The root cause here is that some stuff didn't get handed over properly in the switch from Ryan to me as Node.js manager. So, the emails were indeed going to a non-functioning inbox.
It's resolved now, and we're setting it up to auto-renew so that this doesn't happen again.
It's kind of amazing how much certain data (in this case, a record in DNS) comes to mean to people. And how much we come to rely on that little bit of data. And really, how much we trust the DNS system and its maintainers. "Ruling the world" might be difficult, but "ruling the internet" appears to be a matter of controlling DNS and then mimicking well-known sites well enough to install arbitrary software on every PC and device on the planet via a nefarious auto-update. It's the ultimate MITM attack. Even better if you can take over the DNS system for a short period, get a few million installs, then put the system back.
tl;dr: He who controls the DNS, controls the universe.
Auto renew of course assumes that the credit card on file is current. If the email address is wrong and the cc doesn't work auto-renew obviously will fail. As anyone who has to charge credit cards on a repeat basis might tell you, cc's fail fairly frequently.
Since the domain (any domain) is important it's critical that someone manually also keeps track of the expiration date. And by the way if anyone thinks the answer to this is to renew for the max time period that opens up all sorts of problems in the future when the domain expires and people who were in charge years ago no longer exist and any current people aren't even aware that the domain needs to be renewed. This happens which is why there is an entire part of the domain business catering to what is known as "drop catching" deleted domain names and selling them back to the owners.
There is a lot of self-righteous dickishness and schadenfreude in these responses. Proclaiming there to be "NO excuse" to someone who has worked their ass off to create a stellar open-source project really says more about yourself than the person you are attacking.
Most certainly there is some sort of explanation, and whether or not it was a terrible mistake, being a jerk about it doesn't relieve you from the terrible mistakes you've made in your past - we all have them. And in the end, this is really not a big deal.
I don't know about the worst in everyone :). Lots of people still manage to hold their temper. I've certainly gotten snippy here before.
I still come here for great commentary on complex topics, but usually resist the urge to look at comments on gotcha articles like this where I know there is probably nothing constructive to say, so the trollishness comes out.
I know people make mistakes and overlook things, but really...there is no excuse for this. I get about 8 emails from my registrars warning me before a domain expires...60 days, 45 days, 30 days, 1 week, then one like every day until the date. Unless these emails are going to an address nobody is monitoring I can't see how this can get overlooked.
If an email was sent to a mailbox that wasn't being checked, it doesn't matter how many emails were sent. I don't know if it's the case, just guessing as one possibility.
That's exactly true. Emails bounce and the person who is in charge of the domain often changes jobs and the contact isn't changed. Some go straight to the spam bin.
But you'd be surprised at how many people ignore even postal notices that some registrars send.
What you have to keep in mind is that restoring domains that have expired is a profit center for registrars. [1]
And having incorrect email contact info helps as well since not only does it favor that profit center but it also prevents competitors from soliciting your accounts (as well as preventing spam, right?)
[1] In the case of the nodejs.org domain it was taken offline on the day of expiration. It wasn't deleted it didn't go into redemption. Generally most registrars give some grace period (but if you aren't getting the emails that doesn't really matter, does it?)
There is a new policy being floated by ICANN that addresses these issues. If I can find the link I will post.
Homebrew, rbenv, rvm, to name a few. Never understood it either. If you could get ahold of a domain and write a malicious script at /some-script.sh, you could do a lot of damage.
I agree that it feels insecure, but is there really a difference between this and downloading and running files from a .tar.gz or installing a .deb for example?
This is an important part of why Debian and its derivatives are superior to OS X for web development. If you like Mac hardware like I do, at least run a Linux distro as a virtual machine and save yourself the trouble of Homebrew or its contemporaries.
A published hash sum on its own only protects against non-malicious errors in the download. This is of limited use, since even regular HTTP is verified with a 16 bit CRC checksum.
Distributing a hash check over HTTPS would offer some protection against man in the middle style attacks, to the extent that TLS protects against man in the middle attacks, but accomplishes nothing if the server has been compromised.
Distributing a signature of the download gives stronger protection, because the private key can be kept offline and encrypted except when in use. Breaking into a server and overwriting a few files is easier than breaking into someone's laptop in the brief moment where they unlock their keypair to sign a release.
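Added example, not part of the original thread: a small Node.js model of the comparison made in the comment above, where a server compromise rewrites both the download and its published checksum. The key pair, function names and file contents are constructed for illustration, and Ed25519 is an assumed choice of signature scheme.

```javascript
// Added example (not from the thread). Models a release server that an
// attacker fully controls, and compares two client-side checks.
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Maintainer's signing key: the private half stays offline, the public half
// is pinned in the client ahead of time (constructed here for the demo).
const { publicKey: PINNED_PUBLIC_KEY, privateKey: offlineKey } =
  crypto.generateKeyPairSync('ed25519');

// Build what the maintainer uploads: artifact, checksum file, detached signature.
function publishRelease(artifact) {
  return {
    artifact,
    checksum: sha256(artifact),
    signature: crypto.sign(null, artifact, offlineKey),
  };
}

// Server compromise: the attacker can rewrite any hosted file, so the
// checksum is regenerated to match. The signature cannot be regenerated
// without the offline key, so the old one is left in place.
function compromiseServer(release, replacement) {
  return { ...release, artifact: replacement, checksum: sha256(replacement) };
}

// Check 1: compare against the checksum served next to the download.
function verifyByPublishedHash(release) {
  const a = Buffer.from(sha256(release.artifact), 'hex');
  const b = Buffer.from(release.checksum, 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Check 2: verify the detached signature against the pinned public key.
function verifyByPinnedKey(release) {
  return crypto.verify(null, release.artifact, PINNED_PUBLIC_KEY, release.signature);
}

function demo() {
  const genuine = publishRelease(Buffer.from('#!/bin/sh\necho "install v1.0"\n'));
  const tampered = compromiseServer(genuine, Buffer.from('#!/bin/sh\necho "replaced"\n'));
  return {
    genuine: { hash: verifyByPublishedHash(genuine), sig: verifyByPinnedKey(genuine) },
    tampered: { hash: verifyByPublishedHash(tampered), sig: verifyByPinnedKey(tampered) },
  };
}

console.log(demo());
```

The hash check accepts the replaced file because its reference value came from the same compromised source; the signature check rejects it because the trust anchor (the pinned public key) never lived on the server.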
Where are you seeing $80 for 10 years (not doubting just curious).
$80 is below the cost that the registrar pays (for .com) to the registry and ICANN variable fees. Not to mention the cost for credit card processing as a variable fee.
Consequently in order to charge that amount the registrar has to make money in other places (could be to charge for things that are free elsewhere as one example).
As clarified by others, I missed the reference to the album because I never really listened to Van Halen and I apologise for my harshness. But we are on the same boat.
No one can truly know the mind of another human being, but I'm pretty sure Carson Gross is sick of the term as well.
I do agree with you that sincere language is more likely than sarcastic derision to turn the tide, but you should know that you guys are on the same side.
There are some problems with allowing that though. In some cases a clueless CSR could allow the person paying for the domain to gain access to it. The assumption is wrongly made that if the person is paying for the domain they have rights to it. After paying they will simply say something like "oh, by the way my address needs to be changed" or open a conversation about something else and end up gaining access.
Registrant Name:Ryan Dahl
Registrant Organization:Joyent
Registrant Street1:345 California St Suite 2000
Registrant City:San Francisco
Registrant State/Province:CA
Registrant Postal Code:94104
Registrant Country:US
Registrant Email:ryan@joyent.com
With the email "ryan@joyent.com", it doesn't seem likely that it's an unmonitored email address that would have missed the registration, unless it was seen as spam / junk mail.
Shouldn't be anything to worry about - here’s how the domain expiry process works.
1. Domain ‘expires’, and enters a 40 day grace period. I have read things that imply this can vary from registrar to registrar, but it seems pretty standard from what I have seen.
2. After the grace period, it enters a 30 day redemption period. Again, apparently this can vary, but I have yet to see it (admittedly I have only looked at a small number of domains)
3. Finally, when the redemption period expires, a 5 day ‘pending deletion’ period is entered.
Between 11am and 2pm Pacific Time on the 6th day of pending deletion, the registrars theoretically start dropping the names from the ICANN database.
It is kind of odd that such a domain would only be renewed annually... it's hardly speculative!
Grace period (as you have pointed out somewhat) varies by registrar. The basis for what you are saying is how long a registrar has to delete the domain before they can get their money refunded. That time period is 45 days. So on the expiration date the registrar is automatically charged for the renewal. If they delete on day 45 (by a certain time depending on when registered) they will have their fee refunded. Consequently they can give a grace period if they want of up to 45 days but from a practical standpoint it's tricky to wait until the last minute before deleting (if you have a system problem on day 44 that prevents you from deleting 2000 names you're stuck with them).
After they delete the domain (which can theoretically be anytime and keep in mind that "delete" is different than "take off line" "change ownership" etc.) it goes into redemption.
It is in redemption for 30 days during which only the sponsoring registrar can submit the necessary report to get the domain back. With .com .net .org .info the cost for the registrar to get the name out of redemption is $40 plus the renewal fee.
Once 30 days have passed it is in pending delete and goes into a 5 day black hole where nothing happens and not even the sponsoring registrar can get it back. After that 5 day period it's released and anyone can grab it, first come first serve.
nodejs.org as I pointed out elsewhere was simply taken offline. It wasn't "deleted" in the sense that it goes into redemption. From the registrar's point of view this makes sense since it allows them (if they want) to charge a fee to restore the domain w/o having to incur any extra ($40) costs.
"the registrars theoretically start dropping the names"
The time the domains drop is not controlled by registrars. It's controlled by the registries. The registrars only control (in addition to other things pointed out) when the domain goes offline or gets "deleted" and enters redemption.
" it enters a 30 day redemption period. Again, apparently this can vary"
"here’s how the domain expiry process works." (might have been better to say "here's how I think").
"Domain ‘expires’, and enters a 40 day grace period" although you qualified this saying it like that gives people the wrong impression of your actual knowledge in this area.
"After the grace period, it enters a 30 day redemption period. Again, apparently this can vary, but I have yet to see it "
You say "it enters" (like a fact) but then say "it can vary, but I haven't seen it yet".
My point isn't to give you a hard time but the HN crowd tends to jump on anything incorrect and it's clear from your summary that you don't have much experience in this area. I've made mistakes when I've said things on HN that I haven't double checked or don't know very well. (It's possible of course to even make mistakes on things you know well!)
What you say is correct. I'll chip in a bit on "registrar to registrar". In case of Namecheap, renewing an expired domain is just like renewing a regular domain. While other registrars charge re-activation fee, Namecheap has no additional fees. So, Ryan can just renew the domain instantly whenever this comes to his attention.
In this particular case namecheap is merely a reseller for enom.
Important to point out here that namecheap which is much touted on HN as being so great to deal with is the organization that made the decision to take this domain offline - not enom.com the registrar.
When people fail to respond to expiration notices, taking the domain offline on the expiration date seems like a good way to bring it to their attention.
Off the top I wonder if an idea might be to do the following, keeping in mind that the registrar would charge extra but ultimately it would be to the registrant's benefit and less disruptive if the normal ways (that have no cost) were interrupted:
- Send postal notice (some do this already)
- Send express or certified letter (charging up front to be notified this way)
- Make phone call
- Send email to any contact addresses on the website
I would like to point out also that this is a reason also why "privacy" on whois is a bad idea in some cases. In this case it is fairly easy for a third party to get in touch with the joyent contact (someone might know him or have an alternative means of contacting him - even by phone if not the whois phone number). If contact info is protected by privacy that becomes a different issue (you would have to have more specific knowledge).
Nope, Namecheap doesn't practice the shady conditions practiced by other registrars. The expired domain can be renewed just like a regular domain. No extra fees and fuss involved.
Usually there's a grace period where the owner can still renew it, and before anyone else can. If the domain actually expired 60 or 90 days ago then they're probably hosed.
Yes you are correct about that... It happened to me once on an old domain and I was able to get it back in the following week after expiration but I don't recall seeing a parked page during that period of time.
Doing a quick Whois for nodejs.org shows that the name is expiring today:
eNom does all kinds of shady shenanigans with domain renewals. There are stories of names going up on their auction block the moment the registration expires (meaning someone has to pay a greatly inflated amount of cash to reclaim the name)
Unlikely. As much as enom sucks I don't think one could misconstrue any of their ineptitude as evil. They do however have the redemption period at inflated prices, but I've never heard of them moving an expired domain to immediate auction.
None of those reference enom directly -- only resellers of enom. That's like saying I bought a widget off amazon & chase paymentech is fraudulent as a result.
How does this keep happening to people? No registrar I know has a default of "don't renew", and they send your reminders. Why not just buy the domain for 10 years, or set autorenew, or ... seriously. There is NO excuse for this.