I recall a time when a company I had association with lost their main domains due to a failed renewal. In this case it was a long-term employee who left the company that had loads of company bills going to his card. He cancelled the card sometime after he left and the domains were not renewed. I’m not sure where the renewal failure emails were going but probably some unmonitored admin email box.
These were very important domains. Without them, this $1 billion+ company immediately lost all of its ability to generate revenue. It was quite shocking.
The problem was discovered when users started getting the registrar’s landing pages rather than the company website pages. It was fixed relatively quickly once identified but do to DNS propagation took about 48 hours for complete resolution. During the window unrecoverable revenue well into the hundreds of thousands was lost.
It seems to me that a domain renewal is always a risk, even with a highly reliable registrar. A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years). Even then you have a weak spot because your credit card will be expired by then so you should back that up with a calendar reminder a few months prior to renewal to make sure everything is set.
> A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years)
This is an interesting take. I prefer the opposite approach: choose the shortest possible registration window (1 year), and have a very clearly defined, properly-documented renewal process that multiple people at the company understand. It's unlikely that all of those people leave the company in a 1-year window, so the knowledge gets passed on reliably.
If a renewal happens only once every 10 years, then it seems very likely that the person responsible for it has moved on, knowledge around the process is lost, and at best the documentation is very out-of-date (but more likely it's missing).
My process is to have a shared calendar for these high-risk renewals. Top company officers should be on this calendar (CEO, CTO, and some engineering VPs). The calendar contains recurring events for domain and SSL cert renewals. These calendar events are set up for about 1-month before the actual renewal, and fire reminder emails at several intervals beforehand (in case people are away or on PTO).
Why not renew for ten years, then every year extend it by one more year. Best of both worlds and if something screws up, you have 9 more years to fix it.
While this statistically might be true, I believe that this is completely dependent on one's personality. Having extra chances to remedy a trouble (which, as can be seen from the article, may occur due to reasons completely out of hand) has notable benefits, such as eliminating such prolonged downtimes.
It is like having replacement toothpaste ready for your bathroom. It is such a nuisance to go out and buy it on the day it runs out, and more likely to have a day without if you do not keep replacements ready.
No, for SSL certificates there's value in having a short expiry. For example if the private keys leak. There's no value in having a domain name (that you want to keep) expire.
The value is in forcing you to keep it in mind. You don’t forget about things you have to do every 3 months as easily as something you have to do every 10 years.
I personally found a period of 1-2 year to be the absolute worst. On the next cycle the man is gone because it's past the average tenure. The emails about it were lost or auto deleted. Any documentation or process is useless because the company or the supplier has changed.
To have a process be remembered, make it monthly or quarterly.
This is why it's important to use job scheduler software, admined by a NOC, to generate your own internal reminder emails set for a specific date and time in the future. The process of renewing a domain or buying anything that requires renewal should include a step to create the future reminder job.
This is vastly more powerful than you need to simply call a shell script which generates SMTP email to your noc@companyname.com address, but can serve the purpose:
You can use this for all sorts of things like maintenance notifications, automated emails to a facilities group on N schedule to change air conditioning filters, whatever needs to occur on a specific recurring time schedule.
It's also important that these notifications are sent to an address that is permanently assigned to a role, e.g. noc@company.com, rather than to any particular person, e.g. steve@company.com. Steve might not be there the next time those domains come up for renewal.
The same rule applies to any email address that you use to purchase and renew domains and other critical services. If renewal emails are being sent to someone who doesn't work there anymore, something is very wrong.
The monthly process isn't necessarily to renew domains - it is to assess the situation to see if there are any that need renewing soon. Many months nothing will need doing, a couple of months per year something will need action.
Even as a small company we have a number of regular infrastructure reviews. Most of the time we just go through the review, find nothing has changed unexpectedly and no new ideas need bringing to the table, we sign off to say all looks well, and the prices takes very little time. Some of this is automated: scripts collate and report information for signoff and we humans verify the result and take actions as needed (in some cases the action needed is to update the script(s)). This may seem wasteful, but a couple of people spending a couple of hours total per month on such checks can save some nasty surprises in future.
Domain status checks is one of the things that gets reviewed.
Not necessarily, most registrars will let you renew for a full year or more at any time. Buy both on the same day, set a reminder or open a ticket to renew only one domain in 3/6 mo.
Also, get a registrar with an API and use a script to figure out how long a domain is valid. Alarm through your monitoring system when you hit the too close for comfort time frame.
You can scrape whois as well but that seems fragile.
We had this same argument about certificate expiration on a code signing project I worked on.
I maintained that having to remember to renew a cert every September was more likely to stick with someone than 18 months or two years. It also keeps your blacklist smaller because dead ones age off faster.
I don’t recall how it ended up but we added automated reminders every 30 days starting three months before expiry.
10 years sounds a bit inflexible for me. Things can get a little weird if you switch registrars but you have more than 9 years left on your domain so you can't get a full additional year.
I do try to maintain a margin of at least 3 years on important personal and business domains, though.
Less than 37 months left = immediate attention required.
Probably late to this party but at my employer we have a contract with MarkMonitor under which domains are auto-renewed and then we are invoiced for the cost.
The advantage of this is that domain renewals are not broken by payment problems. Payment problems produce a failure state of "domain got renewed, the vendor is harassing us about an invoice"--which is much preferred to "domain did NOT get renewed, our site is down until we update our credit card." It also helps mitigate the "crucial employee departed" problem, since MarkMonitor won't just give up on an unpaid invoice... they will escalate if they don't get paid.
Of course as a matter of practice we always have multiple people with access to the dashboard, but if all those people got kidnapped at once, the domains would still renew.
I recognize that MarkMonitor is more expensive than Namecheap or GoDaddy or whoever, but I also bet that a lot of successful companies that are super reliant on their domains have never called for pricing. I don't work for a mega-corp; we're a nonprofit. And who knows, maybe other registrars may be willing to offer a similar payment structure.
(I'm not affiliated with MM in any way--just a happy customer.)
Personally, I'd rather have a corporate domain be renewed once per year and have a defined process for it (e.g. literally have a binder somewhere listing all the details, and put reviewing it on a checklist of other yearly legal and financial tasks) than have it be forgotten about for 10 years at a time.
I've set it up before to have 10y which is the max, and renew for 1 year every year. So the domain always has a lead time of 9-10 years but it is still renewed once a year for practice. for most domains thats like 100 bucks to lock it down for 10 years. You can also monitor the domain expiry in your monitoring system i.e. nagios or whatever you are using.
The problem with relying on auto-renew is that, sooner or later, your credit card will expire (or the employee who was in charge of the domain will be gone) and the renewal will fail. The account needs maintenance one way or another.
>> registering them for as long as possible
To clarify, you can register them for 100 years, not 10 years. Network Solutions offers the 100 year renewal.
While 100 years or even 10 isn't for everyone, I do still agree: register them for as long as feasible.
This is why -generally- there is a period after the domain expires in which it is locked and cannot be purchased by anyone other than the previous owner. Just in case someone tries to squat. There are a few registrars that do this. I've seen it (squatting) happen more to small businesses, because even if their site it showing the landing page they might not notice it until a month later and by then it has been released and squatted. Bigger companies with lots of traffic would usually get a notice from a customer or internal employee that the site is down. This is my experience at least.
Could you do an AMA once you get out of jail? I'd love to see how this all turns out for you. You seem to be the kind of person who just makes fantastic life decisions.
Yeah, corporate attorneys and the legal system at large have never dealt with extortionists with your creativity before. I mean, doing it anonymously AND with a ticking time bomb element, only a true master villain could have thought of such a brilliant scheme!
Do check with a criminal attorney before doing any such thing.
“It’s a nice domain you have here, be a shame if something happened to it” sounds cool in the movies, but in the real life it may be treated as extortion and land one in jail.
Domain name dispute resolution policies would find in the company's favor pretty much immediately (due to their trademark rights, and your registration with bad-faith intent), so they'd get it back reasonably quickly one way or the other. :P
To be fair, unless you're a big company I'm pretty confident this could work. I don't know what police entity I'd have to turn to here in Belgium to complain about someone in the US running off with my startup's domain name. You'd need serious lawyers to go after this.
I know everyone thinks police are going to investigate and that I’m definitely going to prison, but the sad reality is they probably won’t and I’d probably never see a jail cell. They might look into it, maybe even setup a sting operation, but then in the end nothing might come of it anyway.
Trust me, I know of a ex-cofounder in a previous who company who took off and disappeared with $175k from the company bank account, and despite our best efforts at getting justice or the money back, no one really gave a fuck, and there wasn’t much we could do unless we wanted to get into very expensive legal battles using money we didn’t have, against a person that was hard to get a hold of and with no guarantee of getting our money back, at least anytime soon (years). It was much more practical to just cut the losses and move on, making sure we could do everything to prevent it from happening again by someone else.
And the truth is this is how it is for a lot of things, the successful cases you hear of are really just a small percent of the crimes. Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end. Most people eventually give up. Unless you’re killing people or running drugs, there’s a lot of criminal arbitrage you can get away with due to how slow and how apathetic the law is.
Though I sometimes do think about the price I would have to pay if there was a reckoning.
The Chickenshit Club (that is, federal prosecutors in the last ten years) means that big company management can get away with white collar crime, paying other peoples’ money to make charges go away.[1]
Workers or little people at big companies are still subject to prosecution for white collar crime. And apparently since criminal prosecutions are time consuming DOJ has decided to deprioritize them, so if you commit white collar crime for small dollar amounts you’re also likely to get away with it.
Just don’t pick a fight with someone who has the money and determination to hunt you down to the bitter end.
You're not making any sense. You started this entire thread by talking about how you'd hold this $billion+ company's domain ransom for tens of thousands of dollars per year, so your sad tale of woe about how you couldn't afford an attorney to chase down an embezzler is irrelevant.
These were very important domains. Without them, this $1 billion+ company immediately lost all of its ability to generate revenue. It was quite shocking.
The problem was discovered when users started getting the registrar’s landing pages rather than the company website pages. It was fixed relatively quickly once identified but do to DNS propagation took about 48 hours for complete resolution. During the window unrecoverable revenue well into the hundreds of thousands was lost.
It seems to me that a domain renewal is always a risk, even with a highly reliable registrar. A good defense is to limit the renewals for important domains by registering them for as long as possible (10 years). Even then you have a weak spot because your credit card will be expired by then so you should back that up with a calendar reminder a few months prior to renewal to make sure everything is set.