Background

My website is on .co.nz. And so is my email. I want good security for my domain registration, because hacking domains allows you to intercept email, and intercepting email allows resetting passwords on other services.

A minimum bar for "good security" in 2020 is two-factor-authentication support, or 2FA. However, it seems relatively few .nz domain registrars offer this. This post summarizes my research into which registrars do.

Finding Registrars

Domain registration in NZ is handled by the Domain Name Comission (DNC). DNC lists all the authorised NZ registrars. Other websites can sell .nz domains, but are resellers.

DNC's wholesale price is 15NZD/year, so you won't see prices lower than that.

Whois Privacy

I'd like whois privacy. It's been available for NZ domains since 2018.

  • The Individual Registrant Privacy Option (IRPO) is for individual registrants that are not using the domain name for significant trade.

All NZ registrars are required to provide this, but most international registrars go through resellers and don't support whois privacy. So I want an official NZ registrar that the DNC deals with directly.

Research

I went through the registrars listed, and a few big international ones. I'm looking for ones that fill me with confidence - 2FA and preferably big enough to invest in a security team. I've (a bit harshly) ruled out a lot of sites that don't inspire confidence, through being small, having bad web design. These businesses are probably fine, but I'm explicitly prioritising security and confidence.

NameAuthorised nz Registrar?.nz Domains?2FA?co.nz Price/YearPricing URL2FA URLComment
1stDomainsYesYesNo25.50 NZDhttps://1stdomains.nz/register/I've filed a feature request, they don't have itI used to use 1stdomains for their low prices.Just ridiculous that they don't have 2FA in 2020. UI hasn't updated in ~10 years, which doesn't inspire confidence that they have an empowered dev/security team.
GandiYesYesYes34.73 AUD (~22 USD)https://www.gandi.net/en-AU/domain/tld/nzhttps://docs.gandi.net/en/account_management/security/totp.htmlHuge international player. More confident in their security. More expensive
MetanameYesYesYes25 NZD + GST(?)https://metaname.net/my/pricinghttps://metaname.net/public/two_factor_authenticationUI is quite bad. Registering with their UI is a pain. I ran into bugs in uploading zones, had to email them, they manually fixed my data but AFAICT didn't fix the underlying issue. Not confidence inspiring
GoDaddyNoYesYes34.95 AUDhttps://nz.godaddy.com/domainsearch/find?checkAvail=1&tmskey=&domainToCheck=asdfasdf.co.nzhttps://au.godaddy.com/help/enable-two-step-verification-7502Probably OK security, but they're a reseller, so probably don't support whois privacy.
Google DomainsNoYesYes28 AUDhttps://support.google.com/domains/answer/6010092?hl=en&ref_topic=3314003https://www.google.com.au/landing/2step/Probably great security, but they're a reseller, so don't support whois privacy. Google Domains now actually allows you to buy with a billing address in Australia (you used to have to fake it to the USA): https://support.google.com/domains/answer/4639612?hl=en. But not New Zealand billing addresses. Wild.
namecheap.comNoNoYesDoesn't support .nzhttps://www.namecheap.com/domains/registration/results/?domain=asdasdf.co.nzhttps://www.namecheap.com/security/2fa-two-factor-authentication/Doesn't support .nz
AWSNoYesYes24 USD = 36 AUDhttps://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.htmlhttps://help.hover.com/hc/en-us/articles/217282267-How-to-Enable-two-step-sign-in-on-your-Hover-accountProbably great security, but they're a reseller, so probably won't support whois privacy.
Hover.comNoYesYes24.99 USDhttps://www.hover.com/domains/results?utf8=%E2%9C%93&q=asdfasdf.co.nzhttps://help.hover.com/hc/en-us/articles/217282267-How-to-Enable-two-step-sign-in-on-your-Hover-accountLot of podcasts talking about Hover! But they go through resellers for .nz domains
iwantmyname.comYesYesYes24.90 AUDhttps://iwantmyname.com/?domain=asdfasdf.co.nzhttps://iwantmyname.com/blog/2015/06/getting-started-with-iwantmynameTheir support page is broken. Everything redirects to https://iwantmyname.com/support/faq Reddit says they're NZ based and have 2FA: https://www.reddit.com/r/newzealand/comments/761wge/good_domain_registrar/doc7lxf/. 2FA is by authy.
name.comYesYesYes35.99 USDhttps://www.name.com/domain/search/asdfasdf.co.nzhttps://www.name.com/two-step-verificationPretty expensive
register.comYesYesNo75.00 USD!Had to put it in cart, couldn't find a pricing pageCan't find any 2FA info.Wildly expensive
instra.comYesYesNoUnknownNeed to sign up to see pricingCan't find any 2FA info.No pricing transparency, no thanks
publicdomainregistry.comYesYesNo$10 (must be USD)Wholesale onlyCan't find any 2FA info. Moot anywayThey're a wholesaler only, don't offer retail domains.
Free Parking NZYesYesYes47.95 NZDhttps://secure.freeparking.co.nz/order/index/D/fpD/?domain=asdfasdf.co.nzhttps://www.freeparking.co.nz/two-factor-authenticationQuite pricey. But good to see them supporting Google Authenticator
ai.net.nzYesYesNo36 NZDhttps://www.ai.net.nz/domain-namesCan't find any 2FA info
voyager.net.nzYesYesNoN/AThey just redirect to 1stdomains: https://voyager.nz/business/domainsCan't find any 2FA infoThey just redirect to 1stdomains
openhost.net.nzYesYesNo39.95 NZDhttps://openhost.net.nz/store/index.php?NAME_PATH=DOMAINS_PATH&SCREEN=DOMAINSEXTENSION_SCREEN&dialog=newListsCan't find any 2FA info.
inspire.net.nzYesYesNo45 NZDhttps://www.inspire.net.nz/services/domains.htmlCan't find any 2FA info.
godomains.co.nzYesYesNo24.99 NZDhttp://www.godomains.co.nz/domain-names/search/?domain=asdfasdf.co.nzCan't find any 2FA info.Their header logo 404s. Doesn't inspire confidence. I emailed them on their contact email and got "Your message wasn't delivered to contact@godomains.co.nz because the domain godomains.co.nz couldn't be found. Check for typos or unnecessary spaces and try again."
tppinternet.co.nzYesYesNoCan't find any 2FA infoTheir site doesn't load
nownz.co.nzYesYesNoCan't find a pricing pageCan't find any 2FA info
ourschool.co.nzYesYesNoCan't find any 2FA infoFocussed on schools
websitebuilder.nzYesYesNoCan't find any 2FA info
crazydomains.co.nzYesYesYes31 NZDhttps://www.crazydomains.co.nz/domain-names/search/?token=001d1df9de0e618df713cb113e454bff&domain=asdfasdf.co.nzhttps://www.crazydomains.co.nz/help/how-to-enable-or-disable-two-step-verification-system/Doc search is broken, had to hack the URL on the Australian site to get it to show me the .co.nz 2FA stuff. Doesn't inspire confidence.
domains4less.co.nzYesYesNo24.95 NZDhttps://secure.domains4less.co.nz/order/index/D/d4lD/?domain=asdfasdf.co.nzCan't find any 2FA info
sitename.co.nzYesYesNo29 NZD + GSThttps://www.sitename.co.nz/registerCan't find any 2FA info
webconnect.nzYesYesNo32 NZDhttps://www.webconnect.nz/cart.php?a=add&domain=registerCan't find any 2FA infoRegional provider for Hawke's Bay
iserve.nzYesYesNo20 NZD + GSThttps://iserve.nz/Can't find any 2FA infoOwned by VOCUS. Site looks lo-fi.
netvalue.nzYesYesNo50 NZDhttps://www.netvalue.nz/domain-name-pricingCan't find any 2FA infoHamilton. Open source consultants. Doing domains on the side
www.godzone.net.nzYesYesNo24 NZDhttps://www.godzone.net.nz/Can't find any 2FA infowow this is a really old website design
domainagent.co.nzYesYesNowholesale onlyhttp://www.domainagent.co.nz/Can't find any 2FA infowholesale only
webaddress.co.nzYesYesNowholesale onlyhttp://www.webaddress.co.nz/Can't find any 2FA infowholesale only

Edit, June 2020: I missed https://www.onlydomains.com/, who have two-factor-auth, and sell worldwide (so might have the economy of scale to have a good security team) and are based out of Hawkes Bay!

Conclusion

I think I'll go with Gandi. They're a huge international operator with a long history and a big enough dev team to support an API, they probably also

Runner-up prize would go to Metaname. They were the first in NZ to do 2FA (as early as 2013!), and I tried their site, but it was very lo-fi, hard to use, and I found a few bugs, particularly with importing zones, and when I emailed them about this, I got good support (in that they reached into my domain and fixed the problem) but they didn't fix the underlying bug that caused me to get into a bad state in the first place. I don't want to have to contact them every time I get into a bad state. Sorry Metaname!

A lot of people recommend iwantmyname.co.nz as a NZ-based operator that's clued up, but their support pages are currently all broken, all redirecting to the same blog post from 2014, and that doesn't inspire confidence.

crazydomains.co.nz has reasonable prices, but their site search is broken, which doesn't inspire confidence. And they're part of an international outfit (crazydomains.com.au looks exactly the same) which increases the chance that they'll be big enough to support a security team.

freeparking.co.nz is probably fine but is quite expensive.

It's a real shame, but I think operators that only serve the NZ market are unlikely to have enough economy of scale to support a security team. There would be ways around this — contracting with some of the excellent security companies in NZ might be an alternative?

Prior Art

Comments

Discuss this post on: