Introduction

Domain locking is a security feature that prevents unauthorized changes to your domain registration, including DNS nameserver updates, domain transfers, and contact modifications. When a domain is locked, attempts to change nameservers or other registration data fail at the registrar level - your DNS zone may have correct records, but the registrar won't accept the update. Understanding lock types and how to safely remove them is essential for DNS administration.

Symptoms

  • Nameserver update rejected by registrar
  • "Domain is locked" error in registrar control panel
  • Cannot change DNS settings despite correct zone configuration
  • Domain transfer attempts blocked
  • Registrar shows domain status codes indicating locks
  • DNS updates pending indefinitely at registrar
  • TLD servers still show old nameservers

Common Causes

  • ClientHold or ClientTransferProhibited status codes
  • Registrar-level domain lock enabled
  • Domain in transfer process (pending status)
  • Expired domain with registrar lock
  • Fraud or dispute lock applied
  • Registrar verification requirements not met
  • Domain registered with special restrictions (some TLDs)

Step-by-Step Fix

  1. Check domain status codes using WHOIS.

```bash
# Query WHOIS for domain status:
whois example.com | grep -i "status"

# Or use:
whois example.com | grep -E "Status|status"

# Common status codes:
# clientTransferProhibited - Cannot transfer domain
# clientUpdateProhibited - Cannot update registration info
# clientDeleteProhibited - Cannot delete domain
# clientHold - Domain disabled (DNS doesn't work)
# serverTransferProhibited - Registry-level lock
# serverUpdateProhibited - Registry-level update block
# serverHold - Registry-level hold

# Detailed WHOIS for .com/.net domains:
whois -h whois.verisign-grs.com example.com

# For .org:
whois -h whois.pir.org example.org

# Check DNS still works despite lock:
dig example.com A +short
# clientTransferProhibited doesn't affect DNS
# But clientHold disables DNS
```

  2. Identify which lock is preventing your specific change.

```bash
# Different locks block different operations:

# clientTransferProhibited:
# - Blocks domain transfer to another registrar
# - Does NOT block nameserver changes
# - DNS updates work normally

# clientUpdateProhibited:
# - Blocks ALL registration updates including nameservers
# - DNS changes blocked at registrar level
# - Zone file changes don't propagate

# clientHold:
# - Domain is completely disabled
# - DNS queries return NXDOMAIN at TLD
# - All services stop working

# clientDeleteProhibited:
# - Blocks domain deletion
# - Other changes may still work

# server* locks:
# - Registry-level, usually require special handling
# - Often legal/regulatory holds

# Check what you're trying to do vs what's blocked:
whois example.com | grep -i status
```

  3. Check registrar control panel for lock settings.

```bash
# Most registrars have lock toggle in control panel:

# Common registrar locations:
# GoDaddy: Domain Settings -> Domain Lock
# Namecheap: Domain List -> Manage -> Registrar Lock
# Google Domains: Registration -> Security -> Domain lock
# Cloudflare Registrar: Domain Overview -> Lock Status
# AWS Route 53 Domains: Domain details -> Security options

# Look for settings like:
# - "Domain Lock"
# - "Registrar Lock"
# - "Transfer Lock"
# - "Lock/Unlock Domain"

# Some registrars require:
# - Authentication (2FA)
# - Verification email
# - Support ticket for certain locks
```

  4. Verify domain is not expired or in grace period.

```bash
# Check expiration date:
whois example.com | grep -E "Expiration|Expiry|Registrar Registration Expiration"

# Common expiry-related states:
# - Expired: Domain past expiration, DNS may stop
# - Redemption Grace Period: Expired but recoverable (extra fee)
# - Pending Delete: About to be deleted

# If expired:
# 1. Renew domain immediately
# 2. Wait for renewal to process
# 3. Locks may be removed after renewal

# Check registrar for renewal:
# Log into registrar -> Domain details -> Renewal status

# After renewal, DNS changes may still be blocked until:
# - Payment processed
# - Grace period ends
# - Domain fully restored
```

  5. Remove domain lock through registrar controls.

```bash
# Unlock domain at registrar:

# GoDaddy:
# 1. Log into GoDaddy
# 2. My Products -> Domains
# 3. Click domain -> Domain Settings
# 4. Domain Lock -> OFF
# 5. Save changes

# Namecheap:
# 1. Log into Namecheap
# 2. Domain List -> Manage
# 3. Registrar Lock -> Unlock
# 4. Confirm

# Google Domains:
# 1. Log into Google Domains
# 2. Click domain
# 3. Registration -> Security
# 4. Domain lock -> Turn off

# AWS Route 53:
# 1. Route 53 Console -> Domain registration
# 2. Domain details -> Security options
# 3. Domain lock -> Unlock

# After unlock, verify status changed:
whois example.com | grep -i status
# clientTransferProhibited should be removed

# Wait 15-30 minutes for WHOIS to update
```

  6. Handle server-level locks (registry locks).

```bash
# server* locks are registry-level, not registrar-level

# Check for server-level locks:
whois example.com | grep server

# serverTransferProhibited
# serverUpdateProhibited
# serverHold
# serverDeleteProhibited

# These require:
# - Contacting registrar support
# - Registrar contacts registry
# - Special verification process

# Reasons for server-level locks:
# - Legal disputes (UDRP proceedings)
# - Court orders
# - Fraud investigation
# - Registry policy violation
# - Government requests

# Resolution:
# 1. Contact registrar support
# 2. Provide requested verification
# 3. If legal dispute, resolve through appropriate channel
# 4. Registrar requests registry to remove lock

# This can take days to weeks
```

  7. Check for pending transfer status.

```bash
# If domain transfer in progress, changes are blocked

# Check transfer status:
whois example.com | grep -i pending

# pendingTransfer - Transfer initiated
# pendingDelete - About to be deleted
# pendingRenew - Renewal processing
# pendingUpdate - Update processing

# If pendingTransfer:
# - Domain transfer to another registrar started
# - Both registrars may block changes
# - Wait for transfer to complete or cancel

# Cancel transfer (at losing registrar):
# Log in -> Domain transfers -> Cancel outgoing transfer

# Or wait for transfer to complete (5-7 days typically)

# During transfer:
# - Nameservers stay as they were
# - DNS continues to work
# - Zone file changes at old registrar may be blocked
```

  8. Verify contact and ownership information.

```bash
# Some registrars require verified contact info for changes

# Check contact verification status:
# Registrar control panel -> Domain details -> Contact info

# Common requirements:
# - Email verification (click link in email)
# - Phone verification (enter code)
# - Identity verification (upload documents)

# If verification pending:
# - Complete verification process
# - Check registrar emails for verification links
# - Some registrars send renewal/verification reminders

# Check WHOIS for contact status:
whois example.com | grep -E "Registrant|Admin|Tech"

# If contacts incomplete or flagged:
# Update contact information at registrar
# Complete verification process
```

  9. Update nameservers after lock is removed.

```bash
# Once domain unlocked, update nameservers:

# At registrar control panel:
# Domain Settings -> Nameservers/DNS
# Update to your DNS provider's nameservers

# Example nameservers by provider:
# Cloudflare: lara.ns.cloudflare.com, bob.ns.cloudflare.com
# AWS Route 53: ns-123.awsdns-12.com, ns-456.awsdns-45.net
# Google Cloud: ns-cloud-a1.googledomains.com, ns-cloud-a2.googledomains.com
# Azure: ns1-01.azure-dns.com, ns2-01.azure-dns.net

# After update:
# 1. Verify registrar accepted change
# 2. Check TLD servers for new delegation.
#    The TLD server answers with a referral, so the NS records are in the
#    AUTHORITY section, which +short does not print:
dig @a.gtld-servers.net example.com NS +norec +noall +authority

# TLD update may take 15-60 minutes for .com/.net
# Longer for some other TLDs

# Monitor propagation:
while true; do
  ns=$(dig @a.gtld-servers.net example.com NS +norec +noall +authority | awk '$4 == "NS" {print $5}' | head -1)
  echo "$(date): $ns"
  sleep 60
done
```

  10. Re-enable locks after changes complete.

```bash
# Best practice: Keep domain locked except during changes

# Re-enable lock at registrar:
# Domain Settings -> Domain Lock -> ON

# Verify lock is active:
whois example.com | grep -i "clientTransferProhibited"

# Benefits of keeping locked:
# - Prevents unauthorized transfers
# - Blocks hijacking attempts
# - Protects against accidental changes

# Only unlock when needed:
# - Changing nameservers
# - Transferring to new registrar
# - Updating contact information

# Lock again immediately after change completes
```

Verification

Complete domain lock verification:

```bash
# 1. Check all status codes
echo "=== Domain Status Codes ==="
whois example.com | grep -E "Status|status"

# 2. Verify locks removed as needed
echo -e "\n=== Expected Status ==="
# For normal operation: clientTransferProhibited (optional security)
# For DNS changes: NO clientUpdateProhibited
# For domain to work: NO clientHold or serverHold

# 3. Test DNS resolution
echo -e "\n=== DNS Resolution ==="
dig example.com A +short
dig example.com NS +short

# 4. Check TLD delegation
# (the TLD server returns a referral: read the AUTHORITY section, +short prints nothing)
echo -e "\n=== TLD Delegation ==="
dig @a.gtld-servers.net example.com NS +norec +noall +authority

# 5. Verify registrar settings
echo -e "\n=== Registrar Check ==="
# Log into registrar and verify:
# - Lock status shows unlocked (if making changes)
# - Nameservers are correct
# - Contact info verified
# - Domain not expired

# 6. Monitor for changes
echo -e "\n=== Post-Change Monitoring ==="
# After nameserver update, monitor TLD:
watch -n 60 "dig @a.gtld-servers.net example.com NS +norec +noall +authority"
```
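
The TLD delegation check from the verification steps, as an added example (not part of the original page): it parses the referral a TLD server returns and compares the nameservers with the set you meant to configure, so a change made while the domain was unlocked shows up as a mismatch. The hostnames, the sample referral and the function names are constructed for illustration; the input is assumed to come from `dig @a.gtld-servers.net example.com NS +norec +noall +authority`.

```bash
#!/usr/bin/env bash
# Added example: compare the TLD referral for a domain with the nameservers
# you intended to set. All hostnames below are constructed placeholders.

EXPECTED_NS='ns1.example.net
ns2.example.net'
# Constructed authority-section output from the TLD server (not real data).
SAMPLE_REFERRAL='example.com. 172800 IN NS NS1.Example.NET.
example.com. 172800 IN NS ns9.unknown.example.'

# referral_ns: dig authority-section lines on stdin -> NS targets,
# lowercased, trailing dot removed, sorted and de-duplicated.
referral_ns() {
  awk '$4 == "NS" { print tolower($5) }' | sed 's/\.$//' | sort -u
}

# normalize_list: the same normalization for a plain list of hostnames.
normalize_list() {
  tr '[:upper:]' '[:lower:]' | sed -e 's/[[:space:]]//g' -e 's/\.$//' -e '/^$/d' | sort -u
}

# not_in LIST: print the stdin lines that are absent from LIST (space-separated).
not_in() {
  while read -r name; do
    [ -n "$name" ] || continue
    printf '%s\n' "$1" | grep -Fxq -- "$name" || printf '%s ' "$name"
  done
}

# check_delegation EXPECTED REFERRAL_TEXT
# Prints MATCH (returns 0) or MISMATCH with both differences (returns 1).
# An empty referral (for example under clientHold) reports every name missing.
check_delegation() {
  expected=$(printf '%s\n' "$1" | normalize_list)
  observed=$(printf '%s\n' "$2" | referral_ns)
  missing=$(printf '%s\n' "$expected" | not_in "$observed")
  unexpected=$(printf '%s\n' "$observed" | not_in "$expected")
  if [ -z "$missing" ] && [ -z "$unexpected" ]; then
    echo "MATCH"
    return 0
  fi
  echo "MISMATCH missing=[${missing% }] unexpected=[${unexpected% }]"
  return 1
}

check_delegation "$EXPECTED_NS" "$SAMPLE_REFERRAL" || true
```

Run it once before unlocking and again after re-locking; an `unexpected` entry after the change window is the case to escalate to the registrar.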

Domain Status Code Reference

```text
# Client-level (registrar) status codes:
clientTransferProhibited   # Safe to keep, prevents transfer
clientUpdateProhibited     # Remove for nameserver/contact changes
clientDeleteProhibited     # Prevents accidental deletion
clientHold                 # REMOVE - stops DNS working

# Server-level (registry) status codes:
serverTransferProhibited   # Registry lock, contact support
serverUpdateProhibited     # Registry lock, contact support
serverDeleteProhibited     # Registry lock, contact support
serverHold                 # REMOVE - stops DNS working

# Pending statuses:
pendingTransfer            # Transfer in progress
pendingDelete              # About to be deleted
pendingRenew               # Renewal processing
pendingUpdate              # Update processing

# Other statuses:
ok                         # Normal, unlocked state
inactive                   # No nameservers set
```
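
An added example (not from the original page) that applies this reference to WHOIS output: it extracts the status codes and reports whether a nameserver update, a transfer, or DNS resolution is blocked, and whether the blocking code is set at the registrar or the registry. The WHOIS excerpt is constructed and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: decide from WHOIS status lines whether an operation is blocked.

# Constructed WHOIS excerpt (not real registry data).
SAMPLE_WHOIS='   Domain Name: EXAMPLE.COM
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.EXAMPLE.NET'

# status_codes: WHOIS text on stdin -> one status code per line.
status_codes() {
  grep -i 'status:' | sed -E 's/^[^:]*:[[:space:]]*//' | awk '{ print $1 }' | sort -u
}

# lock_level CODE -> where the code is set, following the page's reference.
lock_level() {
  case $1 in
    client*)  echo registrar ;;
    server*)  echo registry ;;
    pending*) echo pending ;;
    *)        echo none ;;
  esac
}

# check_operation OP: WHOIS text on stdin, OP is update|transfer|resolve.
# Prints the verdict; returns 1 if blocked, 2 on an unknown OP.
check_operation() {
  case $1 in
    update)   pattern='^((client|server)UpdateProhibited|pendingTransfer)$' ;;
    transfer) pattern='^((client|server)TransferProhibited|pendingTransfer)$' ;;
    resolve)  pattern='^(client|server)Hold$' ;;
    *) echo "unknown operation: $1" >&2; return 2 ;;
  esac
  blockers=$(status_codes | grep -E "$pattern" |
    while read -r code; do printf '%s(%s) ' "$code" "$(lock_level "$code")"; done)
  if [ -n "$blockers" ]; then
    echo "$1 blocked by: ${blockers% }"
    return 1
  fi
  echo "$1 allowed"
}

for op in update transfer resolve; do
  printf '%s\n' "$SAMPLE_WHOIS" | check_operation "$op" || true
done
```

With live data, pipe `whois example.com` into `check_operation update` before attempting a nameserver change.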

Registrar Lock Quick Reference

| Registrar | Lock Location | Unlock Method |
|---|---|---|
| GoDaddy | Domain Settings > Domain Lock | Toggle to OFF |
| Namecheap | Domain List > Manage > Registrar Lock | Click Unlock |
| Google Domains | Registration > Security | Toggle off |
| Cloudflare | Domain Overview | Request unlock |
| AWS Route 53 | Domain details > Security | Security options |
| Network Solutions | Account Manager > Domain | Manage locks |

Domain locks are security features, not bugs. Proper workflow: unlock domain, make changes, verify propagation, re-lock domain.