Whois redaction/privacy and ccTLD's

For this post, I will specify .uk domains, but I’m sure it probably apply for other european ccTLD’s as well, and probably most other ccTLD’s.

(most) ccTLD’s do not fall under ICANN rules; however Cloudflare registrar documentation seems to suggest they apply ICANN rules to all TLD’s they offer.

This is a problem for a few reasons that I can think of;

  • for .uk domains there is no 60 day transfer lock. Domains can be transfered immediately after registration and even during expiry.

  • for .uk domains, privacy for personal registrations is standard and is opt-out. Cloudflare actually reduce privacy on this ccTLD by exposing the registrants county and country in their own whois.

Also, there is a non-ICANN issue that is probably quite annoying; an arbitrary 10 day period of registration that must be left on the domain before transfer in to Cloudflare. As mentioned before, .uk domains can be transferred immediately and at any point during registration, including expiry.

As someone with a large domain portfolio, it’s not unusual for me to transfer domains much closer to the expiry date, for various reasons.

So, my feature request is:

  • That Cloudflare do not apply ICANN rules in respect to privacy (kind of urgent, imho) to these ccTLD’s;
  • And to be more flexible with regards to this 10 day period of registration requirement.


This is not correct. ICANN as an organization, has control over and responsibility for all domain names.

Per RFC 7020,

The Internet Registry (IR) hierarchy was established to provide for
the allocation of IP addresses and AS numbers with consideration to
the above goals. This hierarchy is rooted in the Internet Assigned
Numbers Authority (IANA) address allocation function, which serves a
set of “Regional Internet Registries” (RIRs); the RIRs then serve a
set of “Local Internet Registries” (LIRs) and other customers. LIRs
in turn serve their respective number resource consumers (which may
be themselves, their customers, “sub-LIRs”, etc.)

The Internet Assigned Numbers Authority (IANA) is a role, not an organization. For the Internet Numbers Registry System, the IANA role manages the top of the IP address and AS number allocation hierarchies. The Internet Corporation for Assigned Names and Numbers (ICANN) currently fulfills the IANA role in accordance with the IETF-ICANN “Memorandum of Understanding Concerning Technical Work of the Internet Assigned Numbers Authority”, which was signed and ratified in March 2000 [RFC2860].

Per the wiki article on IANA (Internet Assigned Numbers Authority - Wikipedia), IANA controls the DNS root zone, which all DNS recursive resolvers use as part of recursive DNS queries.

The Internet Assigned Numbers Authority ( IANA ) is a standards organization that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and Internet numbers .,

You probably want to read up on root name servers, DNS Server types and fully understand the output of dig +trace bbc.co.uk.


yes it has overall control, but that does not mean that ccTLD’s follow ICANN’s rules. .uk domains do not. For the threads sake, lets keep this in the context of domain registrations.

See the footnote on icann.org: What Does ICANN Do? - ICANN

* There is an important exception to this in the form of “country code top-level domains” (ccTLDs) such as .de for Germany or .uk for the United Kingdom. There are over 250 ccTLDs, some of which have a contract with ICANN; others of which have signed working agreements with ICANN; and some of which have yet to enter any formal agreement with ICANN. ICANN however does carry out what is known as the “IANA function” in which every ccTLD’s main address is listed so the rest of the Internet can find it. ICANN is also in the position where it can add new TLDs to the wider system, as it did in 2000 and 2004 when seven and six new TLDs respectively were “added to the root”.

Also, at : https://www.icann.org/resources/pages/faqs-2014-01-21-en

Two letter domains, such as .uk, .de and .jp (for example), are called country code top-level domains (ccTLDs) and correspond to a country, territory, or other geographic location. The rules and policies for registering ccTLDs vary significantly and a number of ccTLDs are reserved for use by citizens of the corresponding country.

Some ICANN-accredited registrars provide registration services in the ccTLDs, however, ICANN does not accredit registrars or set registration policies for ccTLDs. For details about ccTLD registration policies, you should contact the designated country code manager.

Each country-code top-level domain (ccTLD) is operated by an independent registry operator that sets policies to govern the registration and use of that particular ccTLD. Consequently, each ccTLD and its domain names is governed by a unique set of policies.

So, from https://developers.cloudflare.com/registrar/faq

ICANN requires that any transfer also extends the expiration date of your domain by at least one year — that is one year from your current expiration date, not one year from the date of transfer.

This is not the case for .uk domains. Further down in the document this is addressed, but it should be that the wording is changed to somethng like “ICANN requires that any transfer of gTLDs and some ccTLD’s also extends the expiration date of your domain”

ICANN prohibits domain transfers within 60 days of a change to the WHOIS data or registrar of a domain. If you modified your contact information, transferred registrars, or registered your domain in the last 60 days, Cloudflare will be unable to process your transfer immediately.

Yes, ICANN does prohibit, however this does not apply to .uk domains. There is no limitation to changes in this regard. The wording should be changed to something like "ICANN prohibits domain transfers within 60 days of a change to the WHOIS data or registrar of a gTLD and some ccTLD domains. (with more detail).

As well as documentation changes, there should also be logic changes during the transfer/registration process. Including the Cloudflare whois DB - I do not believe that the county and country of a registrant should be exposed, for reasons cited above.

Thanks for fixing this Cloudflare!

Sadly, this issue has returned - The Cloudflare whois DB is again showing registrant county and country for .uk domains. Why does Cloudflare even maintain a whois database for .uk domains when nominet itself maintains it, importantly, following their own rules regarding privacy.

Additionally, I’ve noticed that .uk domains cannot be transferred away from couldflare for 60 days, citing ICANN rules. However, .uk domains are not governed by ICANN and nominet does not place any restriction on transferring .uk domains. Meaning, at the other registrars I use, i can transfer a .uk domain away immediate after registration if I choose.

I recently registered a .UK domain with CF. In the CF dashboard, my domain’s WHOIS “Public Record” shows the State and Country. (Also, on a side note, the “Registry Domain ID“ is blank and the “DNSSEC:” shows as unsigned; but it is signed).

If I use CF’s RDAP/WHOIS query, the State and Country are redacted (although the Registry ID is present, and DNSSEC shows as “signedDelegation”).

A public (non-CF) WHOIS shows the fully redacted info for my domain from the Nominet Registry (along with DNSSEC correctly showing as “signed”).

It would interesting to learn more about these variances.