Domain Registry Locking: Insights and Trends in Adoption Among gTLD Industry Leaders

What is Domain Registry Locking?

As the digital landscape continues to evolve, the need for robust security measures has never been more pronounced. One such measure, Domain Registry Locking (RL), has gained attention for its role in protecting domain names from unauthorized transfers and modifications. Domain Registry Locking is a registry-level security service that places special Extensible Provisioning Protocol (EPP) status codes on a domain name for enhanced security on the individual domain. The status codes added to the domain name are “serverDeleteProhibited,” “serverTransferProhibited,” and “serverUpdateProhibited.”

However, despite its importance, adoption rates for registry locking remain relatively low across various domain registries. This article will look at Domain Registry Locking from a generic Top-Level Domain perspective as the first in a series of articles published by Markmonitor looking from a wholistic approach across the entire domain industry landscape.

In this article, we examine feedback from key stakeholders in the domain registry space to understand the current state of Registry Locking, its adoption rates, and potential avenues for increasing its usage. We engaged with some of the biggest gTLD registries and Markmonitor’s partners in the domain industry and gathered data and insights from Internet Naming Co, Google Registry, GoDaddy Registry (GDR), Public Interest Registry (PIR), .ART, Identity Digital, Verisign, and Radix, which form the basis of this analysis.

Current Adoption of Registry Lock

From the responses collected, it is evident that Registry Locking is not universally adopted at a large scale, though its potential remains significant. The data paints a picture of cautious engagement, often characterized by a lack of active marketing or promotion.

Registry Lock Usage in Numbers

• Internet Naming Co: Less than 1% of domains across their zones use Registry Lock.
• Google Registry: Approximately a few hundred domains, out of 1.5 million, have Registry Lock applied.
• Identity Digital: Just under 1,000 domains are using Registry Lock, with the highest numbers on high-volume TLDs like .info, .io, and .mobi. Looking at the statistics reported to ngtldstats.com, Identity Digital reports over 7.5M domains under management. Considering shy of 1,000 domains are utilizing Registry Lock for security of their domains shows room for growth in the domain industry.
• .ART: No active use or demand for Registry Lock, as their registrants have not expressed interest.
• Radix: No active use or demand for Registry Lock as their end users haven’t expressed interest in use.
• Verisign: With the security of .com names being paramount, Verisign has implemented Extensible Provisioning Protocol (EPP) to streamline Registry Lock requests.
• GoDaddy Registry (GDR): Figures on Registry Locked domains remain low, not a significant number compared to the DUM count of over 3M domain names.

Percentage of Total Domains Under Management (DUMs) Using Registry Lock

Across the gTLD sector of the domain industry, the percentage of domains under management (DUMs) utilizing Registry Lock is low, typically below 1%. This reflects a broader industry trend where Registry Lock, though important, has not yet seen widespread adoption. However, that does not indicate that Registry Lock will not achieve widespread adoption, as we’ll touch on in the next few sections, but we’ll first outline the procedures and protocols for the reader.

Procedures and Protocols for Registry Lock

Of the registry respondents who have implemented Registry Lock and actively use it, highlighting the procedures and protocols used is beneficial to better understand the complexity and effort that Registry Lock requires.

Verisign notes in their response that authorized individuals, both from a participating registrar partner and registrant, must provide Verisign with their Registry Lock request via email and then via phone call, providing their individual and unique security passphrase to remove or place any Registry Lock services on their domain to modify the domain or nameservers in any way. This approach is the standard approach for many gTLD registry operators who offer Registry Lock services, as it increases the level of security through multifactor authentication (MFA) and relies on individual security measures to make changes to the domain names under Registry Lock.

Identity Digital & Godaddy Registry included details about the implementation of Registry Locks to domain names under their respective managements and both are applied through the same multifactor authentication manner in which registrant’s contact their registrar to apply Registry Lock, the authorized individual at the registrar then contacts and verifies their identity with the registry to apply or remove the Registry Lock. One interesting thing to note during our research was that Identity Digital allows for domain names to be unlocked for specified amounts of time, with 72 hours being the maximum amount of time a lock can be removed from a domain.

Google Registry responded that they set up a number of authorized users from the registrar who are provided with a registry lock-specific account, linked to their registrar-issued email. These authorized users need to log into the Google Registry portal with the account Google Registry provide and additionally have access to their own email to provide a second factor of authentication, every time a registrant or registrar want to apply or remove a lock to a domain. In this way Google Registry feels they maintain a high standard of security, while removing extra process that may slow down urgent operations.

Some respondents did request streamlining the Registry Lock protocol via EPP commands; however, Markmonitor’s stance is that manual processes need to be in place to ensure the utmost security of our clients’ and the broader end-users’ domain names, especially high-value domain names and actively used domain names.

Perceived Value and Satisfaction with Current Adoption Rates

For most registry operators, Registry Lock is not seen as a core service driving significant customer engagement.

• Internet Naming Co: They have no specific expectations regarding Registry Lock adoption, as it is not actively marketed.
• Google Registry: Despite providing Registry Lock, Google Registry’s adoption numbers are modest, and they express a desire for greater awareness and usage among registrants.
• Identity Digital: They have a limited adoption rate, but the domains that use Registry Lock tend to be on higher-volume TLDs. However, Identity Digital acknowledges that they don’t proactively market the service.
• .ART: Since there has been no demand for Registry Lock, there is no dissatisfaction — simply a lack of need for the service.
• Radix: Similar response, the demand is low and the cost to implement does not meet the need.
• Public Interest Registry (PIR): They don’t actively promote Registry Lock. PIR suggests that a more proactive approach could increase usage.
• Verisign: Verisign was unable to provide data relating to their Registry Lock product, but we predict that, while larger than most registries, the percentage could still be in the single digits across all of Verisign’s extensions when looking at the amount of registered domains Verisign has under management.
• GoDaddy Registry (GDR): Registry Lock is not something they promote heavily; they do offer it if a customer (the registry operator of the top-level domain) requests.

The overall sentiment among registry operators is that while Registry Lock is a valuable security tool, the lack of demand from end-users and the absence of significant marketing efforts contribute to low uptake rates. When speaking with Google Registry, a senior member of the Google Registry Management team noted that “We have to lean on the registrar channel as they have direct engagement with end-users. We believe that having removed one of the most significant barriers to adoption, by offering Registry Lock at little to no cost compared to the rest of the domain industry – we revealed the next obstacle: need for broader education. Therefore, we support efforts centered on clearly communicating the benefits of registry-level protections to the public, in concert with our partners.”

Registry Lock: Marketing and Awareness Challenges

When asked about marketing efforts, responses indicated a clear trend: Registry Lock is not actively promoted. This lack of promotion appears to be a significant factor contributing to the service’s low adoption.

• Google Registry: They don’t engage in direct marketing for Registry Lock, primarily because it is an opt-in service for registrars. Their hesitance to engage in end-user marketing stems from the potential friction it could create with their reseller partners.
• Internet Naming Co: Similarly, they don’t engage in marketing for Registry Lock, citing the lack of active efforts to sell the service.
• Identity Digital: Acknowledges that they don’t actively market the service externally, but would be open to growing usage with more support from corporate channels like Markmonitor.
• .ART: There is no current marketing for Registry Lock, as it is not a demand-driven service for their registrants.
• Verisign: Provided a linked document outlining the benefits of Registry Lock, and why it’s an important part of your business’s security. Counter to the rest, they do engage in Registry Lock marketing efforts.
• GoDaddy Registry: They do not market it widely, with no plans to increase Registry Lock marketing.

Opportunities for Increased Registry Lock Adoption

Several respondents provided suggestions on how Registry Lock could see greater usage:

• Google Registry: They suggest the need for more general education about the security benefits of Registry Lock but recognize the challenge of promoting it without directly targeting end-users.
• Internet Naming Co: They believe that more marketing and awareness among corporate registrars like Markmonitor could help increase usage.
• Identity Digital: They are relatively satisfied with the uptake but acknowledge that adoption is still low, primarily among high-volume TLDs.
• Public Interest Registry (PIR): PIR highlights that if Registry Lock were to be marketed more directly, it would require system updates and a shift towards automation in the process.
• Verisign: Adoption is higher compared to other registries but understands the need for more awareness around the service, which is why resources for registrars and registrants was created.
• GoDaddy Registry: Instead of Registry Locks applied to a domain, they prefer registrants to block names via domain blocking products such as GlobalBlock or DPML.

Despite these insights, there remains a clear need for further education and awareness-building in the industry. The end-user adoption relies on understanding and the respondents believe this can be achieved through the corporate registrar channel.

Challenges in Increasing Registry Lock Adoption

While respondents agree that Registry Lock offers critical security benefits, various factors hinder its widespread adoption:

1. Lack of Awareness: Many registrants and even registrars themselves are not fully aware of the advantages that Registry Lock provides in safeguarding domain names from unauthorized changes or transfers.
2. Complexity in Marketing: Some registries, especially those that have opt-in models, are hesitant to market Registry Lock to end-users, fearing it may conflict with their existing relationships with resellers or registrars.
3. Manual Processes: For some registries, the reliance on manual processes rather than automated systems makes offering Registry Lock a more cumbersome task, contributing to the reluctance in scaling the service.
4. Cost Considerations: Although most responses did not indicate cost as a primary barrier, some registries did note that further price reductions are not feasible, suggesting that Registry Lock remains a premium service.

Future Outlook and Changes to Registry Lock

When asked about future plans for Registry Lock, the responses were generally conservative, most registries indicated that they are not planning significant changes to their Registry Lock offerings in the near future.  

• Google Registry: plans to expand adoption among registrars but does not have any immediate changes to the service itself.
• Internet Naming Co: is not planning any changes and does not actively market the service.
• Identity Digital: is also not planning significant changes, although they recognize that offering Registry Lock more proactively could lead to greater adoption.
• .ART: is not currently considering Registry Lock as a critical part of their offering.
• Radix: is not considering implementing a Registry Lock service as part of their offering. When comparing domains under management count and looking at ngtldstats.com, Radix has over 9M domains under management. Considering that Registry Lock is not a service this registry is going to implement, there is a large number of domains that do not have the option of an added layer of security that Registry Lock provides.
• Verisign: no plans to change current offering.
• GoDaddy Registry (GDR): No plans on changing the product, unless a specific feature of locking is asked for.

Domain Registry Locking: Security for Business-Critical Domains

While adoption rates are low, this isn’t unusual when taking into account the varying level of registrants who use domains, business decisions from registrars, and active usage of domains across all gTLDs in the industry. Registry Locking is a niche product that is only suitable for domains that are critical to a registrant’s business operations and require the extra layer of security that Registry Locking can give. The manual nature of the mechanism to lock a domain means it adds extra steps to the domain management process, and this can be laborious for some registrants and registrars. However, for those domains that fit into the business-critical bucket, we would strongly advise locking the domain because for these domains, the benefits of the increased security of your business-critical domain far outweigh the risks of unauthorized or unwanted changes to your domain. Registry Locking a domain that was secured as a defensive registration is not as critical as Registry Locking active and in-use domain registrations. 

The perceived low level of awareness of the Registry Lock product among registrants could be because not every registrant requires Registry Locking for their domains. Nor does every registrar offer Registry Locking as a service. A business that has a large portfolio of domains may only need to lock domains that are business critical, rather than any that are registered for brand protection purposes. Registrars who don’t have corporate clients who require Registry Locking don’t necessarily need to offer or market the service.  

Registrars could do more to advise their clients on which domains would benefit from locking which could increase adoption rates. Corporate registrars actively market Registry Locking as a beneficial tool that corporate clients can utilize to better secure their domain names. Of the other registrar types, retail registrars and reseller models, the same level of domain security may not be as paramount to their registrants as they are more diverse, with different needs and different priorities, and thus retail and resellers may not have as robust a Registry Locking offering.  

With that being said Registry Locking is still important to all registrars and registrants with some retail and reseller registrars having registrants with business-critical domains and that is when a Registry Locking service is vital for security. 

Interested in Leveraging Registry Lock on Your Business-Critical Domains?

Markmonitor has written insightful pieces detailing how Registry Locking can benefit brand owners, to quote  “… registry locking – it’s an often underutilized and yet vitally important security measure for safeguarding a business’s digital presence.” To learn more about how registry locking can assist brand owners with their domain security, please read the linked article.

We are committed to advocating for both our clients and the domain industry to help make the internet more secure and stable. We work closely with registry operators around the world, both gTLDs and ccTLDs, to promote the standardization and wider adoption of Registry Lock protocols through our engagement at ICANN and industry working groups. By acting as the trusted intermediary for our clients we are able to provide registry operators with key insights into challenges many brand owners may face when looking at domain security across their actively used domain names and standardizing these security measures ensures consistent protection across all domain extensions, making it easier to prevent unauthorized changes and respond quickly to threats.

We believe that having strong, uniform registry lock protocols benefits not just our clients, but the entire internet community. Our passion for security drives us to lead these efforts because protecting domains is essential for building trust and stability online. At Markmonitor, we are dedicated to helping create a safer internet for brands, businesses, and users everywhere by pledging to increase the amount of Registry Lock protocols through collaboration with registry operators and an increase in standardized practices across the domain name industry.