by bluehatbrit 1414 days ago
Isn't this the case with every DNS provider? If you're not using them as a registrar but want to switch DNS providers you'll want to be able to load in all your DNS settings beforehand. As long as your NS records aren't pointing to them it's perfectly fine. DigitalOcean, Route53, they all work the same in my experience.

I don't really get what Cloudflare did wrong here. Someone tried to transfer your domain name and your registrar blocked it because you hadn't authorised it, what exactly was the problem?

Not a shill for them or anything, but I don't really understand what you're expecting them to do differently to everyone else.

2 comments

>I don't really get what Cloudflare did wrong here. Someone tried to transfer your domain name and your registrar blocked it because you hadn't authorised it, what exactly was the problem?

Cloudflare refused to engage with the problem, offloading their legal responsibility (for enabling theft and fraud) onto me - the domain registrant

As it was, for a few days (because Cloudflare's developed a reputation of being "trustworthy"), my domains mostly didn't resolve - and not just for people who use Cloudflare's public DNS resolver

I, for one, am not OK with Cloudflare enabling this kind of fraud

> my domains mostly didn't resolve - and not just for people who use Cloudflare's public DNS resolver

Right, this makes total sense as to why you're frustrated with them, I would be too. From what you'd said previously it sounded like you were annoyed they wouldn't take responsibility for something they're not the registrar for which seemed a bit unfair on them. If they actually started diverting traffic in some way before the transfer had been rejected then that's pretty bad.

>If they actually started diverting traffic in some way before the transfer had been rejected then that's pretty bad.

They did

And continued to do so for ~1 week until I was able to claim back the fraudulent account (thankfully the scamsters had used a real email associated with me (but not with the domains, oddly enough), so I was eventually able to enable 2fa on it and shut it down)

I've never seen it anywhere else :: if this is what you consider "normal"...I'm kinda concerned you don't understand the security implications of [attempted] thefts like this

Whoever was trying to steal access to my domains was trying to overrule the authoritative status of my registrar's DNS servers

All you said here was that a DNS service is letting someone list DNS records for a domain. That's totally harmless if your domain's NS records aren't pointed at their nameservers. You can do this with Route53 and DigitalOcean right now if you want but it won't have any impact because your domain name NS records point to your DNS provider.

As you mentioned in your other comment though, which you hadn't mentioned previously, Cloudflare's DNS resolver started using their records before they'd actually received control of the domain (which was of course rejected). That's really bad and surprising, but allowing someone to set up DNS records for a domain name isn't a problem and is required in some situations for DNS migrations.

Merely creating a DNS record that remains unused? Sure

That happens

Activating said DNS record when you have no authority to do so?

That's bad

Very bad