by nitinag 4546 days ago
Competitor registrar here. This is actually required by the new 2013 ICANN contract. Not all registrars are on the new contract yet, but those that have already signed are required to start following it as of January.

Link: http://www.icann.org/en/resources/registrars/raa/approved-wi...

You can thank the law enforcement lobby and ICANN wanting to keep them happy. All of us registrars fought hard against it for a number of obvious reasons, but they went forward with it anyway.

Almost all registrars will be on the new contract soon if they aren't already, because ICANN made it a requirement to be able to sell the new gTLDs. This is now going to be a normal part of owning a domain name.

4 comments

Can you clarify what the 'obvious reasons' are, for those who are not domain experts?

Example 1: You are a large company, and registered 200 domain names for various products, spellings, local shops and such.

That is 200 verification emails, which now need to be pressed, or whoops: no more working web shop or email, and the internal API will stop working, and so on. Remember that broken DNS will cause emails to bounce rather than being resent later by the mail server.

Example 2: A company is changing name/owner, and in the middle of all this needs to register a new domain name. Whoops, forgot to activate in all that?

Example 3: technical contact is on vacation.

Your first example isn't correct. As with the existing WDRP emails that people receive, registrars can batch the verifications. Also, verification doesn't need to be done on a domain-by-domain basis, but on a contact-by-contact basis, thus if all 200 domains use the same one contact in all roles, only one verification needs to be done.

Of course, if your registrar doesn't manage contacts as separate objects from domains (and some don't), then yeah, you'll end up getting a boatload of verification emails.

You'll also start finding a bunch of registrars doing email address checks to ensure deliverability before any registrations or contact updates are performed: this is for the customer's good and the registrar's good.

Registrars have to make a best effort to contact the customer by email. That means that if the email does bounce initially (due to DNS issues, full mailbox, &c.), it's up to the registrar to try again until the grace period expires.

Your second one isn't correct: if your contact has already been verified, there's no need to verify again. It's only if the contact is new or updated that verification needs to be done.

In the third case, you should be using roles, not individuals. Mail aliases were invented for a reason: no one person should be receiving these emails, so it's really your own tough luck if you're a business and you're not ensuring that there's somebody always able to receive and process the emails. Moreover, verification happens when a contact is created or updated, so it should be an address with somebody immediately able to process the verification request.

As far as my ability to write authoritatively on the subject goes, I'm the development lead for a registrar, and implemented most of our domain management system myself.

Not a domain expert, but I think the obvious reason of having your domains get deactivated because you didn't check email to be rather silly.

While I'm personally not a fan, it's not all that silly. If you've registered a domain in the past, your registrar likely invoices you by emailing you the invoice when your domain comes up for renewal (margins are so tight that it's the only cost-effective way). And if you're not checking your mail and you haven't authorised them to automatically charge your credit card, it's possible to miss your payment reminders, which could lead your domain to go into redemption and be deleted for non-payment.

Also, the verification checks only need to be done after you initially submit your contact details or after you attempt to change them, so it shouldn't be too much of an issue.

The big problem that registrars face is that law enforcement want us, the registrars, to verify phone numbers and addresses too, which is going to push up costs quite a bit, even if we find ways of doing so without having to actually phone people.

It's going to suck.

Verifying a phone number should be pretty easy - auto-call, force them to enter a code. Apart from calling cell phones and some countries, it shouldn't cost more than a few pennies.

Verifying addresses sounds like a real pain though. I imagine they'd want a scan of some ID or something else just as silly. Hopefully ICANN can push back on LE.

Less straightforward than you'd think. Ideally, it'd just be a matter of a text or call and having them input a code, but the costs lie in the failure state: we already deal with a large number of ccTLD registries, and many of those, including the IEDR (.ie) who we deal with regularly, require some form of documentation to allow domains to be registered, contacts to be updated, &c. Even with a 30% gross margin on .ie domains, the support costs with a highly automated application documentation submission process are high enough that we don't actually make much money on two-year registrations until the first renewal.

Thankfully, the new requirements for gTLDs aren't quite that onerous: we have to contact them to validate phone numbers and emails (which can mostly be automated), and we only have to ensure that the address provided is valid. That said, the costs involved in address verification aren't small, and we're hedging potential savings in avoiding fraudulent customers against the additional costs involved.

ICANN can't push back against the LEAs though: this stuff is now in the contract, so we're all stuck with it.

Some of us are waiting on ICANN to process waivers so that we can opt out of certain requirements of the 2013 RAA that are contrary to our local law, but ICANN are dragging their heels on processing the waiver requests. That's especially an issue for European registrars like ourselves, as we have stricter data privacy laws than the US does.

The verification and validation requirements the LEAs pushed down our throats are still crazy, even if they're not as bad now as what they were initially looking for.

> You can thank the law enforcement lobby and ICANN wanting to keep them happy.

Yeah, because there's absolutely no way to have an anonymous email address... /s But seriously, what does law enforcement think this will accomplish? I could see ICANN wanting to cut down on squatters or other domain delinquents, but for tracking down criminals this seems pointless. If anyone has theories or info on what they hope to accomplish I'd be interested.

If domains weren't obnoxious enough to deal with, a combination of contact verification and hundreds of new top level domains really is just icing on the cake. I just renewed my domains so that I don't have to bother with verification for a while, and somehow the amount of upselling is just astounding.