Domain registrars allowing joint admin accounts?
Posted by realGilgongo@reddit | sysadmin | 33 comments
Does anyone know if there's a registrar out there where you can have more than one super user on an account? So you can have more than one person change credit card details, transfer the domain, for example - something I see Cloudflare doesn't allow.
jamesaepp@reddit
This topic makes me so angry with myself. I swear once upon a time I saw on this very sub someone mention a registrar who had SSO and RBAC capabilities (not Cloudflare) just like you ask.
I don't remember what it was, never saved it. I looked into it quickly - they had a heavy SSO tax, definitely weren't affordable, but it looked good if money wasn't a problem.
I think they started with "C" and it was a relatively short name.
realGilgongo@reddit (OP)
Thanks! Will check them out.
As an aside, it feels odd to me that for something as fundamentally important as domain reg, presumably millions of businesses of various sizes, F/LOSS projects, etc. are reliant on a single individual to log in and do things like change billing info or transfer in/out. Or am I misunderstanding?
jamesaepp@reddit
There is one clever low-tech solution to the general problem of joint custody accounts and I 100% steal this from someone else on this very reddit.
This process requires three administrators.
The password for a given account (ignoring MFA complexity for now) is split up into three individual tokens - A, B, and C.
Three admins are involved, Alice, Bob and Charlie.
Alice knows tokens A and B and records them in their own way.
Bob knows tokens B and C and records them in their own way.
Charlie knows tokens C and A and records them in their own way.
Whenever access to the account is needed, a minimum of two admins is required to take all the required tokens and concatenate them together. No one admin has access to the account by themselves. The system can tolerate the loss of a single admin for the purposes of replacing a new administrator and revoking the trust of the replaced administrator.
TechFiend72@reddit
Until you hit the requirement of MFA to your cell phone. Then this falls apart immediately.
jamesaepp@reddit
Hopefully the vendor supports TOTP and the secret can be shared or split up between multiple people.
If the vendor only supports SMS verification, cell phone numbers are pretty easy to port.
realGilgongo@reddit (OP)
That would be ideal (and in fact isn't this the way ICANN do that root DNS keys thing?) - but sadly exists only in the realm of thought experiment, yes?
ApricotPenguin@reddit
To give an example of what the other person is saying:
Suppose the credentials for your account are:
ABC@example.com and CorrectHorseBattery
Alice knows the first half of the password: CorrectHorse
Charlie knows the last half of the password: HorseBattery
Bob only knows the beginning and end: Correct____Battery
Any combination of persons will be able to log in over a screenshare. This also assumes no one saves the password in their browser's password manager :P
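The two-of-three token split described by jamesaepp above (tokens A, B, C held pairwise by Alice, Bob and Charlie) and ApricotPenguin's CorrectHorseBattery illustration, worked through in code. This is an added example, not code from either commenter: the split points, the `HOLDINGS` table and the helper names are choices made here, the password is the one from the illustration, and the TOTP seed is the RFC 6238 test-vector key (so the TOTP part can be checked against the RFC), standing in for the "shared or split" TOTP secret jamesaepp mentions further down.

```python
"""Two-of-three admin custody of one login: any two admins can rebuild the
password and the TOTP seed, one admin alone cannot. Added example, not the
thread's own code."""
import base64
import hashlib
import hmac
import struct
import time

# Who records which tokens: each admin holds two of the three, and every pair
# of admins between them covers all three (our encoding of the scheme above).
HOLDINGS = {"Alice": ("A", "B"), "Bob": ("B", "C"), "Charlie": ("C", "A")}


def split_into_tokens(secret: str) -> dict:
    """Cut a secret into three contiguous tokens A, B, C (split points are ours)."""
    n = len(secret)
    return {"A": secret[: n // 3], "B": secret[n // 3 : 2 * n // 3], "C": secret[2 * n // 3 :]}


def distribute(tokens: dict) -> dict:
    """Hand each admin exactly the tokens the HOLDINGS table assigns to them."""
    return {admin: {t: tokens[t] for t in held} for admin, held in HOLDINGS.items()}


def reconstruct(shares_present: list) -> str:
    """Concatenate A+B+C from the tokens the present admins bring.

    Raises PermissionError if any token is missing, which is exactly the case
    of a single admin trying to act alone.
    """
    pool = {}
    for share in shares_present:
        pool.update(share)
    missing = [t for t in "ABC" if t not in pool]
    if missing:
        raise PermissionError(f"quorum not met, missing token(s) {missing}")
    return pool["A"] + pool["B"] + pool["C"]


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: everyone holding the same seed gets the same code."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample credentials: the thread's illustrative password and, as the
# TOTP seed, the RFC 6238 test-vector key (base32 of ASCII "12345678901234567890").
PASSWORD = "CorrectHorseBattery"
TOTP_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

PASSWORD_SHARES = distribute(split_into_tokens(PASSWORD))
SEED_SHARES = distribute(split_into_tokens(TOTP_SEED))


def login_material(admins: list, at_time: float = None) -> tuple:
    """What a given set of admins can produce together: (password, TOTP code)."""
    at_time = time.time() if at_time is None else at_time
    password = reconstruct([PASSWORD_SHARES[a] for a in admins])
    seed = reconstruct([SEED_SHARES[a] for a in admins])
    return password, totp(seed, at_time)


def can_log_in(admins: list) -> bool:
    """True if this set of admins meets the two-of-three quorum."""
    try:
        login_material(admins, at_time=0)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for present in (["Alice"], ["Bob"], ["Alice", "Bob"], ["Bob", "Charlie"], ["Charlie", "Alice"]):
        print(present, "->", "quorum" if can_log_in(present) else "no quorum")
    print(login_material(["Alice", "Bob"]))
```

The caveat a practitioner would raise is visible in `split_into_tokens`: because the tokens are contiguous substrings, a single admin (or anyone who obtains their notes) already knows two thirds of the password, so the scheme limits unilateral action but does not hide the secret from a partial holder the way a proper threshold scheme such as Shamir's would. Whether the TOTP seed can even be shared this way depends on the vendor exposing the seed (the QR code or base32 string) at enrolment, which is the point TechFiend72 and jamesaepp discuss below.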
jamesaepp@reddit
Not necessarily - as I said, it's low tech. The worst part of the system is asking the surrounding questions like what to do for MFA, how do account resets work (99% of the time it's just an email reset link, so how do you protect the email)? How do you scale that effectively to dozens of systems, etc.
Trivia - IANA is the best place to go for the root signing key stuff if you want to get a glimpse into how bureaucratic nerds can get. https://www.iana.org/reports/2024/root-ksk-2024.pdf
twaijn@reddit
Yes, Gandi supports multiple admins to an account, and you can have different levels of access too. And you can share a payment card for all admins.
The downside of Gandi is that new ownership hikes the prices yearly. But for corporate accounts the features outweigh the prices.
fireman137@reddit
Cloudflare absolutely works this way.
realGilgongo@reddit (OP)
Unless at Enterprise level - otherwise billing, xfers, etc. can only be done by one person.
fireman137@reddit
I have the ability to set super admins, restricted admins and billing admins, and I only have a free account.
realGilgongo@reddit (OP)
Ah - I just created an account and I can see that too. The Google searches I was doing were all from 2022 or before (wonder why they originally disallowed it?)
Particular-Dot-5956@reddit
Cloudflare definitely allows that. Not sure where you got that information.
realGilgongo@reddit (OP)
"Unless you have an Enterprise plan the Super Administrator role is delegated to only one user"
https://community.cloudflare.com/t/can-we-have-two-super-administrator-all-privileges/231219
Sorry, should have made clear I'm not able to pay for Enterprise level, nor do I need it to simply register domains.
xfilesvault@reddit
That link isn't true anymore. That's from 2020.
You can have multiple Super Admins without an Enterprise plan.
realGilgongo@reddit (OP)
Ah OK I just created an account and I see I can assign super admin to an invitee. OK, thanks!
AMoreExcitingName@reddit
GoDaddy lets you have delegated access which I'm 99% sure can do what you want.
https://www.godaddy.com/help/what-is-delegate-access-12378
fardaw@reddit
We got around this issue with our registrar by having everyone scan the same OTP QR codes and using 1Password for sharing the password.
Even worse than the registrar is how Apple does this for the account owner. No OTP there - you have to add everyone's phone number, one by one.
Otis-166@reddit
Check out Mark Monitor or CSC Global. Both are enterprise level and should have what you’re asking about. No clue on pricing though.
Alternative-Mud-4479@reddit
We’re in the middle of a domain migration to CSC and they definitely support multiple different types of admins through SAML SSO.
MostOwl5108@reddit
We use Lexsynergy. Check them out. Couldn't be happier
Brolossus_of_Rhodes@reddit
101domain.com is what we use - we only opened an account with them because we were buying a domain through escrow, and that's who the seller was using, but we ended up moving all our domains there because none of our other servers did RBAC as well. Sadly they don't have SAML, and only offer TOTP as a 2FA, which is non-ideal, but otherwise works fine.
If you need unphishable 2FA, Namecheap also supports this, and supports U2F as a second factor, but sharing there is per-domain, not per-account, which gets really really unwieldy to manage if you have more than a few domains.
realGilgongo@reddit (OP)
Ah thanks - will check them out!
PlannedObsolescence_@reddit
Gandi & AWS Route 53 both have structures for multi-user permissions and organisations, and both have good APIs.
Although if you want to use completely different registrars for some A/B systems for DR reasons (so a disaster at Gandi for example doesn't cause an issue for both A & B systems), be aware that for some TLDs with Route 53 registrar, AWS actually use Gandi behind the scenes.
scor_butus@reddit
I hate GoDaddy, but GoDaddy allows you to add teammates with a few levels of permissions.
tpwils@reddit
Their implementation of this is horrible in my opinion.
realGilgongo@reddit (OP)
I always hear bad things about them :-) But OK will check them out - thanks!
MattikusNZ@reddit
We use Gandi; it has support for this (different levels of permissions for different roles)
VivienM7@reddit
Webnames.ca allows for that, at least if you have their enterprise stuff which is only a few dollars per domain per year.
6stringt3ch@reddit
Check out TotalUptime. I used them for load balancing a few years ago and they had the ability to add multiple accounts. They do DNS as well.
https://totaluptime.com/solutions/cloud-dns-service/
jamesaepp@reddit
I don't think that is what OP is after. They're asking about the registration side of a domain (i.e. the relationship between the end-entity and the registrar).
Your recommendation only appears to work for the DNS hosting side of a domain which is a trivial thing to accomplish - Azure, Amazon, Google, many others - they all do the DNS hosting with SSO/RBAC no issue.
6stringt3ch@reddit
Ah yes I missed that. Thanks for clarifying.