Sudden loss of domain
French domains have eligibility requirements, which I met when I
registered a domain in 2013. In July 2023 I received a notification from
AFNIC (via my registrar, Gandi) saying if I couldn't prove eligibility,
they would suspend my domain in 7 days, and delete it in 30 days.
I figured there had been some mistake, and replied with eligibility
documents to prove eligibility. While waiting for a response, my partner
told me that she had tried to email me, but got a bounceback. Uh oh. My
domain was locked, whois was reporting ‘status: blocked’, its DNS
records were NXDOMAINing, and emails weren’t being delivered. Not
good!
This was inconvenient since my domain was used for email for all sorts
of accounts: housing, government, finance, shopping, friends, etc.
Here’s the plan I came up with and followed, and some lessons learned
from the situation.
- Audit DNS zonefile to see what else was on this domain: not much
thankfully!
- Audit the last 2 months of email, to identify any frequent or recent
emails sent to this domain, and update email address on accounts.
- Think through the risks of account takeover, if/when the domain is
registered by someone with eligibility.
- Over the next few days, audit last 2 years of emails, and update
those too.
- Try to appeal?
  - I received a response saying that though I had once been
  eligible, I no longer was eligible, and that I would soon lose
  ownership.
  - At this point I'd already mitigated most of the damage, so gave up
  on it.
Lessons learned
- Ironically, I use a custom domain for email for naming longevity and
the rights that come with domain ownership. Lesson: just because there
are rights granted to some, doesn’t mean they’re granted to me.
- I should pick TLDs with looser eligibility requirements.
Things that went well
- Nothing too bad happened! I learned of the issue quickly, saw most
recent emails were low value, and was able to change email address on
most accounts.
- It felt liberating?
- Though I lost the domain, I was able to transfer ownership of it to
a friend who could prove eligibility.
- Thanks to Gandi for helping escalate this with AFNIC. I'm not sure
how well smaller registrars would have fared here.
Things that went poorly
- Having little timezone overlap with my registrar and registry meant
most communications went through a 24-hour roundtrip.
  - This would have been worse if my registrar and registry were in
  different timezones: I have more flexible hours than their support
  teams.
- I lost access to some sites
  - Sites where I relied on "Login via email link" rather than
  username-password: healthchecks.io, liberapay, ...
  - Sites that don’t support renames: Epic Games, shopping, ...
- I had e-tickets sent to this domain for an event I was attending. I
couldn’t update the email address, so didn’t receive any ticket updates
that might have been sent. The event went fine though!
Things that were lucky
- I only used this domain for email addresses on some accounts, rather
than anything public (e.g. websites, GIT_COMMITTER_EMAIL)
- My partner noticed her email to me had bounced.
- I usually have monitoring for websites, but this domain was
email-only, so I had no automated alerts.
- I’ve since added DNS monitoring for all domains.
- I only lost DNS on one domain! If my DNS provider blocked my domains
(for whatever reasons), that would have been more inconvenient.
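
A sketch of the kind of DNS monitoring mentioned above, for an email-only domain that has no website to probe. This is an added example, not the setup actually used for this post: it sends an MX query and reports NXDOMAIN, an empty answer, or a timeout. The resolver address (9.9.9.9), the function names and the exit-code convention are assumptions.

```python
import secrets, socket, struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_MX = 15  # MX: the record an email-only domain depends on

def build_query(name, qtype=QTYPE_MX, txid=None):
    """Encode a single-question DNS query (RFC 1035 wire format)."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response, txid):
    """Return (status, answer_count) from a raw DNS response header."""
    if len(response) < 12:
        return "MALFORMED", 0
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or not a response
        return "MALFORMED", 0
    status = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if status == "NOERROR" and ancount == 0:
        status = "NODATA"  # name exists but publishes no MX record
    return status, ancount

def check_domain(name, resolver="9.9.9.9", timeout=3.0):
    """Query one resolver (assumed address) for MX; return (status, count)."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid=txid), (resolver, 53))
            data, _ = s.recvfrom(4096)
        except OSError:  # covers timeouts and unreachable networks
            return "TIMEOUT", 0
    return classify(data, txid)

if __name__ == "__main__":
    import sys
    failed = False
    for domain in sys.argv[1:]:  # domains to watch, passed as arguments
        status, n = check_domain(domain)
        print(f"{domain}: {status} ({n} MX)")
        failed |= status != "NOERROR"
    sys.exit(1 if failed else 0)  # non-zero exit lets cron or a scheduler alert
```

Run from a scheduler on a machine that does not depend on the monitored domain for its alerts, otherwise the alert email bounces along with everything else.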