A security mechanism that freezes a domain at the registry level, preventing unauthorized transfers, deletions, or modifications until the lock is explicitly removed. Registry lock sits above registrar lock—it's enforced by the actual registry operator (VeriSign for .com, for example), not your registrar, so even if your registrar account gets compromised or a rogue employee acts, the domain stays locked.
When registry lock is active, any EPP commands that would alter the domain (transfer, delete, change nameservers) are rejected outright by the registry. You request lock/unlock through your registrar, but the registry is the final authority. Some registries require explicit authentication (callback, phone verification) to unlock; others do it on request with a small delay.
Registry lock is essential for high-value or sensitive domains. If your domain is your identity (business, journalism, activism), registry lock + strong 2FA on your registrar account + DNSSEC form a reasonable defense against takeover. It won't stop a court order or ICANN UDRP proceeding, but it stops script-kiddies and disgruntled ISP staff.
Note: bunkerdomains supports registry lock on most TLDs. We don't push you toward it, but if you ask, we enable it and don't charge extra.