Security and abuse mitigation locks
The Dragon RSP platform supports a range of locking functionality, built on the industry-standard Extensible Provisioning Protocol (“EPP”), to manage the security of domain names and to support abuse mitigation.
Registrar Lock
All registries on the Dragon RSP platform have the option to configure a registrar lock as standard. Registrar Lock is defined through EPP ‘client’ statuses, which can be applied individually to domain, host or contact objects in the registry.
Registrar Lock can be updated by a registrar through EPP or Dragon Domain Manager without any further credential challenges; therefore, if a registrar's machines have been compromised, the lock can be removed.
Registrars are able to set one or more of the following EPP statuses as part of a registrar lock:
It is a common misconception that locking a domain name will also prevent changes to the nameserver hosts or contact data associated with the domain. Each Domain, Host or Contact object must be locked independently of the others. (For example, if a domain name has update prohibited set, renaming the host object can still result in a change in DNS.)
Registry Lock
Registry Lock is a premium locking service available in select registries on the Dragon RSP platform, which is charged monthly to the registrar. The lock is charged at the rate set for the particular registry for any month in which the lock is active, irrespective of the period of time.
Unlike Registrar Lock, Registry Lock cannot be updated through automated EPP processes, and therefore compromising a registrar's network will not provide an attack vector on the domain, host or contact information.
Domains, Hosts and Contact objects can be:
- Locked
- Temporarily unlocked, with automated re-locking applied after 15 minutes by the registry.
- Unlocked
All actions on the lock require a response to a two-factor authentication (2FA) challenge within Dragon Domain Manager.
Registrars are able to set one or more of the following EPP statuses as part of a Registry Lock for a standard per registry price:
| Status | Description |
| --- | --- |
| serverDeleteProhibited | Requests by the registrar to delete the domain, host or contact object must be rejected. |
| serverTransferProhibited | The registry will reject requests to transfer the domain or contact from your current registrar to another even when they provide a valid Transfer Authorisation Code. |
| serverUpdateProhibited | Requests to update the domain, host or contact object will be rejected. |
It is a common misconception that locking a domain name will also prevent changes to the nameserver hosts or contact data associated with the domain. Each Domain, Host or Contact object must be locked independently of the others. (For example, if a domain name has update prohibited set, renaming the host object can still result in a change in DNS.)
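The per-object locking point made under both Registrar Lock and Registry Lock can be checked mechanically. The following is an added example, not Dragon RSP code: it assumes EPP info responses shaped as in RFC 5731 to 5733, treats a client or server status as satisfying the same prohibition, and uses constructed sample data and hypothetical function names.

```python
import xml.etree.ElementTree as ET
# EPP object namespaces from RFC 5731 (domain), 5732 (host), 5733 (contact).
NS = {k: f"urn:ietf:params:xml:ns:{k}-1.0" for k in ("domain", "host", "contact")}

# Constructed sample <infData> fragments (not taken from a real registry).
DOMAIN = """<domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
  <domain:name>example.test</domain:name>
  <domain:status s="serverUpdateProhibited"/>
  <domain:status s="serverDeleteProhibited"/>
  <domain:registrant>REG-1</domain:registrant>
  <domain:ns><domain:hostObj>ns1.example.test</domain:hostObj></domain:ns>
</domain:infData>"""
HOST = """<host:infData xmlns:host="urn:ietf:params:xml:ns:host-1.0">
  <host:name>ns1.example.test</host:name>
  <host:status s="serverDeleteProhibited"/>
</host:infData>"""
CONTACT = """<contact:infData xmlns:contact="urn:ietf:params:xml:ns:contact-1.0">
  <contact:id>REG-1</contact:id>
  <contact:status s="clientUpdateProhibited"/>
</contact:infData>"""

def parse_info(xml_text):
    """Return (kind, identifier, statuses, linked objects) for one infData element."""
    root = ET.fromstring(xml_text)
    kind = next(k for k, uri in NS.items() if root.tag == f"{{{uri}}}infData")
    q = lambda tag: f"{{{NS[kind]}}}{tag}"
    ident = root.findtext(q("id" if kind == "contact" else "name"))
    statuses = {s.get("s") for s in root.findall(q("status"))}
    linked = []
    if kind == "domain":  # hosts and contacts the domain depends on
        linked += [("host", h.text) for h in root.iter(q("hostObj"))]
        linked += [("contact", c.text) for t in ("registrant", "contact") for c in root.findall(q(t))]
    return kind, ident, statuses, linked

def lock_gaps(domain_xml, other_xml):
    """List (kind, id, action) where the domain prohibits an action but a linked object does not."""
    _, _, dom_status, linked = parse_info(domain_xml)
    objects = {(k, i): s for k, i, s, _ in map(parse_info, other_xml)}
    gaps = []
    for action in ("Update", "Delete"):
        wanted = {f"client{action}Prohibited", f"server{action}Prohibited"}
        if not dom_status & wanted:
            continue
        for ref in linked:
            if not objects.get(ref, set()) & wanted:  # objects not supplied count as unlocked
                gaps.append((*ref, action))
    return gaps

print(lock_gaps(DOMAIN, [HOST, CONTACT]))
```

In the sample, the domain is update-locked but its nameserver host is not, which is the situation the paragraph above warns about.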
Registry Operator Lock
These locks are applied by the Registry Operator and are not in the control of the registrar. They may be applied for various reasons including but not limited to security, policy, abuse mitigation or a legal order preventing changes.
| Status | Description |
| --- | --- |
| serverDeleteProhibited | Requests by the registrar to delete the domain, host or contact object must be rejected. |
| serverHold | The domain will not resolve on the internet; it has been suspended or put on hold by the Registry Operator. |
| serverRenewProhibited | The registry will not accept a renewal command sent by the registrar. This has no impact on auto-renewals at the time of expiry. |
| serverTransferProhibited | The registry will reject requests to transfer the domain or contact from your current registrar to another even when they provide a valid Transfer Authorisation Code. |
| serverUpdateProhibited | Requests to update the domain, host or contact object will be rejected. We recommend applying this as default. |