Registry Lock

A registry-level service that disables automated EPP changes to a domain, requiring an out-of-band manual process (phone or signed authorisation) to modify nameservers, contacts, or transfer status.

Registry lock is a high-assurance domain protection product offered by major registries (Verisign for .com/.net, Identity Digital for many gTLDs) on top of the standard EPP client*Prohibited status flags. Once enabled, no EPP command from the registrar can change NS, registrant, transfer status, or delete the domain. Unlocking requires a manual authentication ritual with the registry: phone calls, passphrases, designated personnel. Facebook, Google, Microsoft, and most banks use registry lock on their primary domains. It is the standard defence against the registrar-compromise hijack pattern (attacker takes over a registrar account and changes nameservers to steal traffic).

Related terms

Registry
Registrar
Auth Code (EPP)
EPP

Referenced on

Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
DNS Hijacking Explained: How Attackers Take Control of Your Domain's Resolution

Back to the full glossary

Related terms

See also

Referenced on