt-in” it is “forced-in” as they provide no way to update the contact information without agreeing to the lock out. Icann violation for sure. https://archive.icann.org/en/transfers/policy-12jul04.htm
File complaints here: https://forms.icann.org/en/resources/compliance/complaints/transfer/form
My domain sunrizetravelntours.com is also locked by godaddy. I missed to change privacy option while received code for transfer. After that I found domain is locked. It is expired on 13th June’17.
Richard Robbins says
I’ve seen multiple people on GoDaddy’s boards saying that they only changed their contact email and got the 60-day lock: https://community.godaddy.com/s/question/0D53t00006VmW2CCAV/how-to-override-the-60-day-transfer-lock
If that’s true, apparently the 60-day lock applies to more than just updating company or contact information.