Remediation Guide

How to Fix Domain Registration Risks

Use this page when the WHOIS / RDAP Lookup reports a near-term expiration, a missing transfer lock, an unexpected hold status, or an unsigned DNSSEC delegation.

What This Means

Domain registration is the root of trust for everything attached to the domain. Losing it to expiry or hijacking takes the website, email, and certificates down at once. The protections are mostly registrar checkboxes; the fix is enabling them deliberately and confirming the registry reflects them.

Signal | What to verify | Why it matters
Near-term expiration | Renewal date and auto-renew status at the registrar | Once a domain expires the registrar stops serving it (usually parking it), and after the grace and redemption periods it is deleted and anyone can register it.
No transfer lock | clientTransferProhibited in the status flags (RDAP renders it as "client transfer prohibited") | Without it, anyone who controls the registrar account, or who obtains the transfer authorization code, can move the domain to another registrar.
Hold status present | clientHold or serverHold in the status flags | A hold withholds the delegation from the TLD zone, so the domain stops resolving; holds usually indicate billing, contact-verification, or abuse issues.
DNSSEC unsigned | Whether the parent zone publishes a DS record for the domain | Without a DS record, validating resolvers have no way to detect forged answers, so responses can be spoofed in transit or cache-poisoned.

Common Causes

Patterns worth checking first

  • Manual renewals: Renewal depends on a reminder email and a payment card that may have expired.
  • Default registrar settings: Transfer locks and DNSSEC are often opt-in and were never enabled.
  • Unverified contacts: ICANN verification emails or invoices went to a stale mailbox, triggering holds.

How To Confirm It Safely

Confirmation steps

  • Log in to the registrar and confirm the renewal date matches the RDAP result.
  • Check whether auto-renew is enabled and the payment method on file is current.
  • Review the domain status flags for locks and holds.
  • Confirm whether your DNS host supports DNSSEC signing for the zone.

Fix Workflow

  1. Renew and enable auto-renew. Extend any domain close to expiry and turn on auto-renew with a verified payment method.
  2. Enable the transfer lock. Turn on clientTransferProhibited for every production domain; request registry lock for high-value names.
  3. Resolve any holds. Contact the registrar to identify the cause of clientHold or serverHold and clear it.
  4. Enable DNSSEC and validate. Sign the zone at the DNS host and wait until every authoritative server serves the signed zone, then publish the DS record through the registrar and re-run the lookup.

Implementation Examples

Healthy RDAP status flags
RDAP renders EPP status codes as lowercase, space-separated names, so clientTransferProhibited appears as "client transfer prohibited":
"status": [
  "client transfer prohibited",
  "client update prohibited",
  "client delete prohibited"
]
Verify DNSSEC delegation
dig +short DS example.com
# a DS record at the parent confirms the delegation is signed; an empty answer means unsigned
dig +short DNSKEY example.com
# the DS key tag and algorithm must match one of these DNSKEYs (normally the KSK, flags 257)

Rollout Risks

Enabling DNSSEC incorrectly can take the domain offline

A DS record at the registry that does not match a DNSKEY in the zone (normally the key-signing key) breaks the chain of trust, and validating resolvers answer SERVFAIL for every name in the zone.

  • Sign the zone at the DNS host first, then publish the DS record.
  • When changing DNS providers, remove the DS record first, wait at least the parent's DS TTL so no resolver still caches the old DS, then migrate and publish a DS for the new provider's key.
  • Verify resolution from a validating resolver immediately after enabling: dig +dnssec should return answers with the AD flag set, not SERVFAIL.
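Before publishing or changing a DS record, confirm that it was derived from the DNSKEY the zone actually serves. The Python below is an added example written for this guide, not code from the WHOIS / RDAP Lookup tool or from any registrar. It implements the RFC 4034 key-tag and RFC 4509 DS digest computation so that a DS line in dig +short DS form can be checked against a DNSKEY line in dig +short DNSKEY form. The owner name, the DNSKEY and the stale DS are constructed sample values (the key bytes are placeholders, not a real ECDSA key). It accepts digest types 1, 2 and 4, which goes slightly beyond the SHA-256 DS that most registrars publish.

```python
import base64
import hashlib

# DS digest types (RFC 4509, RFC 6605). SHA-1 (type 1) is kept only so that
# legacy DS records can still be checked; new DS records should use type 2 or 4.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, zero terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(presentation: str) -> bytes:
    """Turn '<flags> <protocol> <algorithm> <base64 ...>' (dig +short DNSKEY output) into RDATA."""
    parts = presentation.split()
    flags, protocol, algorithm = (int(p) for p in parts[:3])
    pubkey = base64.b64decode("".join(parts[3:]))  # dig may wrap the key over several words
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA '<tag> <alg> <digest type> <hex>' that the registrar should publish for this key."""
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(parent_ds: str, owner: str, dnskey_presentation: str) -> bool:
    """True if the DS seen at the parent was derived from this DNSKEY (tag, algorithm, digest agree)."""
    parts = parent_ds.split()
    tag, alg, dtype = (int(p) for p in parts[:3])
    if dtype not in DIGEST_ALGOS:
        return False  # unknown digest type: treat as a mismatch rather than guessing
    digest = "".join(parts[3:]).upper()  # dig may split the hex digest into several words
    rdata = parse_dnskey(dnskey_presentation)
    return f"{tag} {alg} {dtype} {digest}" == ds_from_dnskey(owner, rdata, dtype)


# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13. The four key bytes
# (00 01 02 03, base64 "AAECAw==") are placeholders, not a real ECDSA P-256 key.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 AAECAw=="


def main() -> None:
    good_ds = ds_from_dnskey(SAMPLE_OWNER, parse_dnskey(SAMPLE_DNSKEY))
    stale_ds = "12345 13 2 " + "0" * 64  # constructed: a DS left over from a previous provider's key
    print("DS to publish:        ", good_ds)
    print("matches current key:  ", ds_matches(good_ds, SAMPLE_OWNER, SAMPLE_DNSKEY))
    print("stale DS matches key: ", ds_matches(stale_ds, SAMPLE_OWNER, SAMPLE_DNSKEY))


if __name__ == "__main__":
    main()
```

Run it with the real lines from dig +short DS and dig +short DNSKEY substituted for the samples; a False from ds_matches before you switch providers is exactly the outage the sequencing above prevents.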
Registrar account security matters more than the flags

Every protection on this page can be disabled by whoever controls the registrar account.

  • Enable MFA on the registrar account.
  • Use a monitored, role-based account email rather than a personal mailbox.
  • Remove former employees and stale API keys from the account.

Validation Checklist

Post-fix validation

  • The expiration date is more than 90 days away or auto-renew is verified.
  • clientTransferProhibited appears in the RDAP status flags.
  • No hold status is present on the domain.
  • The WHOIS / RDAP Lookup reports the DNSSEC delegation as signed where enabled.
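The confirmation steps above and this checklist can be scripted against the RDAP JSON the lookup is built on. The Python below is an added example written for this guide, not the lookup tool's own code; it applies the four checks (expiry within 90 days, missing transfer lock, hold status present, unsigned delegation) to one RDAP domain object. Auto-renew status is not exposed by RDAP, so that check still needs the registrar login. The two RDAP responses and the reference date are constructed samples, and the rdap.org URL in the comment is the public RDAP redirector, assumed here as the way a live record would be fetched.

```python
import json
import sys
from datetime import datetime, timezone

# RDAP status values (RFC 8056) are lowercase with spaces ("client hold"); EPP uses
# camelCase ("clientHold"). Normalising both lets the checks accept either form.
TRANSFER_LOCK = "clienttransferprohibited"
HOLDS = {"clienthold", "serverhold"}


def norm(status: str) -> str:
    return status.replace(" ", "").lower()


def expiration_date(rdap: dict):
    """Return the 'expiration' event date as an aware datetime, or None if the server omits it."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def assess(rdap: dict, now: datetime, min_days: int = 90) -> list[str]:
    """Run the four checks; an empty list means the domain passes all of them."""
    findings = []
    statuses = {norm(s) for s in rdap.get("status", [])}

    exp = expiration_date(rdap)
    if exp is None:
        findings.append("expiration: no expiration event in the RDAP response")
    else:
        days = (exp - now).days
        if days < min_days:
            findings.append(f"expiration: {days} days away (threshold {min_days})")

    if TRANSFER_LOCK not in statuses:
        findings.append("lock: clientTransferProhibited is not set")

    holds = sorted(statuses & HOLDS)
    if holds:
        findings.append("hold: " + ", ".join(holds))

    if not rdap.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("dnssec: delegation is not signed (no DS at the parent)")
    return findings


# Constructed RDAP domain objects, not real lookup results. The first fails three checks
# (expiring soon, no transfer lock, clientHold, unsigned); the second is the healthy shape.
SAMPLE_BAD = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client hold", "client update prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2025-07-15T00:00:00Z"}],
    "secureDNS": {"delegationSigned": False},
}
SAMPLE_GOOD = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client update prohibited", "client delete prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2026-07-15T00:00:00Z"}],
    "secureDNS": {"delegationSigned": True},
}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference date


def main() -> None:
    if not sys.stdin.isatty():
        # e.g.  curl -s https://rdap.org/domain/example.com | python3 rdap_check.py
        rdap, now = json.load(sys.stdin), datetime.now(timezone.utc)
    else:
        rdap, now = SAMPLE_BAD, SAMPLE_NOW
    for line in assess(rdap, now) or ["all checks passed"]:
        print(line)


if __name__ == "__main__":
    main()
```

Scheduling this against every production domain turns the checklist into a recurring control rather than a one-off step after a fix.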

FAQ

What is the difference between a transfer lock and a registry lock?

The transfer lock is a self-service registrar flag; registry lock is a premium service with out-of-band verification.

  • Transfer lock sets clientTransferProhibited at the registry so transfer requests are rejected; it is free, but anyone with access to the registrar account can clear it.
  • Registry lock sets the server-level flags (serverTransferProhibited, serverUpdateProhibited, serverDeleteProhibited) and requires manual, out-of-band verification with the registry before any change, which suits high-value domains.
Does enabling DNSSEC risk breaking the site?

Only if the DS record and zone keys get out of sync, which proper sequencing avoids.

  • Most managed DNS providers automate signing and key rollover.
  • Always remove the DS record before changing DNS providers, and wait for the parent's DS TTL to expire before switching nameservers.