How to read domain registration data: fields and codes explained
What every WHOIS and RDAP field means: registrant vs registrar vs registry, EPP status codes, expiry dates, nameservers. A practical reference.
A WHOIS or RDAP record contains a lot of fields, and several of them are not self-explanatory. The EPP status codes in particular trip people up: seeing clientTransferProhibited on a domain you own can feel alarming when it is actually the correct, healthy state. This article covers the fields that matter most, starting with the three-letter confusion that affects almost everyone who reads registration data for the first time.
The three Rs: registrant, registrar, and registry
These three terms appear in every registration record and are frequently confused:
| Term | Role | Real-world example |
|---|---|---|
| Registry | The authority managing a TLD | Verisign (.com), AFNIC (.fr), PIR (.org) |
| Registrar | The accredited company selling domain registrations | GoDaddy, Namecheap, Cloudflare Registrar |
| Registrant | The person or organization that owns the domain | Your company or personal name |
The easiest analogy: the registry is the national land registry, the registrar is the notary or real estate agent, and the registrant is the property owner. You deal with the registrar when you buy, renew, or transfer a domain. The registry records the official state of who owns what under a given TLD.
In a WHOIS record, you will see all three:
- Registry Domain ID, the registry's internal identifier for the domain
- Registrar, the company through which it is registered
- Registrant Name / Organization, the owner's details (often redacted)
Key dates: creation, updated, and expiry
Every registration record includes three dates. They sound similar but mean different things:
- Creation date, the first date the domain was registered. Not necessarily the date the current owner acquired it; domains change hands without the creation date resetting.
- Updated date, the last time the registration record was modified. A recent updated date does not mean recent ownership: a nameserver change or renewal also triggers an update. This date is often misleading.
- Expiry date (also called Registry Expiry Date), the date the domain registration lapses if not renewed. This is the one that matters most for monitoring.
In an RDAP response, dates appear in the events array:
```
"events": [
  {
    "eventAction": "registration",
    "eventDate": "2007-10-09T18:20:50Z"
  },
  {
    "eventAction": "last changed",
    "eventDate": "2022-09-07T09:10:44Z"
  },
  {
    "eventAction": "expiration",          ← this is the one to watch
    "eventDate": "2024-10-09T18:20:50Z"
  }
]
```
Grace period, redemption period, and pending delete
After the expiry date passes, the domain does not disappear immediately. Most registries follow a structured timeline:
- Grace period (0 to 45 days, varies by registrar): the domain has expired but the owner can still renew at the normal price. The domain may stop resolving, or the registrar may show a holding page.
- Redemption period (approximately 30 days): renewal is still possible, but the registrar charges a significant redemption fee, typically $50 to $150 on top of the renewal price. The EPP status changes to redemptionPeriod.
- Pending delete (approximately 5 days): the domain is queued for deletion. Renewal is no longer possible. Status: pendingDelete.
- Available: the domain is released and can be registered by anyone. Domain drop-catchers compete for it at this exact moment.
EPP status codes explained
EPP (Extensible Provisioning Protocol) status codes describe the current operational state of a domain. They appear as the status field in RDAP or Domain Status in WHOIS text. Understanding them is worth the five minutes it takes:
| EPP code | Plain meaning | What it implies |
|---|---|---|
| ok / active | Normal, no restrictions | Standard healthy state |
| clientTransferProhibited | Transfer locked by registrar | Owner or registrar has locked outbound transfers, normal and recommended |
| clientUpdateProhibited | Record changes blocked | Modifications to the registration record are locked |
| clientDeleteProhibited | Deletion blocked | Domain cannot be deleted, often set alongside transfer and update locks |
| serverTransferProhibited | Transfer locked by registry | Registry-level lock, can indicate a legal dispute or a hold |
| serverHold | Suspended by registry | Domain does not resolve in DNS, a serious signal requiring investigation |
| clientHold | Suspended by registrar | Similar to serverHold but at registrar level |
| pendingTransfer | Transfer to another registrar in progress | Normal 5-7 day window during a registrar transfer |
| pendingDelete | Queued for deletion | Domain will be released within ~5 days |
| redemptionPeriod | Late grace period, high redemption fees apply | Domain expired, in the expensive recovery window |
A domain in healthy active use typically shows clientTransferProhibited, clientUpdateProhibited, and clientDeleteProhibited all at once. This combination is not a problem; it is the registrar's default protection against unauthorized changes. The absence of these locks on an important domain is actually a concern.
serverHold is the status code that should trigger immediate action. A domain on serverHold does not resolve in DNS, so it is invisible on the web. This can happen due to payment issues, abuse reports, or legal proceedings initiated through the registry.
Name servers: what they tell you
Nameservers are more informative than they appear:
| Nameserver pattern | Likely provider |
|---|---|
| ns1.cloudflare.com, ns2.cloudflare.com | Cloudflare DNS |
| ns-xxx.awsdns-xx.com | Amazon Route 53 |
| ns1.digitalocean.com | DigitalOcean |
| dns1.p08.nsone.net | NS1 (often used by large tech companies) |
| ns1.hover.com | Hover registrar |
A nameserver change on a domain you are monitoring is one of the most significant events to watch for. It almost always indicates a change in the hosting provider, DNS infrastructure, or (in the case of a compromised domain) an unauthorized hijack.
Reading an RDAP response: a complete example
Here is a real RDAP response for github.com, annotated:
```
{
  "ldhName": "github.com",                       ← normalized domain name
  "handle": "1264983250_DOMAIN_COM-VRSN",        ← registry internal ID
  "status": [                                    ← EPP status codes
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited"
  ],
  "events": [                                    ← all dates are here
    { "eventAction": "registration", "eventDate": "2007-10-09T18:20:50Z" },
    { "eventAction": "expiration", "eventDate": "2024-10-09T18:20:50Z" },
    { "eventAction": "last changed", "eventDate": "2022-09-07T09:10:44Z" }
  ],
  "nameservers": [                               ← DNS delegation
    { "ldhName": "dns1.p08.nsone.net" },
    { "ldhName": "dns2.p08.nsone.net" }
  ],
  "entities": [                                  ← registrar and registrant
    {
      "roles": ["registrar"],
      "vcardArray": ["vcard", [
        ["fn", {}, "text", "MarkMonitor Inc."]
      ]]
    }
  ],
  "secureDNS": {                                 ← DNSSEC configuration
    "delegationSigned": true
  }
}
```
WHOIS vs RDAP field mapping
For readers who encounter raw WHOIS text output and need to map it to RDAP concepts:
| WHOIS field | RDAP equivalent |
|---|---|
| Registrar: | entities[].roles["registrar"].vcardArray |
| Creation Date: | events[?(@.eventAction=="registration")].eventDate |
| Registry Expiry Date: | events[?(@.eventAction=="expiration")].eventDate |
| Updated Date: | events[?(@.eventAction=="last changed")].eventDate |
| Name Server: | nameservers[].ldhName |
| Domain Status: | status[] |
| DNSSEC: | secureDNS.delegationSigned |
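The field mapping above applied to the github.com record, as an added example (not code from the original article or from Domain Sentinel): it converts RDAP status strings to the EPP codes used in the status table and reports the conditions the article singles out (hold or deletion statuses, missing locks, approaching expiry, nameserver changes). The function names, the `warn_days` threshold and the `baseline_ns` parameter are assumptions of this example.

```python
import json
from datetime import datetime
# Constructed sample: a trimmed copy of the github.com record shown above.
SAMPLE = json.loads("""{
  "ldhName": "github.com",
  "status": ["client transfer prohibited", "client update prohibited",
             "client delete prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2007-10-09T18:20:50Z"},
    {"eventAction": "expiration", "eventDate": "2024-10-09T18:20:50Z"},
    {"eventAction": "last changed", "eventDate": "2022-09-07T09:10:44Z"}],
  "nameservers": [{"ldhName": "dns1.p08.nsone.net"},
                  {"ldhName": "dns2.p08.nsone.net"}],
  "entities": [{"roles": ["registrar"],
                "vcardArray": ["vcard", [["fn", {}, "text", "MarkMonitor Inc."]]]}],
  "secureDNS": {"delegationSigned": true}
}""")

LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
ALARMS = {"serverHold", "clientHold", "redemptionPeriod", "pendingDelete"}

def to_epp(rdap_status):
    """RDAP spells statuses as words; 'active' is the RDAP form of EPP 'ok' (RFC 8056)."""
    head, *rest = rdap_status.split()
    return "ok" if rdap_status == "active" else head + "".join(w.capitalize() for w in rest)

def summarize(rdap):
    """Flatten an RDAP domain object into the WHOIS-style fields of the mapping table."""
    events = {e["eventAction"]: datetime.fromisoformat(e["eventDate"].replace("Z", "+00:00"))
              for e in rdap.get("events", [])}
    registrar = next((item[3] for ent in rdap.get("entities", [])
                      if "registrar" in ent.get("roles", [])
                      for item in ent.get("vcardArray", ["vcard", []])[1]
                      if item[0] == "fn"), None)
    return {"registrar": registrar, "expiry": events.get("expiration"),
            "status": {to_epp(s) for s in rdap.get("status", [])},
            "nameservers": {n["ldhName"].lower().rstrip(".") for n in rdap.get("nameservers", [])},
            "dnssec": rdap.get("secureDNS", {}).get("delegationSigned", False)}

def findings(rdap, now, baseline_ns=None, warn_days=30):
    """List health findings; `now` must be timezone-aware, `baseline_ns` is a prior snapshot."""
    s, out = summarize(rdap), []
    out += [f"alarm status: {c}" for c in sorted(s["status"] & ALARMS)]
    out += [f"missing lock: {c}" for c in sorted(LOCKS - s["status"])]
    if s["expiry"] and (s["expiry"] - now).days < warn_days:
        out.append(f"expiry in {(s['expiry'] - now).days} days")
    if baseline_ns is not None and s["nameservers"] != set(baseline_ns):
        out.append("nameserver change: " + ", ".join(sorted(s["nameservers"] ^ set(baseline_ns))))
    return out
```

To use it for monitoring, store `summarize(record)["nameservers"]` from a known-good lookup and pass it as `baseline_ns` on later runs.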
A complete registration record delivers a lot of information in a compact format. The three dates and the EPP status codes are the most important indicators of domain health. Domain Sentinel displays all of this in a structured, readable layout and sends alerts when statuses or dates change. Run a lookup on any domain to see it in action.