StatusDetector
Notebook
Internet Graveyard · Part 2 of 4
DomainsDNSExplainer

clientHold, redemptionPeriod, pendingDelete: every state your domain can be in, decoded

Domains do not simply go from 'active' to 'gone'. They pass through a precisely-defined sequence of states — most invisible to the owner until something breaks. Here is the full lifecycle, the EPP codes that mark each step, and exactly how long you have to react at every point.

StatusDetectorMay 11, 202612 min read

A domain disappearing from the internet is rarely instant. Behind the scenes it moves through a precisely-defined sequence of states governed by ICANN policy and the EPP protocol. Each state has a name, a duration, and specific implications for what the owner can do.

Most domain owners only learn about these states when something goes wrong. By that point, the most useful states are usually behind them. This post walks the full lifecycle, every status code you might see in a WHOIS / RDAP record, what each one means for the site that depends on the domain, and what action — if any — is still available.

The shape of a domain's life

The diagram in your head should be: a long flat line called "Active", a short downward staircase at the end called "Expired → Grace → Redemption → Pending delete," and then the cliff where the domain drops back to the public pool.

Most domains spend 99% of their life in "Active." The interesting questions live in the staircase.

Pre-life states

Before a domain is yours, the registry can mark it with one of two states.

pendingCreate

Some registries hold a freshly-submitted registration in a pending state while they verify the registrant's contact information. For most gTLDs (.com, .net, .org) this is invisible — the domain is active within seconds. For some ccTLDs (.it, .br, .au) the pending-create window can last days.

What it means for the site. Nothing yet. The nameservers aren't published until the state clears.

Not registered

The domain doesn't exist in the registry's database. Anyone can register it. This isn't an EPP code — it's the absence of a record. A WHOIS/RDAP lookup returns no data.

Active states

This is where domains live most of their life. The headline state is active, but it can be combined with any number of modifier states.

ok

Plain, unmodified, healthy. The domain is registered, paid for, and nothing about it is restricted.

What you'll see in RDAP. The status array contains "active" and not much else.

clientTransferProhibited / serverTransferProhibited

The domain cannot be transferred to a different registrar. The client prefix means the registrar set the lock; server means the registry did. Almost every production domain has a client transfer lock by default — it's a feature, not a problem.

Why it matters. When you actually want to transfer a domain, you have to unlock it first. Forgetting this is the #1 reason "I'm trying to move my domain and the new registrar says they can't accept it."

Terminal
$

clientUpdateProhibited / serverUpdateProhibited

Nobody can change the domain's records — registrant info, nameservers, DNSSEC keys — until the lock is removed. The server variant is rarer and usually applied by the registry only in legal-hold scenarios.

clientDeleteProhibited / serverDeleteProhibited

The domain cannot be deleted (returned to the registry / public pool). Banks, large platforms, and government domains typically have this set on critical names so a compromised registrar account can't immediately destroy them.

autoRenewPeriod (transient)

A short window (typically 0–45 days) after expiry during which the registrar has auto-renewed the domain on the owner's behalf but the renewal hasn't been confirmed yet. The owner has time to either pay or back out.

Trouble states (orthogonal to the lifecycle)

These can appear at any point in a domain's life. They are the difference between "registered but working" and "registered but completely offline."

clientHold

The registrar has removed the domain's nameservers from the registry. The domain still belongs to the owner, but the public DNS no longer points it anywhere — visitors get NXDOMAIN.

Other reasons: unpaid invoices (the registrar typically tries one or two grace cycles first), abuse complaints (phishing, spam, malware), or a court order routed through the registrar.

serverHold

Same effect — the registry has pulled the nameservers — but the registry, not the registrar, did it. This is rarer and harder to resolve. Reasons include trademark disputes resolved via UDRP, government takedown orders, and registrar-of-record loss.

inactive

The domain is registered but has no nameservers configured at all. Different from a hold — the owner has chosen not to publish any nameservers. Common with newly-registered "parking" domains.

End-of-life states

When a domain is not renewed, ICANN's lifecycle kicks in. This is the staircase.

pendingRenew and the grace period (0–45 days post-expiry)

The contract expired. Most registrars give a 30 to 45-day grace period during which the owner can renew at the standard price. During grace, DNS resolution depends entirely on the registrar's policy — some pull nameservers immediately, some wait days, some wait the full grace period.

What you'll see in RDAP. The expiration event date is in the past. The status may include pendingRenew or autoRenewPeriod.

Action. Renew immediately. After grace ends, recovery costs jump significantly.

redemptionPeriod (30 days)

The grace period ended without renewal. The domain enters a recoverable but expensive window. The registrar can still get it back for the owner — but redemption fees are typically $80–$150 on top of the renewal price. The redemption period lasts 30 days for most gTLDs.

What it means for the site. The site is offline. Nameservers were pulled when the redemption period began. Visitors get NXDOMAIN.

Action. Contact the registrar today. Tomorrow it costs more (well, not directly — the fee is fixed — but every day brings pendingDelete closer).

pendingDelete (5 days)

The redemption window closed. The registry has scheduled the domain for deletion. After this five-day window, the domain drops back to the public pool and anyone can re-register it.

Action. Almost nothing. The original owner cannot recover the domain at this stage. The only routes are:

  1. Backorder via a drop-catcher (SnapNames, NameJet, GoDaddy Auctions). These services attempt to register the domain the instant it drops. There is no guarantee — competing drop-catchers race for popular names.
  2. Negotiate with the next owner. Most dropped domains stay unregistered for months. If yours doesn't, the new owner may sell it back.

Dropped (publicly available)

The domain is back in the public pool. Anyone can register it.

How to read an RDAP record

Every domain status conversation is grounded in the same data. Here is the minimum you need to extract from an RDAP record to know where a domain stands.

Terminal
$

The four fields:

  • ldhName — the actual domain name (LDH = letters, digits, hyphens).
  • status — the array of EPP codes currently set. Compare against the codes above.
  • events — chronological list with at minimum registration, expiration, and last changed events.
  • nameservers — empty array means inactive or held. Non-empty means DNS is published.

The Domain Status Analyzer renders all of this in plain English, including the days-until-expiry math and the appropriate owner action checklist for each state.

DNSSEC complications

If the domain has DNSSEC enabled, a few extra states matter.

Signed at the parent

The parent zone (e.g. .com) has a DS record pointing at your domain's DNSKEY. The chain of trust is established. RDAP shows secureDNS.delegationSigned: true.

Bogus DNSSEC

The DS record at the parent zone doesn't match your zone's DNSKEY. Validating resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8 with default settings, Quad9 9.9.9.9) return SERVFAIL. Non-validating resolvers (most ISP defaults) still answer normally.

Symptom. The site works for some people (the ones on non-validating resolvers) and is completely broken for others. Confusing for the owner; obvious for anyone with a DNS lookup tool and +dnssec.

Fix. Either republish the DS at the registrar to match the current DNSKEY, or remove DNSSEC entirely from the registrar's control panel and let the parent zone drop the DS over its TTL.

The owner action map

When you look up a domain and want to know what to do, the state alone tells you most of it.

When the domain belongs to a service that died

The other angle: you're trying to understand what happened to someone else's domain. A service shut down and you're trying to figure out if the domain is parked, redirected, or just dead.

This is the workflow we built the Domain Status Analyzer for. Paste the domain and it returns the lifecycle position plus the live RDAP record. For services in the Internet Graveyard, it cross-links to the graveyard entry — so you can see what the domain was alongside what it is now.

Frequently asked

My domain expired but the site still works. Why?

You're in the registrar's grace period. The registrar hasn't pulled the nameservers yet. Many registrars wait 0–10 days post-expiry before suspending DNS — some wait longer for established customers. Renew today; the moment they yank the nameservers the site is offline.

A registrar lifted my clientHold but the site still isn't loading.

Two reasons. (1) Resolver caches. Negative DNS responses (NXDOMAIN) get cached too — typically for 10 to 60 minutes depending on the resolver and your domain's SOA negative-cache TTL. Wait, or flush the resolver. (2) The registrar pulled the nameservers when they applied the hold; lifting the hold doesn't automatically republish them. Check that your NS records are still set at the registrar.

How long after pendingDelete will the domain actually drop?

For most gTLDs the pendingDelete window is exactly five days. The drop itself happens in a specific time window that varies by registry — for .com / .net (Verisign) it's between 11:00 and 14:00 UTC. Drop-catchers pre-position connections; competition for popular names is fierce in that window.

What's the difference between WHOIS and RDAP?

WHOIS is the legacy protocol — free-form text, inconsistent formatting across registrars, no formal schema. RDAP is the modern replacement — structured JSON, predictable fields, OAuth-ready, served over HTTPS. Every gTLD registry is required to support RDAP. We use RDAP everywhere in the Domain Status Analyzer.

The one habit worth adopting

Two scripts and you can stop worrying about most of this.

  1. A weekly cron that runs whois / RDAP on every domain you care about and emails you if expiration is within 45 days. Many registrars offer this, but theirs is tied to your account-of-record. If a registrant changes registrars, the notification follows the registrar, not the domain. Doing this yourself catches the gap.
  2. A startup probe that asserts clientHold and serverHold are absent. Three lines of shell. If either appears the script pages whoever is on call.

Domain shutdowns are not surprises. They are precisely-scheduled events. The infrastructure to read those schedules is public and free. The lesson of every dead service we've catalogued in the Internet Graveyard is the same — by the time the redirect lands on the registrar's "domain for sale" page, the warning signs have been visible for months in the RDAP record.

On this page26
  1. The shape of a domain's life
  2. Pre-life states
  3. pendingCreate
  4. Not registered
  5. Active states
  6. ok
  7. clientTransferProhibited / serverTransferProhibited
  8. clientUpdateProhibited / serverUpdateProhibited
  9. clientDeleteProhibited / serverDeleteProhibited
  10. autoRenewPeriod (transient)
  11. Trouble states (orthogonal to the lifecycle)
  12. clientHold
  13. serverHold
  14. inactive
  15. End-of-life states
  16. pendingRenew and the grace period (0–45 days post-expiry)
  17. redemptionPeriod (30 days)
  18. pendingDelete (5 days)
  19. Dropped (publicly available)
  20. How to read an RDAP record
  21. DNSSEC complications
  22. Signed at the parent
  23. Bogus DNSSEC
  24. The owner action map
  25. When the domain belongs to a service that died
  26. The one habit worth adopting

StatusDetector

We check whether a website, app, API, or domain is working, broken, expired, parked, or permanently shut down. Free, no signup — run a check or open the shutdown radar.

More from the notebook

selected by topic

DNS propagation isn't a thing — here's what's actually happening

The phrase 'DNS propagation' is misleading. There's no synchronous global update. What you're actually waiting for is a million independent caches to expire — and that timing depends on choices made by you, your registrar, and every resolver in between.

6 min

Why your DNS change isn't propagating: the five timers that actually govern it

'DNS propagation' has nothing to do with how long it takes. There is no single timer. There are five separate caches between your registrar and your visitors' resolvers — and you need to understand all of them to predict the answer to 'when will the new record be live?'

11 min

What `429 Too Many Requests` actually means, and how rate limits really work

Most rate-limit explanations stop at 'you went too fast.' That's true but not useful. Real rate limiters work in five different ways — token bucket, leaky bucket, fixed window, sliding window, concurrency cap — and the headers tell you which one you're hitting, when to retry, and how much budget you have left.

12 min
All posts