Registry Lock: The Ultimate Domain Protection
## What Is Registry Lock?
A **registry lock** (also called a premium lock or server lock) is the highest level of protection available for a domain name. Unlike a standard registrar lock — which is a setting in your registrar account that you can toggle yourself — a registry lock requires manual, out-of-band verification from the registry operator or a specialized registrar team before any change can be made to the domain.
When a domain is registry-locked, the EPP status codes include `serverTransferProhibited`, `serverUpdateProhibited`, and `serverDeleteProhibited` — flags set by the registry, not the registrar. Because these flags live at the registry level, they cannot be changed through the registrar's normal account interface, no matter who is logged in.
This is the key distinction: an attacker who completely compromises your registrar account still cannot transfer, update, or delete a registry-locked domain. The lock lives one layer above the registrar.
## EPP Status Codes Explained
You can inspect your domain's EPP status codes with the WHOIS Lookup Tool. The codes relevant to locking are:
| EPP Code | Set By | Blocks |
|---|---|---|
| `clientTransferProhibited` | Registrar | Outbound transfers |
| `clientDeleteProhibited` | Registrar | Deletion |
| `clientUpdateProhibited` | Registrar | DNS/contact updates |
| `serverTransferProhibited` | Registry | Outbound transfers (cannot be overridden by registrar) |
| `serverDeleteProhibited` | Registry | Deletion (cannot be overridden by registrar) |
| `serverUpdateProhibited` | Registry | DNS/contact updates (cannot be overridden by registrar) |
A registry-locked domain should show all three `server*Prohibited` flags, plus the corresponding three `client*Prohibited` flags from the registrar: six lock flags in total.
## Who Should Use Registry Lock?
Registry lock is designed for high-value, high-risk domains where the consequences of hijacking would be severe. Consider it for:
- **E-commerce domains** that process payments — a hijacked domain could redirect customers to a phishing checkout.
- **Financial services** — banks, payment processors, and fintech companies routinely lock their primary domains.
- **SaaS and cloud services** — A domain change could break authentication, API calls, and customer access for thousands of users.
- **Brand-critical domains** — A company's primary domain is its identity; loss of it can cause permanent brand damage.
- **High-traffic media and news sites** — Redirecting a popular site can spread misinformation at scale.
Registry lock is less necessary for low-traffic hobby domains or development domains where the cost and friction of the unlock process outweigh the risk.
## How the Registry Lock Process Works
The exact process varies by registry and registrar, but the general pattern is:
**Locking the domain:**
1. Contact your registrar's enterprise or security team (not standard support).
2. Request registry lock activation.
3. Provide identity verification — typically matching the registrant details on record.
4. The registrar submits a lock request to the registry.
5. The registry sets the `server*Prohibited` flags.
6. Confirm via the WHOIS Lookup Tool that all server-level flags are active.
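A small check that implements step 6 against the EPP status table above, added here as an example and not part of the original article or any registrar's tooling: it pulls the `Domain Status:` codes out of WHOIS output (or an RDAP status list, whose spaced-word form is mapped back to EPP codes) and reports whether the registry-level flags, the registrar-level flags, or neither are present. The WHOIS text is a constructed sample, and `EXAMPLE-LOCKED.COM` is a placeholder domain.

```python
import re

# Constructed sample WHOIS output (not a real lookup); the "Domain Status:"
# lines follow the format gTLD registries use to publish EPP status codes.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: Example Corporate Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# The three registry-level flags a registry lock sets, and the three
# registrar-level flags a standard registrar lock sets.
SERVER_LOCK = {"serverTransferProhibited", "serverDeleteProhibited", "serverUpdateProhibited"}
CLIENT_LOCK = {"clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited"}

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.MULTILINE)

def rdap_to_epp(status):
    """Map an RDAP status string (RFC 8056 form, e.g. 'server transfer
    prohibited') to its EPP code ('serverTransferProhibited')."""
    words = status.strip().lower().split()
    return words[0] + "".join(w.capitalize() for w in words[1:])

def extract_status_codes(whois_text=None, rdap_status=()):
    """Collect EPP status codes from WHOIS text and/or an RDAP status list."""
    codes = set(STATUS_RE.findall(whois_text or ""))
    codes.update(rdap_to_epp(s) for s in rdap_status)
    return codes

def assess_lock(codes):
    """Classify the lock level and report which expected flags are absent."""
    missing_server = sorted(SERVER_LOCK - codes)
    missing_client = sorted(CLIENT_LOCK - codes)
    if not missing_server:
        level = "registry-locked"        # all three server flags present
    elif not missing_client:
        level = "registrar-locked only"  # client flags only: a registrar account can clear them
    else:
        level = "unlocked or partially locked"
    return {"level": level, "missing_server": missing_server, "missing_client": missing_client}

if __name__ == "__main__":
    print(assess_lock(extract_status_codes(SAMPLE_WHOIS)))
```

Run it against the real WHOIS or RDAP output for your own domain after the registrar confirms activation; anything other than `registry-locked` with an empty `missing_server` list means the registry has not set all three flags yet.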
**Unlocking for a legitimate change:**
When you need to make a change (such as updating nameservers), you must go through an out-of-band verification process. Depending on the registrar, this might involve:
- A phone call to a pre-verified number with a verbal passphrase.
- A video call with identity document verification.
- A hardware token or cryptographic challenge.
- A physical mail confirmation.
This friction is intentional. The unlock window is typically short (a few hours), after which the lock re-activates automatically.
## Cost and Availability
Registry lock is not universally available and is not free:
- **Availability by TLD**: All major gTLDs (`.com`, `.net`, `.org`) support registry locking. Many ccTLDs do as well. Some newer gTLDs have limited support.
- **Registrar availability**: Not all registrars offer registry lock. Enterprise-focused registrars (MarkMonitor, CSC, Safenames, Gandi Business) typically do. Confirm before choosing a registrar if lock capability is a requirement.
- **Cost**: Expect to pay $100–$500+ per year per domain for registry lock service. Prices vary widely by registrar and TLD.
- **Minimum contract**: Some registrars require a managed DNS or enterprise agreement to access registry lock.
## Limitations
Registry lock protects against unauthorized changes through the registrar system. It does not protect against:
- **DNS-layer attacks** — Enable DNSSEC separately.
- **Hosting/server compromises** — Registry lock only covers the domain, not the servers it points to.
- **Legitimate-looking social engineering** — An attacker who successfully passes the registry's out-of-band verification can still make changes. The process is designed to make this extremely difficult, but not impossible.
## Registry Lock vs. Registrar Lock: Summary
| Feature | Registrar Lock | Registry Lock |
|---|---|---|
| Set by | Registrar | Registry |
| Override via account? | Yes (owner can toggle) | No |
| Requires out-of-band verification? | No | Yes |
| Cost | Free | $100–$500+/year |
| Suitable for | All domains | High-value domains |
For most domain owners, the registrar lock plus strong 2FA (Two-Factor Authentication for Domain Accounts) is sufficient. For business-critical domains, add registry lock. Combine both with the full Domain Security Checklist for comprehensive coverage.