French domains have eligibility requirements, which I met when I
registered a domain in 2013. In July 2023 I received a notification from
AFNIC (via my registrar, Gandi) saying if I couldn't prove eligibility,
they would suspend my domain in 7 days, and delete it in 30 days.
I figured there had been some mistake, and replied with documents to
prove my eligibility. While waiting for a response, my partner
told me that she had tried to email me, but got a bounceback. Uh oh. My
domain was locked, whois was reporting ‘status: blocked’, its DNS records
were NXDOMAINing, and emails weren’t being delivered. Not good!
This was inconvenient since my domain was used for email on all sorts of
accounts: housing, government, finance, shopping, friends, etc.
Here’s the plan I came up with and followed, and some lessons learned from
the situation.
Audit the DNS zonefile to see what else was on this domain: not much,
thankfully!
Audit the last 2 months of email to identify any frequent or recent
emails sent to this domain, and update the email address on those accounts.
Think through the risks of account takeover, if/when the domain is
registered by someone with eligibility.
Over the next few days, audit last 2 years of emails, and update those
too.
Try to appeal?
I received a response saying that though I had once been eligible, I
was no longer eligible, and that I would soon lose ownership.
At this point I'd already mitigated most of the damage, so I gave up
on it.
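One way to do the email audit from step 2 of the plan, as an added example that is not part of the original post: a Python script that walks an mbox export (the format most mail clients and providers can produce), finds every message addressed to a mailbox at the lost domain, and ranks sender domains by most recent message and by count, so the accounts still sending mail there stand out. The domain name, the cutoff date and the mbox contents are constructed for illustration; nothing here reflects the author's actual mail.

```python
"""Audit an mbox export for messages sent to addresses at a lost domain.

Added example, not from the original post. Sender domains are ranked by
most recent message and count, so the accounts still mailing the lost
domain (the ones to re-point first) stand out.
"""
import mailbox
import os
import tempfile
from datetime import datetime, timezone
from email.utils import getaddresses, parsedate_to_datetime

LOST_DOMAIN = "example.fr"  # constructed: the domain about to be suspended
# constructed: the audit runs in mid-July 2023 and looks back two months
CUTOFF = datetime(2023, 5, 15, tzinfo=timezone.utc)

# Constructed mbox: two recent messages from a bank, one older message
# from a shop (Cc'd to a plus-address), one not addressed to the domain.
SAMPLE_MBOX = """\
From alerts@bank.example Mon Jul  3 09:00:00 2023
From: Bank <alerts@bank.example>
To: me@example.fr
Date: Mon, 03 Jul 2023 09:00:00 +0000
Subject: Statement ready

body

From alerts@bank.example Mon Jul 10 09:00:00 2023
From: Bank <alerts@bank.example>
To: Someone <me@example.fr>
Date: Mon, 10 Jul 2023 09:00:00 +0000
Subject: New device login

body

From orders@shop.example Sat Jan  7 12:00:00 2023
From: orders@shop.example
To: other@elsewhere.example
Cc: me+shop@example.fr
Date: Sat, 07 Jan 2023 12:00:00 +0000
Subject: Your order

body

From friend@other.example Tue Jul 11 10:00:00 2023
From: friend@other.example
To: someone-else@example.org
Date: Tue, 11 Jul 2023 10:00:00 +0000
Subject: Unrelated

body
"""


def recipients_at(msg, domain):
    """Addresses in To/Cc/Delivered-To that belong to `domain` (lower-cased)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    suffix = "@" + domain.lower()
    return {addr.lower() for _, addr in getaddresses(headers) if addr.lower().endswith(suffix)}


def audit_mbox(path, domain, since=None):
    """Tally messages addressed to `domain`, keyed by sender domain.

    Returns {sender_domain: {"count", "last_seen", "addresses"}}, most
    recently seen sender first. Messages dated before `since` are skipped,
    as are undated messages (they cannot be placed in the window).
    """
    report = {}
    box = mailbox.mbox(path)
    try:
        for msg in box:
            ours = recipients_at(msg, domain)
            if not ours:
                continue
            try:
                when = parsedate_to_datetime(msg["Date"])
            except (TypeError, ValueError):
                continue
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if since is not None and when < since:
                continue
            senders = getaddresses(msg.get_all("From", []))
            sender_dom = senders[0][1].rsplit("@", 1)[-1].lower() if senders else "(unknown)"
            entry = report.setdefault(sender_dom, {"count": 0, "last_seen": when, "addresses": set()})
            entry["count"] += 1
            entry["last_seen"] = max(entry["last_seen"], when)
            entry["addresses"].update(ours)
    finally:
        box.close()
    return dict(sorted(report.items(), key=lambda kv: kv[1]["last_seen"], reverse=True))


def write_sample_mbox():
    """Write the constructed mbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def run_demo():
    """Audit the constructed mbox twice: last two months, then everything."""
    path = write_sample_mbox()
    try:
        return audit_mbox(path, LOST_DOMAIN, since=CUTOFF), audit_mbox(path, LOST_DOMAIN)
    finally:
        os.remove(path)


if __name__ == "__main__":
    recent, _ = run_demo()
    for sender, info in recent.items():
        print(f"{sender:18} {info['count']:3} msgs, last {info['last_seen']:%Y-%m-%d}, to {sorted(info['addresses'])}")
```

Run it against a real export by replacing `write_sample_mbox()` with the path of the export and `CUTOFF` with today minus two months; the plus-addressed recipients in the output are a useful hint about which account each sender belongs to.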
Lessons learned
Ironically, I use a custom domain for email for naming longevity and the
rights that come with domain ownership. Lesson: just because there are
rights granted to some, doesn’t mean they’re granted to me.
I should pick TLDs with looser eligibility requirements.
Things that went well
Nothing too bad happened! I learned of the issue quickly, saw most
recent emails were low value, and was able to change email address on
most accounts.
It felt liberating?
Though I lost the domain, I was able to transfer ownership of it to a
friend who could prove eligibility.
Thanks to Gandi for helping escalate this with AFNIC. I'm not sure
how well smaller registrars would have fared here.
Things that went poorly
Having little timezone overlap with my registrar and registry meant most
communications went through a 24-hour roundtrip.
This would have been worse if my registrar and registry were in
different timezones: I have more flexible hours than their support
teams.
I lost access to some sites
Sites where I relied on "Login via email link" rather than
username-password: healthchecks.io, liberapay, ...
Sites that don’t support renames: Epic Games, shopping, ...
I had e-tickets sent to this domain for an event I was attending. I
couldn’t update the email address, so didn’t receive any ticket
updates that might have been sent. The event went fine though!
Things that were lucky
I only used this domain for email addresses on some accounts, rather
than anything public (e.g. websites, GIT_COMMITTER_EMAIL)
My partner noticed her email to me had bounced.
I usually have monitoring for websites, but this domain was
email-only, so I had no automated alerts.
I’ve since added DNS monitoring for all domains.
I only lost DNS on one domain! If my DNS provider had blocked my domains
(for whatever reason), that would have been more inconvenient.
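The DNS check that would have caught this outage, as an added example (not the author's monitoring setup): it compares the live NS and MX answers for a domain against a baseline snapshot and alerts on the two failure modes in this post, the apex going NXDOMAIN when the registry suspends the name, and the delegation or mail records drifting when a DNS provider or someone else changes them. The resolver is passed in as a function so the logic runs offline against constructed answers; `live_lookup` is the real one and assumes dnspython is installed. The domain name and record values are constructed for illustration.

```python
"""Alert when a domain stops resolving or its NS/MX records drift.

Added example, not the author's monitoring setup. Queries go through a
pluggable `lookup(name, rtype)` so the check can be exercised offline.
"""

DOMAIN = "example.fr"  # constructed: an email-only domain
# Constructed baseline snapshot, taken while the domain was healthy.
BASELINE = {
    "NS": ["ns1.dns.example.", "ns2.dns.example."],
    "MX": ["10 mail.example.net."],
}


def live_lookup(name, rtype):
    """Real resolver: returns (status, sorted record texts).

    Assumption: dnspython is installed (pip install dnspython). Imported
    lazily so the offline demo below runs without it.
    """
    import dns.exception
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, rtype)
    except dns.resolver.NXDOMAIN:
        return "NXDOMAIN", []  # the name is gone: suspension or deletion
    except dns.resolver.NoAnswer:
        return "NOERROR", []   # name exists but has no records of this type
    except (dns.resolver.NoNameservers, dns.exception.Timeout):
        return "SERVFAIL", []  # broken delegation or unreachable servers
    return "NOERROR", sorted(r.to_text().lower() for r in answer)


def table_lookup(table):
    """Offline resolver over a {(name, rtype): (status, records)} table.
    Anything not in the table answers NXDOMAIN, like a deleted zone."""
    def lookup(name, rtype):
        return table.get((name.lower().rstrip("."), rtype.upper()), ("NXDOMAIN", []))
    return lookup


def check_domain(domain, baseline, lookup):
    """Compare live answers with the baseline; return a list of alert strings."""
    alerts = []
    for rtype, expected in baseline.items():
        status, records = lookup(domain, rtype)
        if status == "NXDOMAIN":
            alerts.append(f"{domain}: NXDOMAIN on {rtype} query; domain suspended or deleted?")
            break  # every other type will answer NXDOMAIN too
        if status != "NOERROR":
            alerts.append(f"{domain}: {rtype} query failed with {status}")
            continue
        if sorted(r.lower() for r in records) != sorted(e.lower() for e in expected):
            alerts.append(f"{domain}: {rtype} drifted; expected {sorted(expected)}, got {sorted(records)}")
    return alerts


# Constructed answer tables for three situations.
HEALTHY = {
    (DOMAIN, "NS"): ("NOERROR", BASELINE["NS"]),
    (DOMAIN, "MX"): ("NOERROR", BASELINE["MX"]),
}
SCENARIOS = {
    "healthy": HEALTHY,
    "suspended": {},  # registry pulled the delegation: every query is NXDOMAIN
    "mx_drift": {**HEALTHY, (DOMAIN, "MX"): ("NOERROR", ["10 mail.elsewhere.example."])},
}


def run_demo():
    """Run the check against each constructed scenario."""
    return {name: check_domain(DOMAIN, BASELINE, table_lookup(t)) for name, t in SCENARIOS.items()}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, "->", alerts or "ok")
```

For real monitoring, call `check_domain(domain, baseline, live_lookup)` from cron for every domain you own, email-only ones included, and page on any non-empty result. The whois status line the post mentions is a separate signal that this check does not cover.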