How to Win at Drop-Catch
In this blog, our CEO James Stevens reveals the secrets of Drop-Catch. For the last ten years James was the CTO at the dot-IO Domain Registry. He was the primary software developer behind their RFC compliant Registry Systems, writing the registry system from scratch. He also designed the cloud hosting architecture, operating systems, networks and security systems to protect the registry and publish the DNS.
What is Drop-Catch
Domain names are bought on a subscription basis. This is usually measured in years and can start with either a premium or discounted price for the first year. After that you pay an annual renewal.
After a domain subscription expires, for a period of time, the registry will almost always hold the domain in the name of the original owner, giving the owner some grace period within which to pay for a new subscription – this is called the Redemption Grace Period (RGP).
The length of the RGP varies considerably between different registries, but is typically between 30 and 90 days. During some of this period the name may remain working normally (i.e. remain in the zone file) or it may be removed from the zone file the day it expires. Again, this will vary from by registry. At dot-IO we gave domain names 90 days grace, with the first 30 days working normally.
Once the RGP has expired the name is deleted from the registry database, or goes into an irreversible delete procedure – the action of deleting from the database the name is called being “dropped”. Once the name is dropped it has effectively been returned to the open market where anybody can buy it. At this point, if the original owner decides they still want it, they will have to compete with everybody else to buy it back on the open market.
Be careful when buying
During the RGP, as far as the registry is concerned, the name usually remains the property of the original owner – however, this may depend on who the owner bought it through.
When buying from a registrar you really should take the time to read their terms of service. At dot-IO we used to sell domains both direct to the public, through what we called our “retail” interface, as well as through registrars like GoDaddy or NameCheap. Registrars like these would offer a large discount over the retail price we sold names at. However, in exchange for this discount you will have to accept their terms of service.
We tried to give people the same terms of service no matter which way they bought (retail or registrar), but when you buy through a registrar you are, additionally, agreeing to their terms of service as well as those of the registry.
The most common problem arose with expired names – names in RGP. Some registrars would charge a premium to renew a domain that had expired. This could be because they would also have to restore account data (e.g. mailboxes, websites etc) that had been automatically archived the moment the domain expired.
Other registrars had it written into their terms of service that, if the name was ever allowed to expire it would immediately stopped belonging to the original owner. At this point it would often become the property of the registrar, for the duration of the RGP – which could be up to 90 days. This then gives the registrar the opportunity to sell it through an in-house secondary market or auction service.
How does drop-catch actually work?
What a drop-catch service does is try and predict when a specific name's drop event is going to occur and be the first to buy the name as soon as it drops. At dot-IO, by far the best drop-catch operator we worked with was Park.IO.
Without fail, they would catch a name within a second or two of it dropping. Often people complained that the registry must be colluding with Park.IO, to let them get the best names as they dropped, but this was not the case. They had simply invested sufficient time and money in their drop-catch software, and into researching exactly when a specific name was going to drop – information the registry had made public to anybody.
Clearly with this kind of ruthless efficiency, somebody staying up late, waiting for the drop event, in the hopes of registering the name by hand, simply would not stand a chance of getting it.
The two things you need to catch a dropping name is (1) To know when it going to drop and (2) have a EPP interface to the registry, so you can be the first to catch it. Trying to catch a name by hand, for example using a WebUI, is only going to work if you aren't up against any competition.
The EPP Software
EPP is the protocol that registrars use to buy & maintain domains electronically with the registry. Collecting email uses IMAP or POP3, sending email uses SMTP and domain name maintenance uses EPP.
EPP is described in RFCs 5730/5731/5731/5733 & 5910 – all you need to do is read these documents and you can write your own EPP client to buy & sell domains directly with the registry.
However, others have already done this and there are a number of open source EPP client packages available – Google “epp client software” to find a few. Probably the most well know is those published by the registry operator CentralNIC.
Catching the Drop
Predicting the exact moment a name drops is going to be nearly impossible - even for the registry itself. The task of releasing the names at the end of their RGP is almost certainly completely automated. So even if armed with a list of the names that are going to drop, and the time the drop-batch runs, predicting the exact time any one particular name drops is simply not possible.
So the answer is brute-force. You pick a time as close to the drop as you can and start firing off as many [domain:create] requests (an EPP “buy a domain” request) as you can.
To begin with you will be returned an error telling you the domain already exists, usually error 2302 “Object exists”. However, the first domain:create you send after the name has been dropped will work and you should get a positive return code, say 1000 “Command completed successfully”.
If you are unlucky, and another drop-catch operator is going after the same name, they may get there first, and you will only ever get 2302 error codes returned.
Problems with this technique
One of the problems this technique gives is that registries will often throttle the rate at which you are allowed to send EPP requests. They don't want one irresponsible registrar overloading their servers and bringing all their systems down.
At dot-IO we used to throttle each session to 300 requests per minute. A timer would be started as soon as a request was received, then once the request had been answered we would introduce a deliberate delay before accepting the next request. This meant, on a relative idle session, we would still respond immediately to requests, but on a session that continuously fired hundreds of requests at us we would drag our feet a little.
Some registrars try to get round these sorts of restrictions by registering multiple registrar accounts with the same registry. The most closely fought over domain are, of course, dot-COM. DropCatch.com has been one of the most aggressive operators using this technique. In October 2015 it added 300 more registrars, bringing its total to over 750.
The more domain:create request they can fire at the registry around the time of the drop, the more likely they are to catch the name. Its a pure numbers game.
Assuming DropCatch.com’s registrars don’t qualify for discounted fees, it comes out to a staggering $6 million per year just in ICANN fees – and that's before you start adding in the cost of servers, bandwidth, staff and premises.
Is there an Alternative?
One alternative that some registries have offered is what have been called domain-backorders or domain-futures. Until Afilias took over the running of the back-end, dot-IO used to sell back-orders.
The dot-IO back-orders would last two years and put you first in the queue to receive the domain, if it would have otherwise returned to the open market. One of the reasons for offering back-orders was to level the playing field between the retail customers and the drop-catch operators. A retail customer, who was only interested in one domain, couldn't afford to invest all the time & effort in a drop-catch operation. Ironically, it was Park.IO that was the most prolific buyer of back-orders.
Now Afilias run the back-end, back-orders have been discontinued.
Why back-orders have never really become more popular with registries is not clear. It may be because the ICANN controlled gTLD registries are not allowed to offer them.
So the other registries may feel there was insufficient technical understanding of them leading to high support costs. They certainly created more support issues at dot-IO than simple domain sales, by quite a long way – but no so much that they wouldn't have been worth keeping.