People get tied to their registrar by using their DNS or other services. It's a mistake, but it's extremely common.
So if you have someone using GoDaddy, and everything is working, how do you sell them on the idea of migrating DNS or hosting or email if they've never had an issue?
There's been a story a few years ago that GoDaddy was blacklisting entire countries not only from their own website, but also from the DNS provided to their customers.
So, at a minimum, your website and email may not work worldwide if you're using the DNS disservice of GoDaddy.
I would NEVER use GoDaddy as a registrar, but if somehow that was a necessity, I would 100% NEVER use their DNS.
It does sound snarky, maybe GoDaddy was the cheaper option at one point and they stuck with it. I get that.
I use some square space for a lot of stuff, but it's largely because Google Domains sold out and the price is "fine." Sure, I could use something else, but this works, the cost is correct, and - I can't stress this enough - it already freaking works. I also use a python as a service tool I point at frequently. Their customer service is great, so I doubt this would ever happen there? But yeah, I'm not manually configuring a server somewhere most of the time.
Is it the "best" possible tool for the job? Not really, but it works well enough for the stuff I use and my workflows are already rock solid to deploy code to prod, etc. Is it because it's impossible for me to spin up a VPS or I'm too stupid to figure out Hetzner? Probably. But no, I've done it before, I could do it again, but that would take me X hours that I'm not getting paid for to migrate for limited utility, possible customer interruptions, and stress. I might need to migrate in a year or so, but until then, I'm not going to bother.
I reckon that's a similar sort of thing that happened here and depending on what they're doing business-wise, Lee could be insanely competent IT person and was just unlucky because the hammer he reached out for with GoDaddy actually turned out to be a foot gun that took years to fire.
It happens, it's not ideal, but it happens - I'm just glad they got it figured out and I'm glad that these sorts of events percolate up in the hn zeitgeist, because I definitely know who I won't be turning to in the future. Like, I kind of already knew GoDaddy was trash? I used them something like 10 years ago to spool up a website for a friend of mine. The whole experience was garbage then and I said, "never again" - but also that was kind of at the beginning of me even learning about how this stuff works? But I could totally see a scenario where I get snared into a product ecosystem and the opportunity cost of switching out of it outweighs staying put until it blows up in my face.
Read every alternative volunteered here. Imagine any world where in the next 5 years they can't be enshittified, sold to a predatory private equity, their support lines AI-ified, their headcount reduced by 40% without your knowledge, etc etc. 27 years is a very long time.
A competent IT person can have a backup plan for every expected failure. They can't control registrar level screw ups.
Companies explicitly selling you "bulletproof domains" like MarkMonitor have screwed up big time.
Also as an IT guy, asking to register a new domain with X is much easier than asking to transfer a long held domain away from Y.
Where would you host domains?
CloudFlare since they sell domains at cost and have really good DNS infrastructure with some free protection features. If the TLD isn't supported by them for registration then I'd just use their nameservers.
Or Route53 if you're using AWS since that makes it easier to integrate with the rest of AWS and manage in IaC, and AWS also has robust network/DNS infrastructure.
(I would say GCP if using GCP/Google Workspace, too, but since they split domains off to Squarespace I really don't know what is happening over there anymore as far as domains go.)
So far those 3 have been more than sufficient for all of my domain needs.
Domain registration and all other services should be separate. You don't want DNS, web hosting, mail hosting, etc. ToS applied to your registrar account because it increases the risk of the account getting locked.
I haven't had that experience at all with them before. I also don't put much stock in one off experiences from someone who is admittedly not in a situation that almost anyone else, much less someone registering their domains through GoDaddy currently, would find themselves in (i.e. operating an online casino and engaging in behavior that is very obviously a legal/ToS gray area at best).
> One is that since we are a casino…
This is kinda buried but the whole scenario makes a lot more sense with that context.
If it is extremely critical, MarkMonitor.
Otherwise, Porkbun or Cloudflare Domains if you're ok using their DNS.
What's good about MarkMonitor? All I see is Gartner-friendly buzzwords and AI generated "business people".
They specialize in domains management for businesses who consider their domain to be _very_ important. Think Google, Amazon, Microsoft, Wikipedia... (all of those are listed as clients on the wiki page)
As in "pay a lot of money", and we'll dedicate someone to your domain who makes sure that "giving a domain to a stranger without any documents" will _never_ happen.
a number of the largest companies that used to be 'clients' of markmonitor have now basically become their own domain registrars and have a direct relationship with ICANN. Amazon for instance. It's curious that google was one and has offloaded it to squarespace.
I'm pretty sure google never used them for their own domains, and the whole markmonitor/squarespace thing was their "google domains" product where they sold registrar services to others. Besides that they also are a registry for .app/.dev and others, but don't sell them via their own registrar anymore.
This is the best approach IMHO if you're a large, extremely valuable company registering a lot of domains.
I want to know this, too. My enterprise clients tend to like using it but that certainly doesn't mean anything.
See other sibling comments to yours, but you basically have named support contacts who would have been the human-in-the-loop ensuring that a situation like OP's can't happen.
I haven't spoken to them in like a decade, but they also offered other monitoring stuff like notifying you of likely phishing registrations, etc. And it's no longer novel now with options like Route53, but they used to be one of the only solutions with proper RBAC/delegation/audit logs.
I suspect you mean register/renew:
Depends. If it's something really high priority (like main domain for a large corporation) I'd likely be paying CSC 4 digit sums per domain per year.
For stuff a tier below that I'd be looking at companies that are serious about security and happen to do domains as well e.g. Cloudflare, Amazon
Literally anywhere else, GoDaddy is utter trash and has been for many years. Namecheap is the one I use personally.
Namecheap has had its own host of issues like a few years back breaking hsts and causing tons of sites to break for quite a while and their response was basically oh well. That incident along made me move my domains off to porkbun.
Porkbun uses cloudflare as their DNS backend, and has accidentally issued certs for domains hosted on them (https://news.ycombinator.com/item?id=40455508 was one instance).
Since cloudflare is basically the only registrar that will not allow you to host nameservers anywhere else I'd be weary to use them (even indirectly).
I do wish Namecheap's Dynamic DNS support supported IPv6 though...
Porkbum or Gandi or name.com
Gandi's support collapsed a couple years ago. Couldn't even get ahold of anyone with a pulse to help with transfers.
Gandi has started increasing prices like crazy in the last few years.
Why not?
GoDaddy is a valid domain registrar. The customer had dual MFA set up. The customer did all the right things.
I’ve never heard of Godaddy making this kind of egregious mistake before. I’ve heard of some doozies, sure, but nothing like this.
Don’t blame the victim. “It’s their fault they got robbed, they left their door unlocked” is not a valid response to a situation like that or like this. The robber still stole, and godaddy still broke their own rules, rules that customers pay to have enforced.
When you find yourself victim-blaming, you will find yourself on the wrong side.
Such a mistake should never happen, but it's not even about the mistake. It's more about how absolutely awful their support is to revert the mistake.
After you read this mess and still call it valid? Keep having it your way, we probably will read your tragedy post too.
Maybe you havent, but I and others certainly have heard of this kind of "mistake" aplenty from them. They're infamously bad for this kind of nonsense let alone their other more predatory practices such as frontrunning domain registrations.