Home 零对冲(ZeroHedge)每日HackerNews

永远不要购买.online域名
Never Buy A .online Domain

原始链接: https://www.0xsid.com/blog/online-tld-is-pain

超过二十年来,作者一直坚持使用.com域名,但最近通过Namecheap的促销活动尝试了.online顶级域名。这看似简单的0.20美元购买很快变成了一场令人沮丧的经历。 设置几周后,该网站被谷歌标记为“不安全”,最终消失,显示“网站未找到”错误。调查显示,该域名已被注册商Radix置于“serverHold”状态,且未提前通知。问题源于Safe Browsing黑名单,但解决它却陷入了困境:谷歌要求通过DNS记录进行域名验证,但由于域名无法解析,这变得不可能。 尽管向谷歌和Radix提交了多次报告和请求,作者仍然无法摆脱困境,无法重新获得控制权。这次经历凸显了使用非.com顶级域名的风险,立即进行Google Search Console验证的重要性,以及即使对于简单的登陆页面,也需要监控正常运行时间。最终,作者失去了该域名,并重申了未来坚持使用.com的承诺。

## .online域名与谷歌的影响力 – Hacker News 总结 Hacker News 上的一场讨论围绕着用户在使用 .online 域名时遇到的问题,该域名因被 Google Safe Browsing 列入黑名单而被暂停。核心问题在于谷歌的标记机制很容易导致注册商暂停域名,而域名所有者几乎没有补救措施。 用户们对谷歌日益增长的影响力以及其黑名单机制缺乏透明度表示担忧。 许多评论者强调了申诉这些决定的难度,尤其是在失去 DNS 控制权之后。 建议在出现问题*之前*将域名添加到 Google Search Console,以便于申诉。 讨论还涉及更广泛的“劣质化”趋势,以及私募股权所有权对 Gandi 和 Namecheap 等域名注册商的影响。 一些人建议坚持使用 .com 域名,而另一些人则承认替代顶级域名 (TLD) 在特定用途上的价值。 最终,该帖子强调了人们对中心化控制日益增长的沮丧,以及域名系统中潜在的任意审查。
相关文章
原文

I’ve been a .com purist for over two decades of building. Once, I broke that rule and bought a .online TLD for a small project.This is the story of how it went up in flames.

Namecheap's Alluring Offer

Earlier this year, Namecheap was running a promo that let you choose one free .online or .site per account. I was working on a small product and thought, "hey, why not?" The app was a small browser, and the .online TLD just made sense in my head.

After a tiny $0.20 to cover ICANN fees, and hooking it up to Cloudflare and GitHub, I was up and running. Or so I thought.

The Disappearing Act

Poking around traffic data for an unrelated domain many weeks after the purchase, I noticed there were zero visitors to the site in the last 48 hours. Loading it up led to the dreaded, all red, full page "This is an unsafe site" notice. The site had a link to the App Store, some screenshots (no gore or violence or anything of that sort), and a few lines of text about the app, nothing else that could possibly cause this. [1]

Clicking through the disclaimers to load the actual site to check if it had been defaced, I was greeted with a "site not found" error. Uh oh.

Initial Recon

After checking that Cloudflare was still activated and the CF Worker was pointing to the domain, I went to the registrar first. Namecheap is not the picture of reliability, so it seemed like a good place to start. The domain showed up fine on my account with the right expiration date. The nameservers were correct and pointed to CF.

Perplexed, I ran a quick dig NS getwisp.online +short. Empty.

Maybe I had gotten it wrong, so I checked the WHOIS information online. Status: serverHold. Oh no...

Stuck in No-Man’s-Land

At this point, I double checked to make sure I hadn't received emails from the registry, registrar, host, or Google. Nada, nothing, zilch.

I emailed Namecheap to double check what was going on (even though it's a serverHold [2], not a clientHold [3]). They responded in a few minutes with:

Please be informed that the domain name has been placed on hold not by Namecheap but by the corresponding registry that operates all the domains of this TLD regardless of what registrar they are registered with. Commonly, this registry places domains on hold due to being involved in abusive operations. Unfortunately, the issue cannot be resolved from our end since this is not Namecheap who suspended the domain.

Cursing under my breath, as it confirms my worst fears, I promptly submitted a request to the abuse team at Radix, the registry in our case, who responded with:

The domain name getwisp.online has been suspended due to its blacklisting on Google Safe Browsing. To get the domain unsuspended, please follow the delisting instructions mentioned on the listing page. Once the domain is delisted, kindly update us and we shall proceed with the unsuspension request.

The Verification Catch-22

Right, let's get ourselves off the damned Safe Browsing blacklist, eh? How hard could it be?

Very much so, I've now come to learn. You need to verify the domain in Google Search Console to then ask for a review and get the flag removed. But how do you get verified? Add a DNS TXT or a CNAME record. How will it work if the domain will not resolve? It won't.

As the situation stands, the registry won't reactivate the domain unless Google removes the flag, and Google won't remove the flag unless I verify that I own the domain, which I physically can't.

I've tried reporting the false positive here, here and here, just in case it moves the needle.

I've also submitted a review request to the Safe Search team (totally different from Safe Browsing) in the hopes that it might trigger a re-review elsewhere. Instead I just get a No valid pages were submitted message from Google because nothing resolves on the domain.

As a last resort, I submitted a temporary release request to the registry so Google can review the site’s contents and, hopefully, remove the flag.

A Series of Unfortunate Events

I've made a few mistakes here that I definitely won't be making again.

  • Buying a weird TLD. .com is the gold standard. I'm never buying anything else again. Once bitten and all that.
  • Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
  • Not adding any uptime observability. This was just a landing page, and I wanted as few moving parts as possible.

Both Radix, the registry, and Google deserve special mention for their hair-trigger bans and painful removal processes, with no notifications or grace time to fix the issue. I'm not sure whether it's the weird TLD that's causing a potentially short fuse or whether I was brigaded earlier with reports. I'll never know.

Oh well, c'est la vie. Goodbye, $0.2.

Notes

[1] A mirror can be found here to verify the site contents.

[2] serverHold is set by the registry and is a royal pain to deal with. Usually means things are FUBAR.

[3] clientHold is set by the registrar and is mostly payment or billing related.

联系我们 contact @ memedata.com