IMPORTANT: New ICANN Policy "Whois Accuracy Program"

Were you aware of the Whois Accuracy Program before Zoneedit told you about it?

  • yes

    Votes: 5 31.3%
  • no

    Votes: 11 68.8%

  • Total voters
    16

Mark Jeftovic (#fb)

Administrator
Staff member
There is a new ICANN policy that affects ALL REGISTRARS whether you are using Zoneedit for your .com/.net/.org domains (which makes easyDNS your Registrar-of-record) or Zoneedit for country-code (ccTLD) domains (which makes Tucows your Registrar with easyDNS/Zoneedit as your Reseller) or even if you are not using Zoneedit at all but some other Registrar.

It's called The Whois Accuracy Program, we initially blogged about it on the easyDNS blog:

We have now posted the Whois Accuracy Program mini-FAQ into the Support Zone.

You will need to navigate this process whenever you transfer one of your domains to Zoneedit or register a new one.

You are strongly urged to read and familiarize yourself with this new policy as it affects ALL your .com/.net/.org and new TLD domains.

Finally, to re-iterate, this affects all Registrars, it is not just "a Zoneedit thing".
 

NathanT

New Member
I don't know if this is really "new." Perhaps there is something "new" about this; but as described in the e-mail I received today from EasyDNS (Zoneedit) its pretty much the exact same process I have had to go through annually with GoDaddy to ensure my WhoIs contact information is accurate for at least the past six years [yep and reading through the FAQ does indeed indicate it has been since 2009--my memory was pretty good]. And GoDaddy has proclaimed they do that in accordance with ICANN's requirements; so I assume the only real change here is that sometimes this verification process is also triggered when certain changes are requested (a sensible approach to security when making changes to such records); in addition to the annual verification process.

I can no longer comment on the "Unfortunately, We have renewed our ICANN accreditation" article; but to those who seem to have been having problems with their e-mail being down so they can't get the notice; I would say give a little forethought advice. It seems to me to be common sense that when registering any domain; you should use a contact e-mail that is NOT @ of any of your domain names; but rather should always be tied to a primary e-mail address (such as an e-mail setup by your ISP, or a gmail/msn/yahoo address); so that the ability for your domain name to be working is not at the mercy of your domain name already working. Just common sense and forethought.

Otherwise avoiding phishing generally is a matter of logging into the website directly (rather than through the link) and then performing the action to verify the information from there. I would hope that EasyDNS has similar process, even if they send the e-mail; that you don't have to click the link but rather log in to the control panel as normal and then verify it thereby. If not, EasyDNS/Zoneedit should really make sure they implement such a policy.
 
Last edited:

lkmhaqer

New Member
I don't know if this is really "new." Perhaps there is something "new" about this; but as described in the e-mail I received today from EasyDNS (Zoneedit) its pretty much the exact same process I have had to go through annually with GoDaddy to ensure my WhoIs contact information is accurate for at least the past six years [yep and reading through the FAQ does indeed indicate it has been since 2009--my memory was pretty good]. And GoDaddy has proclaimed they do that in accordance with ICANN's requirements; so I assume the only real change here is that sometimes this verification process is also triggered when certain changes are requested (a sensible approach to security when making changes to such records); in addition to the annual verification process.

I can no longer comment on the "Unfortunately, We have renewed our ICANN accreditation" article; but to those who seem to have been having problems with their e-mail being down so they can't get the notice; I would say give a little forethought advice. It seems to me to be common sense that when registering any domain; you should use a contact e-mail that is NOT @ of any of your domain names; but rather should always be tied to a primary e-mail address (such as an e-mail setup by your ISP, or a gmail/msn/yahoo address); so that the ability for your domain name to be working is not at the mercy of your domain name already working. Just common sense and forethought.

Otherwise avoiding phishing generally is a matter of logging into the website directly (rather than through the link) and then performing the action to verify the information from there. I would hope that EasyDNS has similar process, even if they send the e-mail; that you don't have to click the link but rather log in to the control panel as normal and then verify it thereby. If not, EasyDNS/Zoneedit should really make sure they implement such a policy.

Nathan, not sure if you caught it or not, but the changes put in place now are that ICANN is forcing registrars to suspend domains after 15 days of any whois data changes without verification. Before, it was more of a nag, and not really actionable. This in and of itself may be seen as harmless, but it is the teeth that will give ICANN the ability to enforce proposals such as ppsai-initial-05may15. I'm fine with improving the internet, but I'm very weary of the privacy concerns given in that working group, and a bit oppositional to moving in this direction if this is the desired outcome.

As for the verification process itself, have you never had an email make it into spam and gone unnoticed? If not than congrats, you're a more perfect human than I :) If not, then maybe you can understand that suspending the domain after only email contact, no phone or snail mail, and after only 15 days for domains that have been operating for years, seems a bit rash.

Also, it's 2015 and you still use GoDaddy? I won't judge :)
 

Mark Jeftovic (#fb)

Administrator
Staff member
I don't know if this is really "new." Perhaps there is something "new" about this; but as described in the e-mail I received today from EasyDNS (Zoneedit) its pretty much the exact same process I have had to go through annually with GoDaddy to ensure my WhoIs contact information is accurate for at least the past six years [yep and reading through the FAQ does indeed indicate it has been since 2009--my memory was pretty good]. And GoDaddy has proclaimed they do that in accordance with ICANN's requirements; so I assume the only real change here is that sometimes this verification process is also triggered when certain changes are requested (a sensible approach to security when making changes to such records); in addition to the annual verification process.

Nathan, you are referring to WDRP notices (Whois Data Reminder Program), which have been around for years, they are ICANN mandated, but there is no penalty for ignoring them. The Whois Accuracy Program (WAP) is new, cannot be ignored, because if you do, your site will be suspended after 15 days. The confusion between WDRP and WAP is yet another implementation blunder on the part of ICANN which I spoke to in my latest public comments to them (about their plans to gut Whois Privacy):

http://blog.easydns.org/2015/07/02/confessions-of-an-ex-opponent-of-whois-privacy/

Wherein I observed:

"What makes WAP so pernicious is that to the average Registrant there is no discernible difference between a WDRP notice (which can be safely ignored) and a WAP notice (which can't!) "

(I also mentioned in that article that the guy who created the WDRP, the original program you mention, has gone on record to say that the policy is a failure and should be killed). Instead, ICANN has doubled down on an even worse policy and kept them both in place.

Otherwise avoiding phishing generally is a matter of logging into the website directly (rather than through the link) and then performing the action to verify the information from there. I would hope that EasyDNS has similar process, even if they send the e-mail; that you don't have to click the link but rather log in to the control panel as normal and then verify it thereby. If not, EasyDNS/Zoneedit should really make sure they implement such a policy.

I wish it were that sensible, alas we're talking ICANN, and the policy says you must transmit a unique code to the Registrant via email or SMS and have them re-enter it. So whether the right way to do it is as you describe is immaterial. The policy is setup to lose and it's going to burn a lot of people. This is why we're making the big push to clue in as many customers as possible.
 

NathanT

New Member
As for the verification process itself, have you never had an email make it into spam and gone unnoticed? If not than congrats, you're a more perfect human than I :) If not, ... Also, it's 2015 and you still use GoDaddy? I won't judge :)

LOL... a very imperfect human here; but one with the observation of the fallacy of believing that one can block spam by using any type of anti-spam software out there [an observation that has proved true for as long as spam has been around]. Indeed the very reason I run my own e-mail server (the need for having a domain name); is because using spam filters ALWAYS have false positives. I avoid that by using NO spam filters at all; and the way I avoid getting tons of spam is simply by using separate e-mail addresses (aliases) for every entity I do business with (note: also helps to avoid phishing too, if a message claims to be from someone but comes in on another address, its a phish).

Judge me anyway you want; but it was a sound financial decision; at originally $10 per year for domain names (the absolute cheapest at the time--compared to $70 per year with NSI the most expensive) and years later as I was dating and before getting married where my finances became far less certain I renewed with a 10 year at $80; I will be with GoDaddy at least until fall of next year... Then it would depend on whether or not changing to anyone else is worth the hassle. I have heard many horror stories from many people about EVERY registrar when it comes to transfers; so someone would have to offer me a tremendous better deal (such as lifetime registration for $80) for me to make the switch.

Of course the only reason I am using EasyDNS is because when I first started dealing with my employer's domain names NSI (ICANN) wasn't legally allowed to do DNS and no ISP in my area would do it because none wanted businesses to run their own servers (they wanted to be paid extra money to "co-locate"); and then when things were split and GoDaddy came on the scene they either didn't do DNS at the time or didn't do it as well as ZoneEdit, so I stayed with ZoneEdit; even when I got my personal domain name.
 
Last edited:

NathanT

New Member
... I wish it were that sensible, alas we're talking ICANN, and the policy says you must transmit a unique code to the Registrant via email or SMS and have them re-enter it. So whether the right way to do it is as you describe is immaterial. The policy is setup to lose and it's going to burn a lot of people. This is why we're making the big push to clue in as many customers as possible.

I did catch that it was actionable at 15 days, just didn't realize that was "new." The rather rough tune of GoDaddy's e-mails made me to believe it was previously actionable, and a lot worse than just disabling the website; they made it sound as if I would be charged criminally if I failed to provide accurate information.

That said, I still don't see your issue. EasyDNS should be able to transmit any code required to in the e-mail; but still provide a manner of resolving the verification for update via logging into the control panel, verifying the need to verify the information (as to make it noticeable if the e-mail was a phish or was valid) and then validate the update/verify the information via entering the code. Granted, I am not privy on requirements that ICANN has for registrar's and could only take your word for it; but I somehow suspect the exact details are not mandated that such validation can only be accomplished via a link in an e-mail. I can't believe ICANN would be run by that stupid of people knowing the industry standard security is to tell people not to click on links in e-mails; but rather log directly into websites.

P.S. thanks for cluing me in as to the nature of the cause. I won't worry about it; but if somehow by some weird manner my domain name disappears, I will at least know where to begin to look.
 

lkmhaqer

New Member
Aye, don't want to derail too much, but my motivation to avoid GoDaddy is not economic. That is a pretty good deal, honestly, I swear no judgement :)

I also find that the process of whois verification is pretty straight forward, but my thoughts are with those that own domains that are not as technically inclined. Some people used email addresses they no longer have access too, and don't realize that till it's too late. Others simply don't know who is hosting/owns/bought their domain X many years ago when they set it up. For every technically apt website owner I talk too, there are ten that are hopelessly lost, which while unfortunate and probably a bit bias since I work in support, is a bit of a dis-service to them as people that rely on their domains for income. I just feel that this particular move could have been setup a bit more elegantly, and with more time. This is without concerns for future proposals that seek to eliminate privacy even more. Just my two cents.

Either way, I hope this thread sees some other people's ideas on this change. If you are reading this and have anything to add or criticize, please do.
 
Top