Sunday 23rd December 2018
This week I transferred all of my domain names to the brand new Cloudflare Registrar. I took screenshots throughout the process and have documented them here for anybody else who has not yet done the transfer, and wants to know what to expect before diving in.
The Cloudflare Registrar product page at: https://www.cloudflare.com/products/registrar/
In my case, I did a bulk transfer of all of my domains except for the most important one at first, then once I could see that everything was going through properly, I transferred jamieweb.net as well.
In order to transfer domain names to Cloudflare, they must already be activated in your Cloudflare account and have their name servers pointing to Cloudflare. Once you have transferred your domain names in, you cannot use external name servers - you are locked to using Cloudflare's own.
After clicking onto the domain registration area of your Cloudflare dashboard, you will be immediately prompted to verify your email address. Your email address is probably already verified for your Cloudflare account, but this extra verification is required in order to be compliant with the ICANN regulations.
Cloudflare Registrar prompting me to verify my email address.
Even though my Cloudflare account email address is different to the one used on WHOIS, the verification was still required.
This sent an email to the address with a link to verify the address. I really dislike it when you are required you visit untrusted links in emails in order to verify things or perform actions. I personally would really like to see more websites that send verification codes that you can easily copy and paste or type in, rather than links. If the code is the right length then this also wouldn't be a problem for users who open the email on a different device to where the verification is required.
I forwarded the email to a disposable sandbox machine where I could safely click the link in order to verify the email address. I clicked the link...
Cloudflare prompting me to log in with my username and password in order to verify my email address.
Unfortunately it required me to log in with my username and password in order to verify the email address. It's poor security practice to provide credentials after clicking a link, especially to Cloudflare which is probably one of the most important accounts people own. Maybe it was a strange ICANN rule requiring the log in?
I contacted Cloudflare support to raise my concerns over this and ask whether it could be changed to not require logging in. They responded promptly saying that they had asked the relevant team if this could be changed, which is a positive and security-first response.
In order to get around this limitation temporarily, I signed into Cloudflare using an incognito tab, then copied the path and query string from the verification URL and added them to the pre-filled Cloudflare scheme, host and domain name from my bookmark. The result of this is that when visiting the link, the network location is not untrusted, which greatly reduces the risk of the untrusted link.
Cloudflare indicating that my email address is now verified.
Next, you need to add a payment method if you haven't already, which is easy enough.
Cloudflare prompting me to add a payment method to continue.
Once a payment method has been added if required, you can proceed to select the domains you wish to transfer.
The domain name selection screen for choosing which domain names to transfer to Cloudflare.
Once you have confirmed your selection, an instructions screen is presented.
The domain name transfer instructions screen.
In my case, I logged in to Hover (my previous registrar) and disabled the domain transfer lock.
The Hover dashboard for jamieweb.net.
Disabling transfer lock for jamieweb.net in the Hover dashboard.
Once you have disabled transfer lock, you can request or generate a transfer authorization code for your domain, then enter it into Cloudflare.
Entering the transfer authorization code into Cloudflare.
Once the authorization code has been accepted, you can set the domain name contact information that will be used in WHOIS.
Entering the desired WHOIS contact information for jamieweb.net.
Finally, you can finalize and accept the transfer.
The final transfer confirmation button.
The final confirmation screen.
Once the transfer is underway, the domain name status box in your domain settings on Cloudflare will show that the transfer approval is pending.
The domain name status box showing that the transfer approval is pending.
The transfer may take a few days to go through. In my own case, transferring from Hover took around 5 days. Once the transfer is complete, you will receive an email and the domain name status box will show it as well.
The domain name status box showing that the domain name registration is now on Cloudflare.
The transfer process was extremely straightforward and free of complications. Once I had started the transfer I just let it do it's thing, and I was confident that the transfer would go through without any problems. DNSSEC continued to work after the transfer too, without requiring me to manually update the records.
I've done domain transfers in the past between other registrars, and often it can be a long and convoluted process involving transfer fees and verification pages that look like phishing websites. This was definitely not the case when transferring between Hover and Cloudflare.
The restrictions of Cloudflare Registrar are important to note though, such as the fact that you cannot use custom name servers for your domain. I guess that Cloudflare are hoping that you will pay for some of their other services in return for offering the domain names with no markup at wholesale prices.
I am very happy with Cloudflare Registrar so far, and I will be continuing to use it for my domain names in the future. I also look forward to trying any new features that the service has to offer.