Request transfer code directly from CIRA

Thanks Richard. Some registrars still want us to e-mail them to get the authorization code. No more headaches.
 
Thankfully I have private email for domains or I can see this contributing to a lot of spam.
 
Thankfully I have private email for domains or I can see this contributing to a lot of spam.
I don't think it will lead to spam because you must know the email/domain combination for it to work. Any invalid pairing will simply not send an email. And, as you know, CIRA does not publish individual data in WHOIS so in theory, the only people that should know the correct pairing are the registrant or admin contact.
 
GoDaddy has issues too. When I bought a bunch of domains this year in a private transaction, they pushed the domains to me and GoDaddy then refused to give me the Auth Code for 60 days even though the domains were not locked. It was this stupid argument where I eventually got to a support supervisor and he said the domains are locked, I said look at whois and you can see they are not locked. He refused to acknowledge that the domains were not actually locked. I then tried saying, if the domains are really locked, then sending me my auth codes is harmless because if the domains are locked, the auth codes won’t work, right? He again refused to acknowledge that my logic was correct and I had no choice but to wait. Basically GoDaddy is enforcing their own policies, not those of individual registries.
 
Excellent news and a nice surprise I didn't see coming.

Thanks @richard.schreier, and please thank your team too. Very simple and clean. Great work.

I assume these transfer codes don't expire, but I have to wonder since some codes do expire at certain registrars (and don't at others). For example, they don't expire at GoDaddy but Rebel says they expire in 10 days. I'm not sure about WHC and Namespro since nothing is said when you request/receive them.

Don't all the codes come directly from CIRA, and do they really expire (only at some registrars)?

Lastly, and I don't want to seem ungrateful or greedy, but is there any way this tool could unlock the domain at the same time too?
 
GoDaddy then refused to give me the Auth Code for 60 days even though the domains were not locked.
I wish I had known since I could have helped you. I found a solution to this after having similar trouble with GD.

The trick is to go to your domain manager and export a list of the domains you want. While going through the process, just make sure to check off the box that says "Include domain authorization codes?"

Then poof, you can get auth codes under any circumstance, without asking. Even when the specific function to request the auth code is disabled for whatever reason.

 
Lastly, and I don't want to seem ungrateful or greedy, but is there any way this tool could unlock the domain at the same time too?

OMG, I forgot that was a manual process at places like Namespro as well, the code will do nothing if you cannot unlock the domain.

WHC and Canspace shine in this department, they use similar software and unlocking is as seamless as getting the transfer codes.


@Esdiel my guess is that will never happen because they would be intruding into the registrar space of services.
 
The trick is to go to your domain manager and export a list of the domains you want. While going through the process, just make sure to check off the box that says "Include domain authorization codes?"

I keep a local copy of that list, it's amazing the information you get if you ask it to include all fields, it's like a little treasure trove.
 
OMG, I forgot that was a manual process at places like Namespro as well, the code will do nothing if you cannot unlock the domain.

WHC and Canspace shine in this department, they use similar software and unlocking is as seamless as getting the transfer codes.


@Esdiel my guess is that will never happen because they would be intruding into the registrar space of services.
Correct @MapleDots, we would not override a lock placed by a registrar as a routine automated process.
 
Thankfully I have private email for domains or I can see this contributing to a lot of spam.

Plus, if someone wanted to be an ass using visible corporate/business WHOIS data, they could fill up someone's inbox with fraudulent transfer codes and potentially scare the crap out of some poor intern. Let's say someone didn't like Company XYZ or its policies, it would be Mickey Mouse to create a mass influx of CIRA 'transfer code' email.

Then do it again tomorrow. And the next day...

I just read that it doesn't override the Domain Lock, so I'm off to lock all my domains down hard.

 
Plus, if someone wanted to be an ass using visible corporate/business WHOIS data, they could fill up someone's inbox with fraudulent transfer codes. Let's say someone didn't like the company or its policies, it would be Mickey Mouse to create a mass influx of CIRA transfer code email.

Also, I am assuming this procedure also unlocks the domain, which is kind of dangerous for valuable domains.

This procedure does not unlock the domain and frankly, if someone wanted "to be an ass using visible corporate/business WHOIS data", they don't need this process or app to do that.
 
frankly, if someone wanted "to be an ass using visible corporate/business WHOIS data", they don't need this process or app to do that.

I'm not really understanding this specifically regarding transfer codes, as previously you would either have to a) physically call the CIRA and identify yourself or b) login to your Registrar account, in order to request a Transfer Code.

I can attest there is nothing scarier than getting a pile of Official Domain Transfer emails direct from CIRA - I've had that happen with domain sales where the buyer never changed the contact email, and there was also that time BareMetal shut down several registrars and amalgamated under one, and I literally received hundreds of "Your Domain has been Successfully Transferred" emails.

I literally almost had a heart attack (my watch gave me a heart rate warning and I never get those) when the emails started pouring in. It was insane.
 
I just tried to request some auth codes for domains at Rebel (as a test) and it doesn't seem to work. Tried multiple times with multiple domains and I'm not getting any emails, whereas I get the emails instantly for domains at other registrars.

Might it have something to do with their auth codes expiring in 10 days? They also automatically unlock the domains when you request the auth code from their interface... maybe that has something to do with it?

Not a big deal since Rebel makes it easy to request the auth code but I thought I'd point it out.
 
I just tried to request some auth codes for domains at Rebel (as a test) and it doesn't seem to work. Tried multiple times with multiple domains and I'm not getting any emails, whereas I get the emails instantly for domains at other registrars.

Might it have something to do with their auth codes expiring in 10 days? They also automatically unlock the domains when you request the auth code from their interface... maybe that has something to do with it?

Not a big deal since Rebel makes it easy to request the auth code but I thought I'd point it out.
@Esdiel I have tried it personally for my domain (also registered at Rebel) and it worked fine. The only reason it would not work is if the pairing of the email and domain name did not match. If you want to email me directly at CIRA (richard.schreier@cira.ca) I can verify.
 
I can't see how it would contribute to much if any spam. Even if your email is in public whois, that's where they are going to get it from - no auth code request form needed. As long as they don't allow you to attach a message, spammers have nothing to gain by requesting auth codes on your behalf. That's the problem with the CIRA Registrant Contact Form, I occasionally get spurts of spam from that one (offering web design & hosting services), although not much in the past month, so maybe CIRA is monitoring the usage of that form for abusive IPs and email addresses and message content, all of which could be used to identify and block spammers. Or maybe it was too much effort for too little return. In any case, that seems to have subsided for now.

I have 5000 domains and have had more than 10,000 in the past, the vast majority have always had public whois, and I don't get hardly any spam. What I do get is very manageable. I hate the whole "spam" argument for having whois privacy. Based on my portfolio and public email and the amount of spam I get, I call bullshit on the entire spam argument. I would MUCH rather see the transparency of domain ownership. The spam argument is nothing more than a shield for those who want to hide.

As for the security of the new auth code retrieval tool from CIRA, let's discuss that.

At the lowest level of security employed at some registrars, you'd simply have had to hack a user's password at the registrar account level. Registrars that provide the auth code on demand in a web browser, and which have the registrant's email address as the account username, they have the least level of security. It's basically just one level - your registrar account password.

If your registrar's account username is something other than your registrant email address (like Baremetal does), then that adds a second piece of required info, your unique account username. So that's an added level of security.

If your registrar has two-factor-authentication, that adds another level of security required to overcome.

If your registrar only emails out auth codes to the registrant email, then that requires another level of security to overcome (hacking your email account).

You can also add a level of security at your registrar level by utilizing the "lock" mechanism that every registrar has in place, although, if they've already hacked your registrar account, then that lock is useless and adds zero protection.

You can also add a significant level of security by using two-factor authentication on your email account(s).

In the case of the CIRA auth code retrieval tool, it is indeed just the one level of security to circumvent (your own email account), but only if you have public (corporate) whois data. So unless that fits your scenario, there is really zero reason to complain about it. Zero. It's only a benefit to you to be able to complete a transaction without having to beg the usual suspects of registrars who are slow to respond or have their own agendas.

Now if you ARE a corporation with public whois, like myself, yes, you should be ultra concerned about getting your email hacked. Let's face it, if your email gets hacked, they can likely recover your username and password anyways, thus nullifying a couple levels of security listed above. And once that's achieved, the lock and authcode request is easily achieved, whether it's through the registrar or CIRA.

So - does this auth code tool ACTUALLY make anything less safe for the domain owner? If you don't take care in choosing your registrar and make good security choices, sure, you can argue that it reduces the level of security down to simply hacking an email account. But as described, in many existing cases, this is all that's needed anyways. Hacking the email account allows you to recover a username, reset the password, unlock the domain, request the auth code, boom it's gone. Your email is the primary linchpin to all of this.

So as @richard.schreier says, there are various security options available to the Registrar. Renewal prices are certainly a key driver for domainers with large holdings. But other options such as security, domain redemption prices, bulk management tools and general hassle-factor are all involved. Choose wisely.

If you're concerned about security of your .CA domains, your best course of action is to:

1. use two-factor authentication on your email account.
2. use a registrar with good security practices, like two-factor authentication.
3. consolidate ALL your domains to a single preferred and trusted registrar as soon as 60-day holds are released.
4. consolidate all your domains and registrar accounts to a single registrant & email account.

No single course of action will secure your domains. The responsibility is on you to practice safe domaining.
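
An added example, not part of the thread and not CIRA's or any registrar's code: it encodes the layers the post above describes (registrar 2FA, registrar lock, public WHOIS, mailbox 2FA) plus the earlier statement that the CIRA tool does not unlock a domain, and reports which domains fall to a compromise of the registrant mailbox alone. The inventory records, field names and path labels are assumptions made for the illustration.

```python
# Added example; every record and field name below is constructed for illustration.
# The .example names stand in for .CA domains.
INVENTORY = [
    {"domain": "alpha.example", "registrar": "RegA", "email": "owner@corp.example",
     "public_whois": True, "locked": False, "registrar_2fa": True, "email_2fa": False},
    {"domain": "bravo.example", "registrar": "RegA", "email": "owner@corp.example",
     "public_whois": True, "locked": True, "registrar_2fa": True, "email_2fa": False},
    {"domain": "charlie.example", "registrar": "RegB", "email": "me@private.example",
     "public_whois": False, "locked": True, "registrar_2fa": False, "email_2fa": True},
]

def inbox_only_paths(d):
    """Ways a transfer can complete if only the registrant mailbox is compromised."""
    # Post's assumption: a password reset via the mailbox yields the registrar
    # account unless the registrar enforces two-factor authentication.
    account = not d["registrar_2fa"]
    # A registrar lock only helps while the registrar account is out of reach.
    unlocked = account or not d["locked"]
    paths = ["registrar-reset"] if account else []
    # The CIRA tool mails the code for a correct email/domain pairing (known when
    # WHOIS is public) but never removes the registrar lock.
    if d["public_whois"] and unlocked:
        paths.append("cira-tool")
    return paths

def audit(inventory):
    """Map each domain to its mailbox-only paths and the controls that close them."""
    findings = {}
    for d in inventory:
        paths = inbox_only_paths(d)
        fixes = []
        if paths and not d["email_2fa"]:
            fixes.append("enable 2FA on mailbox")
        if "registrar-reset" in paths:
            fixes.append("enable registrar 2FA")
        if "cira-tool" in paths and not d["locked"]:
            fixes.append("set registrar lock")
        findings[d["domain"]] = {"paths": paths, "fixes": fixes}
    return findings

def sprawl(inventory):
    """Distinct registrars and registrant mailboxes (items 3 and 4 of the list)."""
    return ({d["registrar"] for d in inventory}, {d["email"] for d in inventory})

if __name__ == "__main__":
    for name, f in audit(INVENTORY).items():
        print(name, f["paths"] or "needs more than the mailbox", f["fixes"])
    print(sprawl(INVENTORY))
```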
 
