‘RegistryLock’ is a security feature implemented by Registry to help registrants mitigate the risk of ‘domain name hijacking’.
When a registrant registers a domain name, the registrant needs to provide important information known as ‘Domain Name System (DNS) nameservers’ (e.g. ns1.example.com and ns2.example.com). The ‘DNS nameservers’ are computers that contain important technical information (also known as ‘DNS resource records’ e.g. ‘A’ for IP address or ‘MX’ for mail exchanger server) to redirect users to the registrant’s website, email server, etc. The correct values of the ‘DNS nameservers’ are sent to P.A Vietnam via the registrant’s appointed domain name registrar (as instructed by the registrant).
If a hacker can modify the values of the ‘DNS nameservers’ to other ‘DNS nameservers’ that he/she controls, the hacker is said to have ‘hijacked’ the domain name. He/she can redirect the registrant’s website and emails to computers of his/her choice.
A domain name may be hijacked if a hacker is able to modify the ‘DNS nameserver’ information through the registrant’s appointed registrar. This can occur in a number of ways such as:
(i) the hacker had access to the registrant’s username/password that the registrant used to transact (i.e. update nameservers) with the appointed domain name provider (e.g. registrar or reseller of the registrar); or
(ii) the hacker managed to trick the appointed registrar into believing that he/she represents the registrant (e.g. through social engineering); or
(iii) the hacker managed to infiltrate the appointed domain name providers’ backend system to submit nameserver modifications.
The damage caused by domain name hijacking depends on the actions of the hacker and the value of the registrant’s website, emails and other services that depend on the domain name. For example, if a hacker redirects the website to a page that simply shows that he/she can successfully deface your website, the registrant may suffer only reputational damage. If the registrant depends heavily on the website for e-commerce activities, such activities may be disrupted and the registrant may suffer economic losses. The hacker may also trick users into believing that the services (e.g. website, emails, remote-login/ftp, etc.) are legitimate and when users transact with such services, sensitive information may be leaked to the hacker.
RegistryLock would be most beneficial for registrants whom heavily promote its own websites for online presence and branding and, especially websites that engage in e-commerce activities. Registrants should assess the risks and consequences resulting from domain name hijacking, weigh them against the cost (if any) and extra processes involved in locking and unlocking domain names before deciding if they wish to enable RegistryLock on their domain names. On P.A Vietnam’s part, to keep the entry barriers to a minimum, we are providing the locking/unlocking process at no cost and we have designed the processes to be as hassle-free as possible.
Modifications (submitted by the appointed registrar) that alter the ‘DNS nameserver’ information (specifically ‘DNS nameserver hostnames’ and ‘Child-host’ DNS IP ‘glue record’) and DNSSEC information (i.e. DS records) will be rejected by P.A Vietnam if a domain name has been enabled with RegistryLock. The registrant needs to ask his/her administrative contact to login to P.A Vietnam’s portal to temporarily unlock the domain name before informing his/her domain name provider (e.g. appointed registrar or reseller of registrar) to perform such modifications.
This means that unless the administrative contact has explicitly unlocked the domain name, a hacker will not be successful in hijacking the domain name even if he gained access to the registrant’s login credentials to modify domain name information or gained access to the registrar’s backend system.
On the other hand, registrants need to note that in order to successfully perform modifications, there might be extra processes involving multiple parties (i.e. administrative contact and registrar) and each party might have different operating hours). This may cause inconveniences when the registrant needs to update nameservers or DS records urgently. However not every registrant will face such inconveniences. For example, if the administrative contact is also the authorised person to login to registrar’s webportal to update nameservers in real-time, the administrative contact would be able to orchestrate the unlocking, update and relocking smoothly. Before deciding on enabling RegistryLock, registrants are advised to look into the current processes of how the registrar supports nameserver updates and DS record updates.
Anyone can perform a WHOIS search via http://www.pavietnam.vn on the domain name. Domain names that are locked will have a “Server” status, while a domain name without RegistryLock enabled will not show this status. (sample screenshot)
If a domain name is temporarily unlocked, WHOIS will not have a “Server” status.
The illustrational domain has been actived the Registry Lock service:
The illustrational domain hasn't been actived the Registry Lock service:
No, the system only supports locking and unlocking on a per domain name basis.
It is like you buy HDD price 2 milion dong but when doing security safety data on HDD, the amount would cost many more than 2 million.
Similarly, buying domain price 700k or 280k but when lost control, more damage will be many times this figure.