Yesterday was a perfectly normal day. I had a coffee in my hand and had just finished eating a bite. I was playing around with some part of my newly designed website when suddenly I received a notification from my uptime service telling me that my website was down. I switched from Sublime Text 3 over to my browser and hit refresh and they weren't lying, it really was down. Allright, no need to panic, I got this. I was still logged in via
ssh and could still save the
html file I was just editing, so my server didn't seem to be the problem. Weird. Chrome was telling me that "kevingrahl.de’s server IP address could not be found."
Screenshot Google Chrome
Allright so let's check if everythings ok with my domain, I thought and headed over to Namecheap. Well shit. My domain kevingrahl.de, which I've used for years had just expired. I don't want to shift the blame to Namecheap, because clearly it was my fault not renewing the domain in time, but why the fuck didn't they send me some sort of reminder that my domain was about to expire? Domains with the country TLD .de (Germany) have some quirks: They can not be renewed later than 5 days before expiry. After that the domains enters what is called the "Redemption Grace Period" mandated by DENIC.
Redemption Grace Period for .de DomainsA cooling-off phase (called Redemption Grace Period – RGP) after deletion has been established for second-level domain names in the .de name space. This service protects domain holders against an unintentional loss of their domain(s) by accidental deletion.What is the Redemption Grace Period?If the registration of a .de domain is terminated, the deletion of the domain is followed by a 30-day cooling-off phase, the so-called Redemption Grace Period (abbreviated RGP). During the RGP, the deleted domain can only be re-registered for the last domain holder or for a third party named by the last domain holder. There is no charge for a Domain being in the RGP.
That doesn't sound to bad, eh? No charge for such a service that is intended to protect me from exactly what happened to me? I should be happy. But I'm not. You see while there's no charge for domains that end up in the RGP they do charge you if you actually want to use that domain again. DENIC explains this further down on their article about the RGP:
The re-registration of a domain name which is in the grace period for its last holder is associated with costs for the provider (registrar) acting on behalf of the holder. The domain holder must expect these costs to be passed on to them.
Namecheap seems to think that ~$210 (~€185) is a fair price for this. I do not. Would I register a new .de domain today via Namecheap it would cost me €6.07 (Renews at €9.60/yr). I could understand if it were 100-200% more than what they're asking for renewals. But from €9.6 to €185 is an increase of 1827% or 19.27 times more. To me that's usury. There is no way this price can be justified. They seem to prey on people who accidently lost their domain and need it back. Please note that I do not know if Namecheap or DENIC is responsible for setting this price.
Thankfully there is a way out of this mess without paying €185. I have to warn everyone reading this who's got a similar problem that this solution requires some luck and does not guarantee that you will get your domain back! Further down on DENIC's site they inform you that:
DENIC may deviate from the 30-day cooling-off phase for a domain in RGP, if the last domain holder waives the Redemption Grace Period by an explicit written declaration to DENIC.
What this means is I can send a letter to DENIC with some form of validation (I expect a copy of my government issued ID should do it) and then they prematurely end the otherwise 30 day RGP. I, and here's the catch, everyone else can register my domain immediatly after DENIC releases it. Here's to hoping I can register my domain again before anyone else will. However this will end it's sure to be a success!
“Success is stumbling from failure to failure with no loss of enthusiasm.”
― Winston S. Churchill
In the event that a third party gains ownership over my domain I'll have to buy a new one. It'll be a pain in the ass to recover all my accounts that use @kevingrahl.de email addresses but at least I dramatically reduced the chance of account takeovers by using a unique address for nearly every service. Should someone be in control of my domain kevingrahl.de they'd still need to know which email address I used for which service in order to reset the password. Those email addresses are not guessable. And of course the more secure accounts all have 2FA enabled.
I'd like to mention the completely uncapable Namecheap support agent who when asked if I could register my domain again if DENIC releases it early from RGP told me that he was "not authorized to assist me on this matter" and that I should "please contact DENIC" instead. WTF Namecheap?
In the meantime
Since only my domain is affected but my server is still fine I can use the domain tenebris.uber.space in the meantime. All parts of my website are static and generated by hand and there were a few instances where I linked sites or ressources with links containing my domain. I had to edit those out and replace them with relative links to make it work with this domain. I can't be sure I got everything so if you see some site where for instance there doesn't seem to be any styling of the page or images are missing please let me know.
Speaking about letting me know; I will not get any emails to all my addresses @kevingrahl.de until I have my domain back!
You can contact me via email@example.com
What you can learn from this
- Don't be stupid and forget to renew your domain
- Perhaps make a reminder and renew it a few months before it expires
- Maybe don't use links using a domain name on your website's internal links
- If you run your own mail servers: Have a backup ready in case something fails
I submitted this article to HackerNews where some people commented on it.