French domains have eligibility requirements, which I met when
I registered a domain in 2013. In July 2023 I received a
notification from AFNIC (via my registrar, Gandi) saying if I
couldn't prove eligibility, they would suspend my domain in 7
days, and delete it in 30 days.
I figured there had been some mistake, and replied with
documents proving my eligibility. While waiting for a
response, my partner told me that she had tried to email me, but
got a bounceback. Uh oh. My domain was locked, whois was
reporting ‘status: blocked’, its DNS records were NXDOMAINing,
and emails weren’t being delivered. Not good!
This was inconvenient since my domain was used for email on
all sorts of accounts: housing, government, finance, shopping,
friends, etc.
Here’s the plan I came up with and followed, and some lessons
learned from the situation.
Audit DNS zonefile to see what else was on this domain: not
much thankfully!
Audit the last 2 months of email, to identify any frequent
or recent emails sent to this domain, and update email address
on accounts.
Think through the risks of account takeover, if/when the
domain is registered by someone with eligibility.
Over the next few days, audit last 2 years of emails, and
update those too.
Try to appeal?
I received a response saying that though I had once
been eligible, I was no longer eligible, and that I
would soon lose ownership.
At this point I'd already mitigated most of the damage,
so gave up on it.
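The email-audit step in the plan above (find who still sends mail to the doomed domain, most recent and most frequent first, then widen the window to two years), as an added example that is not part of the original post. It reads a standard mbox export with the Python standard library; the domain name `example.fr` and the sample mailbox are constructed stand-ins, since the post names neither the domain nor the accounts.

```python
"""Audit a mailbox for senders that still reach addresses on a domain
that is about to disappear, so those accounts can be moved first."""
import mailbox
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email.utils import getaddresses, parsedate_to_datetime

# Assumption: the post never names the domain; "example.fr" stands in for it.
LOST_DOMAIN = "example.fr"

# Constructed sample mailbox, not the author's mail. Standard mbox format:
# each message starts with a "From sender date" separator line.
SAMPLE_MBOX = """\
From alerts@bank.example Mon Jun 05 10:00:00 2023
From: Example Bank <alerts@bank.example>
To: finance@example.fr
Date: Mon, 05 Jun 2023 10:00:00 +0000
Subject: Statement available

Your statement is ready.

From alerts@bank.example Mon Jul 03 10:00:00 2023
From: Example Bank <alerts@bank.example>
To: finance@example.fr
Date: Mon, 03 Jul 2023 10:00:00 +0000
Subject: Statement available

Your statement is ready.

From orders@shop.example Sat Jul 01 09:00:00 2023
From: Shop <orders@shop.example>
To: Shopping <shopping@example.fr>
Cc: partner@other.example
Date: Sat, 01 Jul 2023 09:00:00 +0000
Subject: Order shipped

On its way.

From news@list.example Fri Jan 06 08:00:00 2023
From: Newsletter <news@list.example>
To: news@example.fr
Date: Fri, 06 Jan 2023 08:00:00 +0000
Subject: January issue

Old and low value.
"""


def write_sample_mbox():
    """Write the constructed mailbox to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE_MBOX)
    return f.name


def our_recipients(msg, domain):
    """Recipient addresses (To/Cc) on `domain`, lowercased."""
    suffix = "@" + domain.lower()
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr.lower().endswith(suffix)}


def audit_mbox(path, domain, now, window_days=60):
    """Group mail sent to `domain` within the window by sending domain.

    Returns a list of (sender_domain, info) sorted most recent first, so the
    accounts that still actively email the doomed domain get moved first.
    """
    cutoff = now - timedelta(days=window_days)
    report = defaultdict(lambda: {"count": 0, "last_seen": None,
                                  "senders": set(), "our_addresses": set()})
    for msg in mailbox.mbox(path):
        ours = our_recipients(msg, domain)
        if not ours:
            continue  # not addressed to the lost domain at all
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # missing or unparseable Date header
        if sent.tzinfo is None:  # "-0000" dates come back naive
            sent = sent.replace(tzinfo=timezone.utc)
        if sent < cutoff:
            continue
        sender = getaddresses([msg.get("From", "")])[0][1].lower()
        sender_domain = sender.rpartition("@")[2]
        if not sender_domain:
            continue
        info = report[sender_domain]
        info["count"] += 1
        info["senders"].add(sender)
        info["our_addresses"] |= ours  # aliases in use, e.g. shopping@...
        if info["last_seen"] is None or sent > info["last_seen"]:
            info["last_seen"] = sent
    return sorted(report.items(),
                  key=lambda kv: (kv[1]["last_seen"], kv[1]["count"]),
                  reverse=True)


def audit_sample(window_days=60):
    """Run the audit over the constructed mailbox as of 2023-07-10."""
    now = datetime(2023, 7, 10, tzinfo=timezone.utc)
    return audit_mbox(write_sample_mbox(), LOST_DOMAIN, now, window_days)


if __name__ == "__main__":
    for sender_domain, info in audit_sample():
        print(f"{sender_domain:14} {info['count']:2} msgs, "
              f"last {info['last_seen']:%Y-%m-%d}, "
              f"to {', '.join(sorted(info['our_addresses']))}")
```

Run it once with the default 60-day window for the urgent pass, then again with `window_days=730` for the two-year sweep; the `our_addresses` set matters when the domain was used with per-service aliases, because each alias is a separate login to update.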
Lessons learned
Ironically, I use a custom domain for email for naming
longevity and the rights that come with domain ownership.
Lesson: just because there are rights granted to some, doesn’t
mean they’re granted to me.
I should pick TLDs with looser eligibility
requirements.
Things that went well
Nothing too bad happened! I learned of the issue quickly,
saw most recent emails were low value, and was able to change
email address on most accounts.
It felt liberating?
Though I lost the domain, I was able to transfer ownership
of it to a friend who could prove eligibility.
Thanks to Gandi for helping escalate this with AFNIC.
I'm not sure how well smaller registrars would have fared
here.
Things that went poorly
Having little timezone overlap with my registrar and
registry meant most communications went through a 24-hour
roundtrip.
This would have been worse if my registrar and registry
were in different timezones: I have more flexible hours
than their support teams.
I lost access to some sites
Sites where I relied on "Login via email link" rather
than username-password: healthchecks.io, liberapay,
...
Sites that don’t support renames: Epic Games, shopping,
...
I had e-tickets sent to this domain for an event I was
attending. I couldn’t update the email address, so didn’t
receive any ticket updates that might have been sent. The
event went fine though!
Things that were lucky
I only used this domain for email addresses on some
accounts, rather than anything public (e.g. websites,
GIT_COMMITTER_EMAIL)
My partner noticed her email to me had bounced.
I usually have monitoring for websites, but this domain
was email-only, so I had no automated alerts.
I’ve since added DNS monitoring for all domains.
I only lost DNS on one domain! If my DNS provider blocked
my domains (for whatever reasons), that would have been more
inconvenient.
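The DNS monitoring mentioned above, as an added example that is not part of the original post. For an email-only domain the check has to ask for MX records and distinguish NXDOMAIN (the delegation is gone, which is what a registry suspension looks like) from NODATA (the name exists but has no MX) and from resolver errors; this probe builds the query and parses the response header with the standard library only. The choice of Quad9 (9.9.9.9) as the default resolver and the `fake_response` helper for offline testing are this example's assumptions.

```python
"""Raw DNS probe for email-only domains: ask for MX records over UDP and tell
NXDOMAIN (the name is gone) apart from NODATA (the name exists, just no MX)."""
import random
import socket
import struct

QTYPE_MX = 15
RCODE_NXDOMAIN = 3


def build_query(name, qtype=QTYPE_MX, txid=None):
    """Encode a single-question DNS query with the RD (recursion desired) bit."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def parse_header(data, expected_txid):
    """Pull txid, RCODE and the answer count out of a DNS response header."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {"rcode": flags & 0x000F, "answers": ancount,
            "truncated": bool(flags & 0x0200)}


def classify(hdr):
    """Map a parsed header to an alert state for a monitoring check."""
    if hdr["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"   # delegation gone (suspension/deletion): page someone
    if hdr["rcode"] != 0:
        return "ERROR"      # SERVFAIL, REFUSED, ...: resolver or DNSSEC trouble
    if hdr["answers"] == 0:
        return "NODATA"     # name exists but has no MX: mail will still bounce
    return "OK"


def check_mx(name, resolver=("9.9.9.9", 53), timeout=3.0):
    """Live check. Assumption: Quad9 over UDP/53 is a reasonable default."""
    txid = random.randrange(0, 1 << 16)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, resolver)
        data, _ = sock.recvfrom(4096)
    return classify(parse_header(data, txid))


def fake_response(txid, rcode, answers):
    """Constructed response header only (no question/answer sections), so the
    classifier can be exercised offline. 0x8180 = QR, RD and RA set."""
    return struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, answers, 0, 0)


if __name__ == "__main__":
    # Assumption: example.fr stands in for the monitored domain.
    print("example.fr MX:", check_mx("example.fr"))
```

Two caveats when turning this into an alert: query more than one resolver (or the zone's authoritative servers) so a single resolver's negative cache does not mask or delay the transition, and treat "NODATA" as a failure too, because a domain that resolves but has lost its MX records bounces mail just as surely as one that NXDOMAINs.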