I fucked up..

How I lost my domain and everything that goes with it like my mail server etc..

Written by: Kevin Grahl | Published: Wed, March 6th 2019 » 5min - 1.129 words

Yesterday was a perfectly normal day. I had a coffee in my hand and had just finished eating a bite. I was playing around with some part of my newly designed website when suddenly I received a notification from my uptime service telling me that my website was down. I switched from Sublime Text 3 over to my browser and hit refresh and they weren't lying, it really was down. All right, no need to panic, I got this. I was still logged in via ssh and could still save the html file I was just editing, so my server didn't seem to be the problem. Weird. Chrome was telling me that "kevingrahl.de’s server IP address could not be found."

[Screenshot, Google Chrome: This site can't be reached. kevingrahl.de's server IP address could not be found. DNS_PROBE_FINISHED_NXDOMAIN]

All right, so let's check if everything's ok with my domain, I thought, and headed over to Namecheap. Well shit. My domain kevingrahl.de, which I've used for years, had just expired. I don't want to shift the blame to Namecheap, because clearly it was my fault not renewing the domain in time, but why the fuck didn't they send me some sort of reminder that my domain was about to expire? Domains with the country TLD .de (Germany) have some quirks: They cannot be renewed later than 5 days before expiry. After that the domain enters what is called the "Redemption Grace Period" mandated by DENIC.

Redemption Grace Period for .de Domains

A cooling-off phase (called Redemption Grace Period – RGP) after deletion has been established for second-level domain names in the .de name space. This service protects domain holders against an unintentional loss of their domain(s) by accidental deletion.

What is the Redemption Grace Period?

If the registration of a .de domain is terminated, the deletion of the domain is followed by a 30-day cooling-off phase, the so-called Redemption Grace Period (abbreviated RGP). During the RGP, the deleted domain can only be re-registered for the last domain holder or for a third party named by the last domain holder. There is no charge for a Domain being in the RGP.

Source

That doesn't sound too bad, eh? No charge for such a service that is intended to protect me from exactly what happened to me? I should be happy. But I'm not. You see, while there's no charge for domains that end up in the RGP, they do charge you if you actually want to use that domain again. DENIC explains this further down in their article about the RGP:

The re-registration of a domain name which is in the grace period for its last holder is associated with costs for the provider (registrar) acting on behalf of the holder. The domain holder must expect these costs to be passed on to them.

Namecheap seems to think that ~$210 (~€185) is a fair price for this. I do not. Would I register a new .de domain today via Namecheap it would cost me €6.07 (Renews at €9.60/yr). I could understand if it were 100-200% more than what they're asking for renewals. But from €9.6 to €185 is an increase of 1827% or 19.27 times more. To me that's usury. There is no way this price can be justified. They seem to prey on people who accidentally lost their domain and need it back. Please note that I do not know if Namecheap or DENIC is responsible for setting this price.

Now I (hopefully only temporarily) have lost control over my domain. My website is down. My mail server is run on that domain so I can no longer receive any mails either.

Thankfully there is a way out of this mess without paying €185. I have to warn everyone reading this who's got a similar problem that this solution requires some luck and does not guarantee that you will get your domain back! Further down on DENIC's site they inform you that:

DENIC may deviate from the 30-day cooling-off phase for a domain in RGP, if the last domain holder waives the Redemption Grace Period by an explicit written declaration to DENIC.

What this means is I can send a letter to DENIC with some form of validation (I expect a copy of my government issued ID should do it) and then they prematurely end the otherwise 30 day RGP. I, and here's the catch, everyone else can register my domain immediately after DENIC releases it. Here's to hoping I can register my domain again before anyone else will. However this will end, it's sure to be a success!

“Success is stumbling from failure to failure with no loss of enthusiasm.”

― Winston S. Churchill

In the event that a third party gains ownership over my domain I'll have to buy a new one. It'll be a pain in the ass to recover all my accounts that use @kevingrahl.de email addresses but at least I dramatically reduced the chance of account takeovers by using a unique address for nearly every service. Should someone be in control of my domain kevingrahl.de they'd still need to know which email address I used for which service in order to reset the password. Those email addresses are not guessable. And of course the more secure accounts all have 2FA enabled.

I'd like to mention the completely incapable Namecheap support agent who, when asked if I could register my domain again if DENIC releases it early from RGP, told me that he was "not authorized to assist me on this matter" and that I should "please contact DENIC" instead. WTF Namecheap?

In the meantime

Since only my domain is affected but my server is still fine I can use the domain tenebris.uber.space in the meantime. All parts of my website are static and generated by hand and there were a few instances where I linked sites or resources with links containing my domain. I had to edit those out and replace them with relative links to make it work with this domain. I can't be sure I got everything so if you see some site where for instance there doesn't seem to be any styling of the page or images are missing please let me know.

Speaking about letting me know; I will not get any emails to all my addresses @kevingrahl.de until I have my domain back!

You can contact me via temp-h3pc38i3gi@kevingrahl.de

What you can learn from this

  1. Don't be stupid and forget to renew your domain
  2. Perhaps make a reminder and renew it a few months before it expires
  3. Maybe don't use links using a domain name on your website's internal links
  4. If you run your own mail servers: Have a backup ready in case something fails
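For lesson 3, one way to find internal links that hard-code the domain and compute the relative replacement. This is an added example, not part of the original post or the author's tooling; the `www.` host variant, the list of checked attributes and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

OWN_HOSTS = {"kevingrahl.de", "www.kevingrahl.de"}  # "www." variant is an assumption
URL_ATTRS = {"href", "src", "action", "poster"}     # attributes checked (assumption)

# Constructed sample page, imagined at /blog/post.html on the site.
SAMPLE = """<link rel="stylesheet" href="https://kevingrahl.de/css/style.css">
<a href="//kevingrahl.de/blog/">Blog</a>
<img src="../img/me.png">
<a href="https://example.org/kevingrahl.de">elsewhere</a>
<a href="https://KevinGrahl.de/about.html#contact">About</a>"""

def is_own(url):
    # .hostname is lower-cased, and None for links that are already relative.
    return urlsplit(url).hostname in OWN_HOSTS

class DomainLinkFinder(HTMLParser):
    """Collect (line, url) for URL attributes that hard-code an own host."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_own(value):
                self.hits.append((self.getpos()[0], value))

def to_relative(url, page_path):
    """Rewrite an own-domain URL relative to the page that contains it."""
    parts = urlsplit(url)
    target = parts.path or "/"
    rel = posixpath.relpath(target, posixpath.dirname(page_path))
    if target.endswith("/"):
        rel += "/"  # keep directory links as directory links
    if parts.query:
        rel += "?" + parts.query
    if parts.fragment:
        rel += "#" + parts.fragment
    return rel

def audit(html, page_path):
    finder = DomainLinkFinder()
    finder.feed(html)
    return [(line, url, to_relative(url, page_path)) for line, url in finder.hits]

if __name__ == "__main__":
    for line, url, rel in audit(SAMPLE, "/blog/post.html"):
        print(f"line {line}: {url} -> {rel}")
```

Matching on the parsed hostname rather than searching for the string `kevingrahl.de` avoids flagging external URLs that merely contain the name in their path, and catches protocol-relative and mixed-case variants.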

Update

As of today, the 12th of April 2019 I'm back in control of my beloved domain kevingrahl.de!

Here's what happened: After I requested DENIC to lift the RGP early some foreign reseller snatched my domain nearly immediately. I was expecting that and was prepared to challenge their claim to the domain. There's this thing called "Namensrecht" (Naming rights) that basically gives me priority rights because my name is Kevin Grahl. Unless the reseller's name was also Kevin Grahl it should have been relatively easy to get back my domain. But it didn't come to this. Instead the reseller nearly immediately deleted the domain on 12. March 2019. This wasn't good news though as it meant the domain entered the RGP again and this time I wasn't the last owner so I had no chance but to wait 30 days for the RGP to take its course. Oh, well..

In the meantime I had a lovely chat with some lady from DENIC who told me that I could've just transferred the domain via the Auth Info 2 system to some other registry for around 15€.. Duh.. The DENIC representative was also shocked to learn that Namecheap wanted nearly 200€ to restore my Domain from the RGP. I asked Namecheap for a comment on this which they denied. In their FAQ however Namecheap states that their upstream registrar Enom is responsible for this price. To prevent this from happening again I paid my domain for the next five years in advance so I should be good until 2024.

Comments

I submitted this article to HackerNews where some people commented on it.

Footnotes

  1. Sublime Text 3 is "a sophisticated text editor for code, markup and prose" and it's one of my favorite pieces of software. I use it daily and think it's well worth it to buy a license but it even works without one (nagware style) ↩︎
  2. Namecheap is my registrar. I'm very open about suggestions on decent registrars. ↩︎
  3. DENIC eG is the manager of the .de domain, the country-code top-level domain for Germany. ↩︎
  4. I was told by StuntPope on HN: "It should be pointed out and understood that when a domain enters Redemption period, in every TLD, the inflated cost to redeem it is imposed by the registry itself, not the registrar. So the point where the normal cost is $6.95 but it cost over $100 or $200 is not because the registrar is gouging you, but because the registry is charging the registrar minimum $100 or so, and then the registrar would also apply their own markup, which is pretty standard." ↩︎
  5. I was told by wbrasky on HN that 'usury' might not be the correct term here. I intended it to mean the same as the German word "Wucher": "Wucher bezeichnet das Angebot einer Leistung zu einer deutlich überhöhten Gegenleistung unter Ausnutzung einer Schwächesituation eines Vertragspartners." Loose translation: Usury is offering a service at an excessive rate if you're exploiting the weaker position of someone. ↩︎
  6. Obviously I found a workaround using my hoster's URL tenebris.uber.space as a workaround. BTW; shoutout to Uberspace, they are awesome all around. ↩︎
  7. You can contact me via kevingrahl@protonmail.ch ↩︎