UDAI & Technical Recovery
A Unique Domain Authentication ID (UDAI) is an 8-character alphanumeric security code required to authorize the transfer of .nz domain names between registrars. It acts as the definitive proof of ownership, allowing liquidators to bypass uncooperative directors, reset technical controls, and secure digital assets during insolvency proceedings without needing prior account credentials.
In the landscape of New Zealand digital asset liquidation, securing control over a company’s online presence is often as critical as securing physical premises. The UDAI code is the linchpin of this process. Without it, a domain remains locked under the control of the previous registrant; with it, a liquidator can take immediate, unilateral control of the asset.
Understanding the Unique Domain Authentication ID (UDAI)
For insolvency practitioners and digital asset brokers in New Zealand, the UDAI is more than just a password; it is the master key to the digital estate. Unlike standard login credentials, which facilitate access to a registrar’s billing portal, the UDAI interacts directly with the .nz registry backend.

The Technical Composition of a UDAI
A UDAI is generated by the registry when a domain is first registered or upon request by the registrant. It is valid for a specific period (often 30 days once regenerated) and is case-sensitive. Crucially, the UDAI is tied to the domain name itself, not the user account managing it. This distinction is vital for liquidators: you do not need the director’s username and password for their GoDaddy, Crazy Domains, or Freeparking account to seize the domain. You simply need the UDAI.
Why the UDAI is Critical for Asset Preservation
In a liquidation scenario, speed is of the essence. A disgruntled director may attempt to sabotage the company’s value by redirecting the website, deleting email records, or holding the domain ransom. Possession of the UDAI allows a liquidator to initiate a “Registrar Transfer.” This process moves the domain management to a new, secure registrar account controlled solely by the liquidator, effectively locking out the previous management team instantly.
Process for Liquidators to Recover Access Without Cooperation
Recovering a domain when the previous owner is hostile or non-responsive requires a systematic approach. The standard “Forgot Password” flows are useless if the recovery email is hosted on the very domain you are trying to seize, or if it routes to the director’s personal Gmail.
Step 1: Identify the Registrar of Record
Before you can request a UDAI, you must identify where the domain is currently managed. This is done via a WHOIS lookup on the Domain Name Commission (DNC) website. This public record will list the Registrar (e.g., Metaname, Discount Domains) and the Registrant Contact Name.
Step 2: The Formal UDAI Request
If you cannot access the current management portal, you must formally request the UDAI from the current registrar. This is a manual process involving the compliance or legal team of the registrar. You cannot automate this step.

Step 3: Executing the Transfer
Once the UDAI is acquired, do not log into the old account. Instead, open a new account with a different registrar. Initiate a “Transfer In” request using the domain name and the UDAI. This action pulls the domain away from the compromised or hostile environment into your secure control. This is the “Technical Takeover.”
Navigating Registrar Protocols and 2FA Barriers
Registrars are bound by strict privacy and security protocols. They are the gatekeepers, and they are naturally risk-averse. When a liquidator contacts them claiming authority, their default stance is often skepticism to prevent social engineering attacks.
Overcoming Two-Factor Authentication (2FA)
A common hurdle is Two-Factor Authentication (2FA) on the existing registrar account. If the director has 2FA linked to their personal mobile device, logging in is impossible even with the correct password. This is why the UDAI transfer method is superior. By transferring the domain to a new registrar using the UDAI, you completely bypass the authentication mechanisms of the old account. The 2FA on the old account becomes irrelevant because the asset is no longer housed there.
Dealing with Privacy Redactions
Since the introduction of stricter privacy laws, many WHOIS records redact the registrant’s name. This complicates proving that the company in liquidation is indeed the registrant. In these cases, you may need to provide an indemnity letter to the registrar, assuring them that you are the rightful legal representative of the entity that owns the domain.

Securing DNS Control to Prevent Service Disruption
Possessing the domain is only half the battle; controlling where it points is the other. The Domain Name System (DNS) controls where web traffic flows and where emails are delivered. During a hostile takeover, DNS records must be preserved or updated immediately to prevent data loss.
The Risk of “Zone File” Deletion
When you transfer a domain to a new registrar, the DNS settings (nameservers) often reset to default. This causes the website to go offline and email flow (MX records) to bounce. This destroys value. Before executing a UDAI transfer, a competent digital asset liquidator will:
- Interrogate DNS Records: Use external tools to map out existing A records, CNAMEs, and MX records.
- Pre-configure the Destination: Set up the zone file at the receiving registrar before the transfer completes.
- Control Time-To-Live (TTL): Lower TTL values ahead of the transfer so that cached records expire quickly and changes propagate with minimal delay.
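The pre-transfer check in the list above, as an added example (not from the original page): it parses a snapshot of the live records and the zone staged at the receiving registrar, then reports records that would stop resolving as they do today and records whose TTL is still high. The domain, addresses and both record sets are constructed sample data in `dig +noall +answer` layout.

```python
# Added example: compare a pre-transfer DNS snapshot with the zone staged at
# the receiving registrar. All names and addresses below are constructed.
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed snapshot of the live zone (name TTL class type rdata).
CURRENT = """\
example.co.nz.      86400 IN A     192.0.2.10
www.example.co.nz.  3600  IN CNAME example.co.nz.
example.co.nz.      86400 IN MX    10 mail.example.co.nz.
mail.example.co.nz. 300   IN A     192.0.2.25
"""

# Constructed zone as staged at the destination (MX forgotten, apex A changed).
STAGED = """\
example.co.nz.      300 IN A     192.0.2.99
www.example.co.nz.  300 IN CNAME example.co.nz.
mail.example.co.nz. 300 IN A     192.0.2.25
"""

def parse_records(text):
    """Parse answer lines into Record tuples, skipping blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or line.lstrip().startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = fields
        rdata = " ".join(rdata.split())  # normalise internal whitespace
        records.append(Record(name.lower(), int(ttl), rtype.upper(), rdata))
    return records

def missing_after_transfer(current, staged):
    """Records served today that the staged zone would not serve identically."""
    staged_keys = {(r.name, r.rtype, r.rdata.lower()) for r in staged}
    return [r for r in current
            if (r.name, r.rtype, r.rdata.lower()) not in staged_keys]

def slow_to_change(current, max_ttl=300):
    """Records whose TTL exceeds max_ttl and would linger in resolver caches."""
    return [r for r in current if r.ttl > max_ttl]

if __name__ == "__main__":
    cur, new = parse_records(CURRENT), parse_records(STAGED)
    for r in missing_after_transfer(cur, new):
        print("NOT STAGED:", r.name, r.rtype, r.rdata)
    for r in slow_to_change(cur):
        print("HIGH TTL:  ", r.name, r.rtype, r.ttl)
```

A missing MX record in the staged zone is the case that causes mail to bounce after the transfer, so any `NOT STAGED` line should be resolved before the transfer is initiated.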
Email Continuity for Forensic Audits
Liquidators often need access to historical emails for forensic accounting. If the DNS is disrupted, incoming mail bounces. Furthermore, if the email hosting (e.g., Office 365 or Google Workspace) is billed through the previous registrar, the transfer might cancel the subscription. It is vital to decouple the domain layer from the service layer to ensure continuity of evidence.

Legal Authority Requirements for Technical Takeovers
Registrars will not release a UDAI to a third party without irrefutable proof of legal authority. In New Zealand, this process is governed by the Companies Act 1993 and the policies of the Domain Name Commission.
Required Documentation
To successfully compel a registrar to release a UDAI or update registrant details, you must provide a “Digital Asset Recovery Pack” containing:
- Certificate of Appointment: Official documentation from the Companies Office showing your appointment as Liquidator or Receiver.
- Photo ID: A verified copy of the Liquidator’s identification (Passport/Driver’s License).
- Formal Letter of Request: A document on official letterhead citing the specific domain names and requesting the UDAI pursuant to your powers under the Companies Act to realize assets.
- Statutory Declaration: Some registrars may require a witnessed declaration stating that the domain is the property of the company in liquidation.
Section 256 of the Companies Act 1993
Liquidators should reference their powers under the Companies Act, specifically the power to take custody and control of all the company’s assets. Digital assets, including domain names and the intellectual property they represent, are considered property. Registrars who refuse to cooperate may be obstructing the liquidator’s duties, though most are cooperative once the correct paperwork is presented.
Handling “Shadow” Registrants
A common issue arises when a director has registered the company domain in their personal name rather than the company entity. This creates a dispute over beneficial ownership. While the WHOIS says “John Doe,” the asset was paid for by “Company Ltd” and used for its business. In these cases, the UDAI release may be stalled. Liquidators must then prove that the domain is held on constructive trust for the company, often requiring legal correspondence threatening action against the director for misappropriation of company property.
Frequently Asked Questions
How long is a UDAI code valid for?
A UDAI code is typically valid for 30 days from the moment it is generated. If it is not used within this window, a new code must be requested from the registrar. It is best practice to use the code immediately upon receipt to prevent security lapses.
Can a director block a UDAI transfer?
If the domain is unlocked, a director cannot block a transfer once the UDAI is known. However, registrars often place a “Registrar Lock” (ClientTransferProhibited) on domains. The liquidator must first prove their authority to the registrar to have this lock removed before the UDAI can be used.
What if the domain registrar is outside of New Zealand?
Even if the registrar is international (e.g., GoDaddy), if the domain is a .nz extension, they must abide by the policies of the NZ Domain Name Commission. However, the process may take longer due to time zone differences and varying compliance teams.
Does a UDAI give access to the website content?
No. A UDAI only transfers control of the domain name itself. It does not provide the password to the web hosting server or the CMS (like WordPress). However, once you control the domain, you can reset the hosting passwords or redirect the domain to a server you control.
Is it illegal to use a UDAI without permission?
Using a UDAI to transfer a domain you do not own or have legal authority over constitutes unauthorized access to a computer system and theft of digital property. Liquidators are protected because they have legal standing to act as the owner.
How do I find out who the current registrar is?
You can perform a WHOIS lookup on the Domain Name Commission (dnc.org.nz) website. This public search will display the Registrar of Record, the registration status, and the date the domain was created.

