Zoom outage caused by accidental 'shutting down' of the zoom.us domain
315 comments
·April 17, 2025Animats
electroly
GoDaddy Registry operates the .us registry. You cannot have a .us domain without their involvement. Consider whether you wanted a .com domain instead (which is operated by Verisign).
throw_a_grenade
zoom.com is an audio equipment manufacturer, which was there before zoom.us.
I guess that's what happens where they had to accept substandard domain, because they were unwilling to be creative about their name.
thih9
> zoom.com is an audio equipment manufacturer
False, the audio equipment manufacturer uses: https://zoomcorp.com/
The https://zoom.com domain shows content from the video chat platform.
dtgriscom
I always assumed that Zoom reacted to security/privacy concerns about its association with China by getting a "*.us" domain that sounded very United States.
redbell
But the dot com domain is now owned by Zoom Communications or just Zoom (as we know it). If you type "zoom.us" in your browser, you will be redirected to https://www.zoom.com/
yahoozoo
This is … Zombocom.
CPLX
They've had zoom.com since at least 2019 or so. It used to just be a redirect to Zoom.us though they've made a switch since then.
Fokamul
Maybe after recent US events, everything will move to .ru TLD
rhubarbtree
Incidentally, Zoom seems a terrible name for a video conferencing app - anyone know why they chose it?
redbell
> The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains
A while ago and, out of curiosity, I did a Whois Lookup to see what big tech companies are using as their domain registrar and found that Microsoft, Google, Amazon, Tesla, Netflix and Shopify are all using MarkMonitor. On the other hand Apple uses "Nom-iq Ltd. dba COM LAUDE", Meta (and its children) uses RegistrarSafe and Nvidia uses SafeNames.
jenny91
RegistrarSafe is a registrar spun up by Meta for precisely the purpose of guarding their own domains and isn't open to external customers.
snowwrestler
That’s interesting, Apple used to use CSC, which is the “other” big corporate registrar, competitor to MarkMonitor.
conradev
Many of those also run their own gTLDs, too: .apple, .google, etc
debarshri
I guess they are paying markmonitor because of their ability to reach out to Godaddy and get stuff resolved.
Imagine being a small startup with a similar problem. Godaddy will not even entertain you.
Maxious
GoDaddy runs the root dns for .us
mentalgear
GoDaddy is the rot of us domains, besides being rotten culturally as well
dawnerd
Wait really? I use a .us domain for personal stuff, that.. makes me want to reconsider.
NewJazz
Also .us domains don't have who is privacy.
unethical_ban
I understood what you meant. I can understand why someone would want to clarify the terminology for those who don't know DNS well.
AStonesThrow
> GoDaddy runs the root dns for .us
.us is not the “root DNS” and your misidentification is muddying the waters.
.us is a TLD (Top-Level Domain) and more specifically, a ccTLD (cc = ‘Country Code’).
https://en.wikipedia.org/wiki/.us
And the English Wikipedia says that its registrar is a subsidiary of GoDaddy named “Registry Services, LLC”.
The root DNS servers and registry are not run by GoDaddy or a subsidiary.
https://en.wikipedia.org/wiki/Root_name_server
They are operated by important entities. Not companies that release sexy commercials featuring Danica Patrick. I keep getting confused between GoDaddy and Carl’s, Jr.
bawolff
I think its clear from context they mean the .us TLD, and not the root zone, since obviously it wouldn't make sense to talk about the root zone for .us.
Its also very reasonable to use the more well-known name of the parent company to describe sonething done by its subsidary.
gjsman-1000
[flagged]
thayne
Well, another point of MarkMonitor is to get access to ccTLDs with requirements that are more difficult for you to meet yourself. Like needing to have a physical address within the country. MarkMonitor has offices in a bunch of countries just to meet that requirement, so they can sell ccTLD domains to customers.
The legality of that system seems a little questionable to me, but IANAL.
fsckboy
>The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains
the whole point of MarkMonitor is more in the trademark realm, rather than a cloud sysop role.
"Mark" is what trademarks are called in the ... trade.
TheDong
MarkMonitor isn't at fault here.
If you register a ".ps" domain, it doesn't matter if you use MarkMonitor or Namecheap, they can't help you when the ongoing genocide results in the removal of Palestine as a country and ".ps" no longer is a valid country code top level domain.
Similarly, if you register a .us domain instead of a ".com", ".net", or ".org", MarkMonitor can't help you when GoDaddy inevitably screws up.
History has borne this out: .com domains are well-managed. ccTLDs like '.io', '.su', and '.fj' have all had significant security or availability issues because they're run by "eh, whoever the hell the country picks" with no standards.
Financially, a proper gTLD also can't raise prices unilaterally and weirdly, while if you pick a ccTLD, the country has free reign to arbitrarily change prices, delete your domain, take over your domain, etc etc.
Do not use a ccTLD.
Hackbraten
There are countries whose ccTLD registrars are impeccably well-run and have been for decades, such as DENIC, the entity that oversees the .de ccTLD.
If you're based in Germany, I don't see a reason why you would want to avoid .de domains.
NewJazz
There are definitely exceptions, and having a connection to the country in question helps, but unfortunately countries seem to enshittify in different but similar ways as old companies.
immibis
Them being subject to the pretty draconian laws of Germany is a minus for most people if they had no other reason to have to follow those laws (such as not being in Germany).
chrismorgan
>>> This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
That sounds like MarkMonitor is at least partly at fault here.
subscribed
Mark Monitor have issued a correct request for the `serverUpdateProhibited`, but GoDaddy changed the code to `serverHold` instead.
100% on the GoDaddy staff.
NewJazz
I mean, one person is saying what to do and the other person is doing it. And the person doing things is taking down zoom.us... Also knowing who godaddy is and what they do...
chrismorgan
> Financially, a proper gTLD also can't raise prices unilaterally and weirdly, while if you pick a ccTLD, the country has free reign to arbitrarily change prices, delete your domain, take over your domain, etc etc.
Look into what’s happened with pricing on domains like .org and .info. They’re increasingly absurd, with the restrictions on price increases that once were there largely being removed, at the pushing of the sharks that bought the registrar. Why are these prices increasing well above inflation rate, when if anything the costs should go down over time? Why is .info now almost twice as expensive as .com?
agwa
Although the .org price caps are gone, the registry has to raise prices uniformly for all domains. They can't target popular domains for discriminatory pricing. ccTLDs can.
grasps
[flagged]
slackr
ICJ judges in The Hague, including Israel’s appointed judge, deemed it necessary to remind Israel to respect the Palestinians’ right to not be genocided away. https://en.m.wikisource.org/wiki/South_Africa_v._Israel_(Ord...
busy_m
[dead]
lrvick
To try to convince my employer at the time to drop Zoom, I decided to see how many security vulns I could find in 2-3 hours.
Found 12 confirmed bugs in that window using only binwalk and osint.
The worst was that I noticed the zoom.us godaddy account password reset email address was the personal gmail account of Eric S Yuan, the CEO.
So, I tried to do a password reset on his gmail account. No 2FA, and only needed to answer two reset questions. Hometown, and phone number. Got those from public data and got my reset link, and thus, the ability to control the zoom.us domain name.
They were unable to find a single English speaking security team member to explain these bugs to, and it took them 3 months to confirm them and pay me $800 in bug bounties, total, for all 12 bugs.
The one bright side is this did convince my employer to drop them.
jaxefayo
How long ago was this? A few years ago they were hiring aggressively for security team members in the US, including a dedicated fuzzing team. I’m guessing this was from early on when Zoom was just getting popular?
lrvick
About 7 years ago
null
popcalc
You're admitting to committing a felony?
MiguelX413
White hat hacking is fine.
popcalc
If you password reset my personal Gmail account I will sic the FBI on your tail without a second thought. Not cool.
18172828286177
Godaddy is such an incompetent organisation. Should not be allowed to administer anything of importance.
nom
It's easy to blame GoDaddy, but 'miscommunication' takes two.
You pay Markmonitor a shitload of money to make sure this doesn't happen. They should have dedicated people at GoDaddy and direct communication channels.
This is a significant fuckup on Markmonitor's part, even if GoDaddy did something different than was requested from them.
Hobadee
I can guarantee you that miscommunication doesn't always require 2 people.
Source: Have been OH SO EVER PRECISCE AND EXACT in my communication with certain idiots, and they still screw it up. Several instances of "put this here carefully", only to return and find it all the way across the room upside-down and broken, come to mind.
subscribed
Mark Monitor have correctly asked for `serverUpdateProhibited`, GoDaddy changed the code to `serverHold` instead.
I don't know why you're trying to spin it as Mark Monitor fault.
gavinsyancey
Where are you getting that from? I don't see that info anywhere on the linked page. Is there more information published elsewhere, or do you have insider knowledge?
hinkley
Who knew a company who ran ads with women dressed like Hooters waitresses would turn out to be a fucking clowncar. I mean what are the odds?
null
ajdude
A few years ago I had a .us TLD. I eventually decided that I probably shouldn't be reliant on a country code for my domain, it's the same reason why I don't use .io
I'm not saying that this couldn't have happened with a gTLD But why put your brand at the mercy of a government like that?
lucb1e
What TLD is not subject to a country's laws? .aq? .su?
Edit: .eu might be an even better candidate for this requirement, but you can ask British former domain owners how that worked out
gTLDs just subject you to an additional layer of incompetence, namely from the company running it. The government where they're located can still come knocking. It's also not like e.g. .nl is run by the Dutch government officials, it's a nonprofit started by some people in the 80s iirc
belorn
gTLDs are regulated by ICANN. As much as an organization can achieve to be a global multistakeholder group, at least the intention is to be global.
ICANN have a mostly hand-off approach to ccTDLs. The intention is that each country decide on their own regulations and management when it comes to their country code specific domains.
.nl is a very special case, and it is true that the Dutch government was not involved. .nl was the first country code TLD created outside of the US, when the domain system still was part of ARPANET and operated by the United States Department of Defense. .nl was then transferred to a foundation 10 years later, and that's where ownership now resides.
ccTLDs are somewhat of a mess. Many are created in universities, then transferred to a company or foundation. Others were sold to companies from the start. In some cases, government have sold their ccTLD to other countries.
.se for example was created in a Swedish university, and then later the government took possession of it (or the university gave it to them, can't really say). Now there are laws that explicitly defines how it should be used and governed, which then a non-profit foundation manage the implementation.
immibis
IIRC one of the Balkan countries physically stole the DNS servers of another one's ccTLD.
agwa
> gTLDs just subject you to an additional layer of incompetence, namely from the company running it.
ccTLDs also have to be run by some organization, which is often a private company. Maybe the country's oversight over this organization is better than ICANN's oversight over gTLD operators. Maybe it's not. Historically, the worst technical incidents have occurred at ccTLDs.
numpad0
Presumably the idea is that fabricating a legal offense to shut down a ccTLD would be easier than it would be for regular TLDs.
I don't know if that's actually the case, I've heard some shady sites are using .su(Soviet Union) to avoid judicial actions.
lucb1e
Wait, we're talking about buying domain names right? Not about buying countries in order to own a ccTLD rather than a 'regular' TLD
So then you don't have to produce an offence that takes the TLD down (whichever kind) but one that makes a judge within the country that the TLD operator operates in approve a takedown notice for your domain name or even get the TLD operator to cooperate voluntarily
bongodongobob
It's the specific country being referenced, I think.
swores
They wrote that they were talking about country code TLDs vs not, not about US vs. other countries. (Which is what I would've said too, it's a more general point than thinking about anything specific to one country.)
Ironically that one country happens to be the one that also controls gTLDs like .com, as others have pointed out, so arguably .us is the one ccTLD that isn't any more or less likely to be reliable.
omcnoe
Zoom are already at the mercy of the government by virtue of being incorporated in the US, and having the majority of their staff there. "Generic" TLD's like .com come under US purview also anyway.
deepsun
.us is more special, e.g. the owner should be a US entity, and must be public (Private Domain functionality is disabled for .us).
jsheard
> it's the same reason why I don't use .io
Dodged a bullet there given that .io is at risk of being discontinued altogether. It hasn't been decided yet, but better to not have that dangling over your head.
xp84
You can bet it wouldn't be actually discontinued, but you can bet when/if the UK gives away the island to Mauritius or whatever, they'll lease the rights to the highest bidder, and those people will be free to extort everyone with a valuable .io domain.
ryan29
It's going to be interesting to see what they do. One of the core arguments when claiming the domain industry enjoys a competitive market is that switching costs are bearable and that switching TLDs is an option if registries increase prices too much.
So ICANN has a non-trivial choice to make. Either they maintain the position that switching costs are bearable and let .io disappear, or they admit that TLD switching is impossible and save .io, which will make it hard to argue the threat of (registrants) TLD switching keeps the industry competitive.
immibis
Fortunately, ICANN is based in America, where there's no law that markets have to be fair or that you can't lie.
eli
I don't think that's a real risk
jsheard
It wouldn't be the first time a ccTLD has been retired after its country ceased to be, though it would be the most disruptive given how popular it is, hence the uncertainty as to what they'll do this time.
j45
This news to me, thanks for sharing.
SkyeCA
> But why put your brand at the mercy of a government like that?
I tend to trust my government (Canada) and I appreciate that WHOIS information is hidden by default for .ca domains. I live here and always will so it seems fit to use the national TLD for representing myself and my work.
varun_ch
same here with .ch! I trust Switzerland’s stability way more than I’d trust any business or country. I’m not actually sure if there’s any ccTLD more trustworthy. (yes I know that the TLD is ‘managed’ by a private company but still)
tephra
IIRC CIRA who is the delegated ccTLD manager of .ca is not a government entity (this is quite common in the ccTLD space actually, a lot of ccTLD are being managed by foundations or non-profits).
wlonkly
They're not, they're a (refreshingly transparent) non-profit -- but the government has the ability to reassign management of .ca to another organization as they wish.
VWWHFSfQ
> But why put your brand at the mercy of a government like that?
Literally every single TLD is administered by a government.
.com itself is under jurisdiction of USA and operated by Verisign
ryan29
> .com itself is under jurisdiction of USA and operated by Verisign
Barely. The NTIA gave up all their leverage over .com in 2018. The only thing the US can do at this point is let the cooperative agreement auto-renew to limit price increases.
I wouldn't be surprised if the US withdrew from the agreement altogether at this point. Then .com would fall under the joint control of ICANN and Verisign.
AStonesThrow
> Literally every single TLD is administered by a government.
False. I’m not sure what you’re trying to assert, but governments don’t necessarily need to control/admin gTLDs, and as far as ccTLDs go, they’re under jurisdiction of the corresponding nation, usually, but they’re going to be “administered” by a tech company that holds a contract.
Anyway, “.com” does indeed answer to U.S. jurisdiction, despite being technically a gTLD, but registrations are not restricted to US-based entities. The main things that keep “.com” associated with the USA include the history/legacy of this quintessential “original” domain, as well as a general support from major countries that provide a “second-level” commercial domain, such as “.co.uk”.
nottorp
> “.com” does indeed answer to U.S. jurisdiction
... which is a problem lately ... and may have been even in the past for some niches ...
brongondwana
This kind of possibility is why Fastmail purchased fastmail.com and migrated away from our old 'fastmail.fm' domain. .fm was cool, but we ran into a couple of outages on the .fm servers meaning we went offline. No such issues since we've been on .com.
LeoPanthera
Amazing how many service outages are caused by doing business with GoDaddy.
toast0
Sure, but probably when zoom got the zoom.us domain, Neustar was running the .us registry. Godaddy acquired Neustar's registry business in 2020 when everyone was busy looking at other things.
lucb1e
Also after dividing the number of outages by the number of customers?
I'm not a customer (wouldn't buy my domain overseas) and have no solid opinion on GoDaddy besides that I hate the name. I hear the horror stories also. I'm just wondering if this is a knee-jerk reaction
hypercube33
I've used about 12 registrar's and dns providers and they are trash top to bottom - literally the worst and most difficult to do everything from basic setup to how they do things just plain weird compared to other hosting providers. They also aren't the cheapest option so other than brand recognition I don't get why people use them.
kstrauser
Let’s not get carried away.
Network Solutions still exists.
skylerwiernik
I bought my first domain from GoDaddy in high school. I remember them having the slowest dns portal in the world, and having to call support at least once about something they screwed up. Don't really remember the details, but I remember them causing problems and losing my business within a year. I've used at least 3 other registers since then and never had a single problem.
hinkley
Here's something you all need to learn about site (or for that matter, tool) reliability:
Nobody gives a shit about how many good outcomes between incidents there are. They care about how many good hours happen between incidents, and they care how big the incidents are.
So if you make a tool that your coworkers use 5 times as much as the old process, that tool better make things at least 6x more stable or people will start talking about how the process fails 'all the time'.
"all the time", as near as I've been able to figure out, after people have been yelling at me, my team, or a team I'm privy to, is not "every day". No, all the time just means that it happens every couple of weeks and one time happened twice in one day, twice in consecutive days, or with two customers in rapid succession. Usually the day they're screaming about.
So if you're doing that thing every day all day long, where you used to do it rarely, but you made some progress on making it more frequent, nobody cares that it's every 100th run that fails, when it used to be every 10th. They just see the drama has gotten more frequent (and nowhere near as frequent as their narrative says, but you've already lost that argument)
null
null
jetsnoc
They need to implement secondary and tertiary domains—with diverse registrars and hosting infrastructure—for the Zoom client’s calling home. Maybe even a fallback anycast ip address for service discovery. Given how much companies like mine pay for service, it’s reasonable to expect that level of engineering foresight. But hindsight will do—let’s get it fixed. #HugOps to all employees working overtime and taking care of this.
macintux
It certainly was frustrating that the status host was also in the zoom.us domain.
film42
Zoom CEO: Hi, we'd like an SLA credit for the global outage you caused our company.
GoDaddy: I am so sorry about that. I can offer you a one-time coupon for $10 off your next purchase or renewal. Would you like me to apply this to your account?
---
Most companies just hope an apologetic zoom call is enough to retain your business, and most of the time it works. Not enough has been written about the asymmetry of your SLA credits to your revenue impact for a given vendor outage and how that should guide your build vs buy decision framework.
mikeocool
You probably don’t want to optimize for the SLA credit making up for a significant part of your lost revenue — because that would mean when things are operating normally, you don’t have much of a profit margin.
SLA’s are generally more helpful for getting out of long term contracts with unreliable vendors than actually making up for revenue lost during an outage.
kevincox
SLA credits are an incentive for the service provider not making up for lost revenue from the outage.
If you have 100% SLA credit under 99% availability you can't aford to be less than 99% available and I know that your SLA means something to you, not just an aspirational bullet point.
Geezus_42
Why would you use godaddy for a service as large as Zoom? They have been garbage for years. The way they locked out their ACME api for anyone but top tear clients sealed the deal for me. I would never trust them.
signal11
From the linked article
> This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
Markmonitor is used by some fairly large corps and web properties. It’ll be interesting to find out exactly what this miscommunication was.
null
0x0000000
They don't use Godaddy directly. Godaddy is the registry for .us. Zoom's registrar is MarkMonitor, who appear to be at fault for this outage.
subscribed
No, Mark Monitor have requested the correct change (EPP status code `ServerUpdateProhibited), GoDaddy messed it up.
(I'm not affiliated with either, but happen to know the technical details of the outage)
sgarland
Never heard of MarkMonitor before. Not a great start.
I had Google Domains for years, until they abruptly and bizarrely abandoned it, then I left for Porkbun. Never had a problem with either of them. I get yearly auto-renewal notices. Everything works, and it’s very boring, which is precisely what I want from a registrar.
Geezus_42
I just remembered, they also can't do DKIM correctly. What good is a DNS provider that can't follow standards?
technion
Companies as big as zoom are still perfectly capable of having a high level VIP decide "we're going to use GoDaddy because I saw their Superbowl ad".
pavelstoev
Can’t have an apologetic zoom call when zoom is down …
crazygringo
If there were symmetry, then renewing the domain would cost millions instead of $20 or whatever it is, to cover the payouts. Is that what you want?
If it is, you can buy custom insurance for the event from an insurance company, and pay the same kind of yearly fee.
And remember that with build vs buy, what you build will often be worse than what you buy, because at least what you buy is getting bugs fixed from bug reports across the world from other customers. An internal tool will rarely be as stress-tested and battle-hardened as what you can buy.
chazeon
I remember crowdstrike outage offers starbucks coupons? that’s way to go.
null
stackskipton
This smells like something happened with MarkMonitor, they accidently flagged zoom.us as brand spoofing and filed copyright complaint with GoDaddy who runs .us TLD. GoDaddy suspended the domain per the complaint.
lolinder
It's possible, but MarkMonitor is Zoom's registrar, so there are plenty of other ways for a miscommunication between MarkMonitor and GoDaddy to cause this. Copyright complaints would be a more reasonable theory if MarkMonitor were mentioned and didn't have any other involvement.
stackskipton
I guess but if MarkMonitor accidently suspended it, it would be ClientHold but it was widely reported it was showing as ServerHold.
ServerHold is used with Registry (GoDaddy in this case) is disabling vs ClientHold is when registrar is pulling the plug (MarkMonitor)
So what would have MarkMonitor said to GoDaddy to cause them to ServerHold a domain?
altairprime
At one point on a trip to Hawaii I was detained in my room by hotel security for fifteen minutes after requesting a room key to replace the one I lost.
It turns out that they had typo’d 12 into the request type field instead of 1, and type 12 was “Covid lockdown protocol with security enforcement” leftover from 2020 and latent in their systems.
Depending on MarkMonitor have chosen to integrate with each other to handle the sort of trademark management that is MarkMonitor’s premium offering, either or both parties could have simply been off-by-one or typo’d in a transaction to cause this. It’s absolutely plausible to create a confusing nightmare outcome with a one-byte error. (And we’re having quite incredible cosmic rays today, so I hope they’re using ECC RAM!)
thayne
Possibly MarkMoniter failed to renew the domain on time? Or there was a miscommunication around payment that led to the domain expiring?
layman51
I don’t know if I’m misremembering, but I remember getting automated service emails about how Zoom.us will be a deprecated domain in favor of Zoom.com
When this outage happened, I assumed that they finally “made the switch” over but something went wrong.
Something I heard is that there was a Twitter account @zoom_us that was also deleted today.
Alupis
If this is the case, then it seems to be a very clear-cut example as-to why we should reject these sort of automated "take downs". They can and are abused, including copyright violations on Github, YouTube, etc.
Since when did we accept, as a society, guilty until proven innocent? I recognize GoDaddy is not the government - but this is unacceptable. A human spending 3 seconds looking at the domain would understand it's a false-positive and should not be removed.
selcuka
> Since when did we accept, as a society, guilty until proven innocent?
At least since the Digital Millennium Copyright Act.
kemals
ThousandEyes analysis of the outage: https://www.thousandeyes.com/blog/zoom-outage-analysis-april...
gwbas1c
The article lists a lot of facts, but it doesn't actually explain what happened.
IE, it explains what DNS is, but it doesn't explain why the outage happened. Instead, it merely gives a timeline with a lot of context that's useful for someone who's still learning about what DNS is and how it works.
be_erik
I was really hoping to find out they were hosting their DNS on GoDaddy. I still want it to be true.
johncolanduoni
If only it were so, then they would have kind of deserved it. TIL GoDaddy wormed it’s way into administering the .us TLD on behalf of the federal government.
jsheard
That makes two reasons to avoid .us domains, the other being that you're not allowed to redact the WHOIS information on those.
neodymiumphish
This shafted me hard when I registered the domain I used to research and write a company blog post (https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...).
I’ll never deal with a .us domain again, even if it means missing out on a good text string.
riffic
wormed it is
oefrha
[flagged]
johnklos
GoDaddy is the registrar. They (Zoom) host their DNS using Amazon.
That seriously devalues MarkMonitor's services. MarkMonitor claims to be a "an ICANN-accredited registrar and recognized industry leader since 1999". The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains and are not allowed to screw up. GoDaddy should not be involved here at all.