________________________________________________________________________________
I manage a portfolio of 1800+ domains for my employer.
When we migrated DNS to route53 in early 2019 we discussed moving registration as well. That conversation took about two minutes and ended in a hard no.
Our registrar is MarkMonitor who specializes in large portfolios.
I’ve got a dedicated account rep. We know each other well. We talk often, not just domains but college sports, etc.
I need something I email my guy and it gets done.
Registering a .es domain requires a scan of my drivers license. He handles that.
Transferring in .am domains during a recent merger required an authorization letter, on letterhead, signed by a corporate officer.
We don’t have any .at but I’d put 20 quatloos on there being some sort of requirement that AWS can’t just drop into a web interface, combined with the fact you don’t really have phone support until you qualify for Enterprise Support.
My primary role is near what you’d call Cloud Architect, domains and DNS are a side gig that ended up in my lap. Being disappointed in how AWS does something is sort of a theme in my life.
In this particular case however I’d bet the issue is with the AT registry wanting something.
The "corporate" answers in the support thread don't give any information, and the barrage of links to unhelpful and unrelated information make it seem like they're scripted and not really interested in their customers specific problem at all.
If AWS were to say what the problem was then people might be a bit happier to wait?
There must be some marketing handbook somewhere that says "When the customer asks if you have this model in blue, you must never say 'No.' Instead, always say 'We have it in red, green, orange, and seafoam violet.'"
Drives me nuts, but all companies do this rather than giving a direct answer.
It's not limited to marketing. Try asking a question along the lines of, "why does x do this?" The answer is frequently, "you shouldn't do x, you should do y." Clearly the question is asking for an explanation, but people will double down on how wrong the questioner is for even asking.
Golang in one comment.
All so true: "sync/atomic"
Hah, definitely. It's like everyone working on that tag is trying to read the question in a way to _not_ answer anything.
Sometimes people are asking for what they think they want because they don't know that theres a better way to solve their problem.
Also
> Sometimes people are asking for what they think they want
Except when they aren't, which is what I'm talking about. And you could say the same thing about the marketing speak.
If you ask a question on Stackoverflow, a lot of people will give you the answer they know, regardless of the question you asked.
If I ask "how do I do this with x?" The answer "Generally in this language we do it with y. Will that work?" is a proper answer
If I ask "why does x panic?" The answer isn't, "do y." The answer is an insight to the programming language/operating system in question, but people just can't resist, and it is exactly like the marketing speak mentioned here.
Assuming the person asking doesn't know what they're doing is
not the best approach if you actually want to solve problems.
I guess the advice starts out helpful: violet might be a good substitute for blue in certain situations.
...But saying "we have all these other things that you've already told us you're aware of" is where things start to get passive aggressive.
> Registering a .es domain requires a scan of my drivers license. He handles that.
Maybe it’s different inside the EU compared to outside of it, but I have a few .es domains and I didn’t have to provide a scan of any ID to reg them, I did have to provide the ID’s number.
Now it might be that the ID number might be more easily queryable between EU states removing the need of a scan compared to counties, I’ve never looked into it. But it’s still a piece of information MM can just hold on to and handle when required for you.
I’m just sharing my own experiences with .es tlds, one thing I will say having a 3rd party like MM monitoring and handling your .es domains is they are now responsible for renewing them, if you miss the emails about your domain expiring because auto-renew failed due to an expired card and you fail to renew in time there is little to no grace time compared to other tlds. That one almost bit me on the arse once :-(
.es or .at, piece of cake. Try .ax! ;-)
Oh dammit, they opened it up for everyone. Nothing is holy these days.
No, try .aq!
Quatloos... I got that reference! ;) Just watched that ST TOS episode some nights ago (for the first time).
Always register your domain with a different provider.
A domain is one of the crown jewels of a company.
If you lose the domain, you lose everything (email, web, services, etc.), possibly permanently, with no option to migrate without losing your domain, branding, SEO position, etc.
e.g.
The consequences are not quite so dramatically irrevocable. I’ve recently assisted a family member whose hosting provider was bought by a gang of unscrupulous clowns and their domains effectively held to ransom. It took only hours to recover them and switch registrars, during which time I’d used/activated only the same channels and processes available to any other registrant. And AWS are not a gang of pirates.
Someone less directly versed in the intricacies of registries and registrars and service providers might take longer to assert rights, deploy governance machinery, and achieve the same result, but the existential finality described above would be better painted as a time-consuming and Byzantine inconvenience.
I read domain registration horror stories with a pinch of salt. Not just because the sector is (like cryptocurrencies) riddled with scammers and shysters and liars and con-artists, but also because even the most Kafkesque fuckups I’ve seen ultimately started with incompetence, inexperience, arrogance, or negligence (usually omitted in the telling) on the part of the apparent victim.
Can you share a resource to learn more about the recovery process?
Also worth using a premium domain service like CSC -- if there is an issue you have a 24/7 contact and for overseas domains they usually have local agents who can hold the domain if rules change that would ordinarily disqualify you from holding that ccTLD
Yes I agree, you can always do that and set Route53 as your dns for some specific AWS functionality. For instance static site hosting on a S3 bucket on your main domain (not www) isn't possible without having your domain in route53.
Bigger threat of losing domains is not paying for them.
When AWS initially started offering domain registrations, I transferred a few domains (that I'd already been using Route 53 for) over to keep everything in one place.
A few months later, I wanted to transfer them elsewhere, but quickly realized that the auth codes in the AWS interface had expired, with no way to renew them. I didn't have a support subscription since I only used the AWS account for these 4 domains + Route 53 and I wasn't about to pay Amazon 30$/month to get them to fix their own mistakes.
I naïvely tried contacting billing support (the only one you can contact for free, go figure) in the hope they could forward the bug report, but while they were very apologetic, there was nothing they could do.
So Amazon took my domains hostage for 6 months until they eventually figured out the bug on their own. Have not touched anything related to AWS ever since.
Route53 seem to have some weird gaps. For instance .nz (New Zealand) originally only allowed people to register 3rd level domains ( like company.co.nz or network.net.nz ).
This changed in 2015 and you can now register 2lds like company.nz or network.nz but AWS still hasn't updated their system. It means my employer has to have a 2nd registrar just for those domains. Nagging our TAM and asking other companies to do the same has had no effect.
Note that AWS use Ghandi.net for .nz registration (and many/most other TLS) and Ghandi _do_ support .nz 2lds
Is that really a big deal though? Register the domain, point the name servers, job done for 5 years.
It isn't just one domain. Big companies can have hundreds or thousands. Having a few percent of these with another vendor means you have to have additional bills (and get those through accounts), logins and the like.
Probably a good idea to keep one service for DNS records and domain hosting, a service that specializes in just that, instead of trying to use one service for everything (like what AWS does). If you try to shoehorn everything into a "all-in-one" solution you often end up with poor solutions overall just to fit it, while if you pick one solution per problem, you end up with the best fit. See also: Unix Philosophy
Route53 also has deeper integrations into Amazon therefore you can 'tag' services in that might change IP (via Elastic IP for example).
You could do that with CNAME or ALIAS between the DNS providers but it'd get messy. Otherwise if you rotate an IP then you'll have to manually update the other DNS or write your own glue, or hand over delegation for certain namespaces in the domain in a frankenstein fashion. See also: Keeping sanity whilst maintaining hundreds of moving parts
Domain registrar and DNS provider are 2 separate things. If I understood the linked article correctly you can not register a domain through Amazon. That doesn't mean you can not use Amazon as a DNS for that domain.
Agreed, in principle and in practice. For my own stuff, I've been happy with IWantMyName and DNSMadeEasy for registry + DNS per se, leaving me free to experiment with deploying to various providers (AWS, Digital Ocean, Vercel, Netlify...) without a hitch.
Big companies with that number of domains tend to use a 3rd party services such as MarkMonitor to manage this.
Now you have to remember to re register the domain in 5 years _on a different registrar._
Even large organizations struggle to do this with just one.
Gandi
Anyone have some insights on what a registrar usually needs to do to add a country's TLD? Sounds like it might be the kind of problem that's simple on paper but in practice requires jumping through all kinds of regulatory hoops for each new country. It does seem to be pretty common for registrars to be missing ccTLDs - .ai (for Anguilla), for example, is not supported by some registrars even though it's popular and at a glance it's just another ccTLD like the more widely supported .de or .ca.
OpenSRS has a list of TLD policies
https://help.opensrs.com/hc/en-us/sections/115001583368-TLD-...
and on that page there is a link (via a documentation page) to their TLD reference chart. It's amazing in a fairly horrible way, like a _"Falshoods Domain Registrants Believe About TLDs"_
I'm in the industry, and there's no regulation or standardization on ccTLDs. Some of them have customized one-off web portals that an employee of the registrar has to log in to to manually register a domain. It's totally understandable why many registrars don't (yet?) support all ccTLDs. Contrast with gTLDs, which ICANN requires the use of standardized protocols for (see RFCs 5730-5734). Offering gTLDs is _much_ easier; more work can be involved in signing the contracts with the registry operator than in configuring your system to point to an additional standardized API endpoint.
> Anyone have some insights on what a registrar usually needs to do to add a country's TLD?
ccTLDs are the Wild West. It's hard to generalize -- practically every ccTLD does _something_ weird that makes it difficult to support, though.
A few examples of areas where ccTLDs behave significantly differently from gTLDs are:
• Many ccTLDs require registrants to have some form of personal or business presence in the country. The requirements for how the registrant must prove that presence can vary.
• Some ccTLDs have unusual processes surrounding domain expirations and renewals. For example, under some ccTLDs, domains always expire at the end of a month, rather than exactly a year after registration. Additionally, some ccTLDs restrict when domains can be renewed -- for example, .au domains can only be renewed within 90 days of their expiration, and .eu domains cannot be renewed within 5 days of expiration.
• Domain transfers can get weird as well. gTLDs have a standardized process for domain transfer authorization; ccTLDs often modify this system or replace it entirely.
Each country has its own regulatory requirements. When I tried to register a dot-ai ~15 years ago it seemed like one guy who did it once a week would take paper checks only.
If Austria demands a valid Austrian ID number, Amazon would have to build an app to request this, validate it against the Austrian database, provide data security guarantees to the Austrian government for using this information, etc. If the barriers are higher than the demand Amazon will just say fuck it.
I've registered .at domains on gandi.net and there's no ID requirements. It's no more difficult than registering a .com or .co.uk domain name.
On the other hand, .com.au for example requires a valid Australian business registration number for domain registration.
Summary (for those not logged into AWS)
Original Request from Feb 22, 2017. AWS person says it has been added as a feature request but no ETA. Occasional updates since then with people requesting and AWS saying "No ETA".
The reason we're not using AWS is because we couldn't switch our entire network of a few thousand .at domains over here easily. It would have meant months of work. So we went with a competitor.
@AWS my 5cents: adding many more TLDs is one of the highest ROI investments you can make.
Is domain registration a big part of your hosting world? Surely anyone can register a domain with anyone and point DNS?
Registrars generally have terrible APIs for managing DNS delegations and ownership details. There are also good reasons to be able to manage DNS zone contents, delegations, and ownership through a single coherent set of APIs.
First thing in I do when I register a domain is point its DNS to Digital Ocean nameservers (some registrars even offer this in the signup process - no login or further setup required). That way all my domains are managed under one account irrespective of where they were purchased. They offer every DNS setting you would ever need (unlike some registrars) and their propagation is always super fast. Their API is top notch. The best thing is it's a free service, and the only service of theirs I use. No need for their cloud services. Just amazing DNS.
It sounds like you are talking about a zone contents API, and I agree that it's important to have a good one. But it's also important to have a good API for managing a domain's delegation and ownership information, so that you can ensure all your domains are managed consistently. Just pointing the DNS for a domain at a good DNS provider doesn't help with managing its delegation if the registrar is crappy.
if your business involves registering a high volume of a specific domain then yes, help with managing those would be vital, but most people registering domain names are web developers registering on behalf of clients
This doesn’t make sense. Domain registration is different than DNS. Many would argue keeping your domain registration separate is probably a good thing. Sounds like your problem was with the registrar (making it hard to update NS records to Route53 or anyone else) not AWS.
I want it has to do with .at's automatic renewals?
https://help.opensrs.com/hc/en-us/articles/203858976--AT-Dom...
_> .AT domains renew automatically. A domain must be cancelled 3 days before the expiry date to avoid renewal. ... If the reseller cannot reach the registrant, or if the registrant refuses to pay, refuses to sign the form, or claims not to have heard of the reseller, a Domain Withdrawal can be processed. To process this withdrawal, the reseller will have to contact OpenSRS support. They can state "I can not reach the registrant, please give the domain back to the registry". Once OpenSRS support processes the withdrawal the registry will no longer point the domain at OpenSRS. The registry will take over and contact the registrant. If the registrant is still unresponsive, the domain is deleted by the registry._
Namecheap also doesn't have them, I always have to buy them through
Separation of concerns is of the utmost importance in my experience.
Domains, DNS, App/Web Hosting, Email (Domain and Transactional), File Storage, Version Control, Backups, Secrets Storage, Directory Services, Zero-Trust/VPN, etc. should be on different providers (or different accounts if an overlapping provider), whether the services are third-party or self-hosted or a mixture of both.
Isn't that just maximising points of failure? I completely agree with the idea of keeping the domain registration separate as an ultima ratio recovery option, maybe opt for a third party when shopping for a second site backup and obviously an independent provider for your status page (which is also where you could bootstrap emergency communications if need arises), but everything else would just be more downtime reasons.
Would this service still provide value if all the others were down? Would all the others still provide value of this was down? If both answers are yes, separate, if both are no, don't, if the answers differ go with the flow.
Why is this relevant? Is there an advantage from getting your domain directly from AWS? At the companies I've worked at, we've always used Route 53 with domains we've bought elsewhere, so maybe I'm missing something. Perhaps there are things you can do if you get the domain from AWS, that you couldn't do otherwise?
Some of the registrars are pretty picky about their rules.
I have a .es (Spanish) domain, and it wasn't until quite recently that they stopped asking you to include your passport number or SSN in the WHOIS entry.
A number of registrars wouldn't let you buy the domain without residence in Spain either... Ended up going with a horrible registrar, and I transferred to Namecheap the moment they supported .es domains.
https://aws.amazon.com/route53/domain-registration-agreement...
states that they use gandi.net and domainbox.com as
registrars, both support .at.
So i guess they just forgot about it.
Would welcome a better explanation though.
Interesting, also there's no specific requirements for .at like requiring local residency or any kind of documentation requirements so it should be a straightforward implementation for CF as a reseller to those registrars.
How much does it cost to become a registrar of .at domains?
There's definitely a fair bit of overhead for becoming a registrar of all gTLDs and ccTLDs (there is generally a different application needed for each ccTLD), and for smaller countries the overhead might not justify the number of registrations they expect to get.
I had a quick look at Cloudflare's offerings and it looks like they're only offering gTLDs but intend to expand their ccTLD list.
Minimum monthly sales of 180EUR and an unspecified fee
https://www.nic.at/en/how-at-works/registrar#id143
The complete list of TLDs that you can register with Amazon Route53 is at
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/re...
.
You can always manage any domain with Route53, but registrations are only supported for these TLDs.
Last time I checked they do not support Switzerland. TLD is .ch. Fun fact: they are opening a AWS region in Switzerland.
We have lots of .ch Domains there. It's definitely possible since months...
I was able to transfer a CH domain into AWS
Cirrect me if I wrong, but wasn't AWS just registering most of the domains via Gandi? At least before they only used their own registry for few most popular TLDs.
It’s pretty simple. Aws doesn’t have a registry agreement with the registry that handles .at domains.