> With a registry lock in place, your registrar cannot move your domain to another registrar on its own. Doing so requires manual contact verification by the appropriate domain registry, such as Verisign — which is the authoritative registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and .jobs.
Putting a 'registry' lock into place has upsides and downsides. As mentioned in the story, the downside is that in an emergency it's harder to make a change because of the friction of an extra step (and that means any change, even DNS servers).
That said, it still doesn't prevent social engineering. The implication in the article is that if you social engineer a CSR at a registrar, the registrar having to take another step to get a domain unlocked (contact the registry, i.e. in the case of .com et al. Verisign) means someone will say 'hmm, let's be sure on this'. In theory, why would this happen? Once someone has been social engineered, that's that, right? (I mean, sure, it's another step and sure that could mean someone thinks more, but...)
Now let's say you take care of a domain using registry lock. What is the tradeoff if someone gains access to your DNS servers and you need to change those servers, but you can't do that easily because the domain is registry locked and now you need to depend on a registrar to contact the registry and get that done? How quickly will that happen?
My point is it's not a non-trivial decision to make at all and the downside has to be taken into consideration.
One last point. There are procedures in place, if a domain is transferred to another registrar, to get it back to the original registrar. The best advice is to set up some kind of manual monitoring (not dependent on a registrar) where you periodically check the registry WHOIS for the domain and note any changes to it (DNS or otherwise).
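The registrar-independent monitoring the comment above recommends, as an added example that is not part of the original post: a small Python script that queries the registry's own WHOIS server over TCP/43, parses the registrar, name servers and EPP status codes out of the reply, and diffs them against a saved baseline. It also flags the case the thread is really about, a `server*Prohibited` status (the codes a registry lock sets) disappearing from the record. The WHOIS server name, the `Name Server:`/`Domain Status:` line format and the two sample records are assumptions I have made for the example; the sample records are constructed, not real lookups.

```python
"""Registry WHOIS change monitor (added example, not from the original post).

Assumptions (all labelled, none from the page): whois.verisign-grs.com is the
thin-registry WHOIS server for .com/.net; replies carry "Registrar:",
"Name Server:" and "Domain Status:" lines. Sample records are constructed.
"""
from __future__ import annotations

import json
import socket
from pathlib import Path

# EPP status codes a registry lock typically sets; losing any of them is an alert.
REGISTRY_LOCK_STATUSES = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}


def fetch_whois(domain: str, server: str = "whois.verisign-grs.com", timeout: float = 10.0) -> str:
    """Query the registry WHOIS server directly (RFC 3912, TCP/43) so the
    check does not depend on the registrar's portal or API."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"domain {domain}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Reduce a WHOIS reply to the fields worth tracking over time."""
    record = {"registrar": None, "name_servers": set(), "statuses": set()}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server" and value:
            record["name_servers"].add(value.lower().rstrip("."))
        elif key == "domain status" and value:
            record["statuses"].add(value.split()[0])  # drop the trailing ICANN URL
        elif key == "registrar" and value and record["registrar"] is None:
            record["registrar"] = value
    return record


def diff_records(baseline: dict, current: dict) -> list[str]:
    """Return human-readable alerts for every change that matters."""
    alerts = []
    if baseline["registrar"] != current["registrar"]:
        alerts.append(f"registrar changed: {baseline['registrar']!r} -> {current['registrar']!r}")
    added = current["name_servers"] - baseline["name_servers"]
    removed = baseline["name_servers"] - current["name_servers"]
    if added or removed:
        alerts.append(f"name servers changed: +{sorted(added)} -{sorted(removed)}")
    lost_locks = (baseline["statuses"] & REGISTRY_LOCK_STATUSES) - current["statuses"]
    if lost_locks:
        alerts.append(f"registry lock status removed: {sorted(lost_locks)}")
    new_statuses = current["statuses"] - baseline["statuses"]
    if new_statuses:
        alerts.append(f"new status codes: {sorted(new_statuses)}")
    return alerts


def save_baseline(path: Path, record: dict) -> None:
    path.write_text(json.dumps({k: sorted(v) if isinstance(v, set) else v for k, v in record.items()}))


def load_baseline(path: Path) -> dict:
    data = json.loads(path.read_text())
    return {"registrar": data["registrar"],
            "name_servers": set(data["name_servers"]),
            "statuses": set(data["statuses"])}


def check_domain(domain: str, baseline_path: Path) -> list[str]:
    """Live check: first run records a baseline, later runs report drift."""
    current = parse_whois(fetch_whois(domain))
    if not baseline_path.exists():
        save_baseline(baseline_path, current)
        return []
    return diff_records(load_baseline(baseline_path), current)


# Constructed sample records (not real WHOIS output) for an offline run.
BASELINE_SAMPLE = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
"""
CHANGED_SAMPLE = """\
   Domain Name: EXAMPLE.COM
   Registrar: Other Registrar LLC
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1.UNKNOWN-HOST.EXAMPLE
   Name Server: NS2.EXAMPLE.NET
"""

if __name__ == "__main__":
    for alert in diff_records(parse_whois(BASELINE_SAMPLE), parse_whois(CHANGED_SAMPLE)):
        print("ALERT:", alert)
```

Run `check_domain("example.com", Path("example.com.baseline.json"))` from cron to do the periodic check the comment describes; the baseline is only written once, so every later difference is surfaced rather than silently absorbed. The offline sample shows all three of the changes worth paging someone for: a new registrar, a swapped name server, and the registry lock statuses gone.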