In 2023 operations for the .GOV TLD transitioned from Verisign to Cloudflare (opens in new tab)

(indico.dns-oarc.net)

129 pointssurteen2y ago66 comments

66 comments

There's a very interesting document by Cloudflare linked to it that describes why this was not your typical "change nameserver and done" transition:

https://indico.dns-oarc.net/event/48/contributions/1038/atta...

blibble2y ago

yet another example of DNSSEC "adding value"

lambdaone2y ago

By making it hard just to hijack a crucial TLD and transfer it over to an potential adversary without the cooperation of multiple trusted parties? It seems to me this is DNSSEC working as designed, and being remarkably flexible in doing so. Sometimes things _should_ be difficult to do.

jpgvm2y ago

Yeah I hate that people can't acknowledge that friction is sometimes intentional.

Not everything -should- be easy.

For example I designed a system at a previous company that used Shamir's Secret Sharing to protect a very very important root key. We used an intermediate of this key for most operations but it came time to rotate it and folks were surprised by the ceremony involved in doing so.

i.e the root key was decrypted using X of N members of the SSS group, a new intermediate generated and the special NUC that was designed for this purpose returned to it's safe (which was also using a Yubikey as like a mini-HSM too).

Those keys protected very important PII and I deemed this the minimum necessary friction, ideally I would have went further if that was tenable.

Some things really should be hard and that hardness should be proportional to how horrible the implications of someone unauthorized doing that thing.

1 more reply

tptacek2y ago

In how many instances over the last 10 years has a country code TLD for a country of New Zealand's size or greater been stolen? It doesn't make sense to talk about benefits without costs, and vice versa. Error-prone and dangerous security demands urgent problems. Is TLD hijack one of them? It is not.

omoikane2y ago

I didn't even know .gov changed operators until this news, but looks like there was an earlier news that said it would happen:

https://news.ycombinator.com/item?id=34403055 - Verisign Loses Prestige .Gov Contract to Cloudflare (2023-01-16)

jcsnv2y ago

Looks like it was for ~$7.2mm - https://sam.gov/opp/84b13553be9643f6bd143480a4567352/view

deadbabe2y ago

Is Cloudflare becoming increasingly powerful?

rafram2y ago

Verisign already controls huge portions of the internet (as a registry and certificate authority) and Cloudflafe controls much of the rest. Giving up .gov does very little to move the needle.

gbxyz2y ago

Verisign sold its CA back in 2010.

geraldhh2y ago

this holds true for a quantitative comparison. thou, i suspect that domain to be unusually influential

nkcmr2y ago

Not more than AWS, GCP, or Azure.

gunapologist992y ago

Not that I stay up at night worrying about Cloudflare, but Cloudflare is literally the Man In The Middle between the user and the instances running at AWS, GCP, or Azure.

sophacles2y ago

Unlike AWS, GCP or Azure themselves? You think the people who own the computers you use can't see whats happening on them?

1 more reply

geraldhh2y ago

feels like they subjugated half the web, yea

cheekibreeki22y ago

Verisign is evil, good for cloudflare.

overstay89302y ago

It is shocking how few people understand how DNS works

dang2y ago

Ok, but please don't post empty putdowns.

https://news.ycombinator.com/newsguidelines.html

tiffanyh2y ago

Given this isn’t only DNS, agreed.

This changes:

- Registry,

- Name Server and

- DNSEC

More details here:

https://indico.dns-oarc.net/event/48/contributions/1038/atta...

tephra2y ago

Those are all part of the DNS.

dinkleberg2y ago

It never fails to amuse. Our world is full of really complex tech which people are eager to learn, yet those same people will seem to be allergic to DNS despite it being very simple (at least the main parts of it).

PrimeMcFly2y ago

Look at the amount of coders who can struggle with simple system settings.

Some people only learn what they want to or need to learn, the bare minimum.

tazjin2y ago

I wasn't sure what you were referring to until reading the other top-level comments. Wow. And that's on a site with a technical audience!

SOLAR_FIELDS2y ago

In people’s defense DNS is complicated. Try building a product that uses it and realize there are a ton of edge cases to handle

dinkleberg2y ago

They don’t need to know the edge cases to understand the basics of how DNS works. It is a foundational element of how the internet works and any software dev should have at least some fundamental knowledge of it (unless they don’t do anything that ever touched networking which I imagine is rather rare).

tephra2y ago

While there are certainly complex and weird stuff in the DNS world. The basic of how the DNS works is really not that complicated.

striking2y ago

Yeah, but it's not like those comments are making a mistake about how the tech works because they're looking to learn something today. Posting an axe-grinding comment that shows a clear misunderstanding of the technology on a technical forum is an unforced and pretty indefensible error.

FuriouslyAdrift2y ago

Paul Vixie quote and link to explanations: "DNS is a distributed, coherent, reliable, autonomous, hierarchical database, the first and only one of its kind."

https://queue.acm.org/detail.cfm?id=1242499

wand3r2y ago

As someone that was dealing with my domain being squatted on, I can say I know more about DNS today than I did yesterday.

globular-toast2y ago

This being the top comment means there are enough people here smug because they know how DNS works. People who need to know generally know. Nobody can know everything and most people don't need to know how it works.

2 more replies

stefan_2y ago

It is shocking how few people understand how business works. If you think Cloudflare wants to be in the registrar business, not push their Anti DDoS stuff on a captive audience, I have a bridge to sell you.

profmonocle2y ago

> registrar business

They're the registry, not the registrar. CISA is the registrar for .gov domains, Cloudflare just handles the backend. (DNS and whois infrastructure)

Government employees likely never see anything about Cloudflare at all when they manage the DNS settings for domains, just like I never see anything about Charleston Road Registry (Google subsidiary) when I manage a .dev domain on Name.com.

> push their Anti DDoS stuff on a captive audience

How is this a captive audience? Are you implying Cloudflare won't allow .gov domains to use non-cloudflare nameservers?

acdha2y ago

> push their Anti DDoS stuff on a captive audience

This is a very provocative way to spin “selling the CDN services customers are buying”. What reason do we have to think anyone is an unwilling party to that transaction?

cheekibreeki22y ago

How dare they sell their reliable and popular products at rates untouched by akamai and fastly.

tiffanyh2y ago

I can only imagine conspiracy theories flying around about government partnership with Cloudflare.

supriyo-biswas2y ago

There doesn’t need to be any conspiracy theories when governments will often use their leveraged positions to get something from companies and punish them severely if they don't comply.

If I remember correctly, there was a certain LEA which approached an US ISP for an informal surveillance request, they refused, and the LEA retaliated by cancelling their contract. I’m failing to find it, so I’d be happy if someone can provide a source.

mook2y ago

That sounds vaguely like Qwest.

https://en.wikipedia.org/wiki/Qwest#Refusal_of_NSA_surveilla...

supriyo-biswas2y ago

Yes, that's the one. Thanks!

cheekibreeki22y ago

Verisign IS the conspiracy.

stefan_2y ago

Does this mean every GOV page will now have the "pretend security check" interstitial that litter just about every page now? How do you even describe it, it's like they are vandalising the internet.

cheekibreeki22y ago

What are you on? Site owners choose to enable those rooms.

randunel2y ago

You're getting downvoted, but I guess none of the downvoters tried to apply recently on https://esta.cbp.dhs.gov/esta/, I'm getting the infinite turnstile cloudflare hcaptchas. It's probably happening to most people trying to use that website from 3rd world countries.

acdha2y ago

He’s getting downvoted for confusing two unrelated services. What you’re both talking about is what happens when someone uses Cloudflare’s CDN, enables their managed CAPTCHA feature, and directs their web traffic through it. This is about DNS, which is a separate service at a lower level.

Agencies would have to contract with Cloudflare separately to use the CDN, and each contract is a separate competition where a different part of the government using Cloudflare for a different service would not be considered when reviewing bids.

j / k navigate · click thread line to collapse

66 comments

NicoJuicy2y ago

There's a very interesting document by Cloudflare linked to it that describes why this was not your typical "change nameserver and done" transition:

https://indico.dns-oarc.net/event/48/contributions/1038/atta...

blibble2y ago

yet another example of DNSSEC "adding value"

lambdaone2y ago

jpgvm2y ago

Yeah I hate that people can't acknowledge that friction is sometimes intentional.

Not everything -should- be easy.

Those keys protected very important PII and I deemed this the minimum necessary friction, ideally I would have went further if that was tenable.

Some things really should be hard and that hardness should be proportional to how horrible the implications of someone unauthorized doing that thing.

1 more reply

tptacek2y ago

omoikane2y ago

I didn't even know .gov changed operators until this news, but looks like there was an earlier news that said it would happen:

https://news.ycombinator.com/item?id=34403055 - Verisign Loses Prestige .Gov Contract to Cloudflare (2023-01-16)

jcsnv2y ago

Looks like it was for ~$7.2mm - https://sam.gov/opp/84b13553be9643f6bd143480a4567352/view

deadbabe2y ago

Is Cloudflare becoming increasingly powerful?

rafram2y ago

Verisign already controls huge portions of the internet (as a registry and certificate authority) and Cloudflafe controls much of the rest. Giving up .gov does very little to move the needle.

gbxyz2y ago

Verisign sold its CA back in 2010.

geraldhh2y ago

this holds true for a quantitative comparison. thou, i suspect that domain to be unusually influential

nkcmr2y ago

Not more than AWS, GCP, or Azure.

gunapologist992y ago

Not that I stay up at night worrying about Cloudflare, but Cloudflare is literally the Man In The Middle between the user and the instances running at AWS, GCP, or Azure.

sophacles2y ago

Unlike AWS, GCP or Azure themselves? You think the people who own the computers you use can't see whats happening on them?

1 more reply

geraldhh2y ago

feels like they subjugated half the web, yea

cheekibreeki22y ago

Verisign is evil, good for cloudflare.

overstay89302y ago

It is shocking how few people understand how DNS works

dang2y ago

Ok, but please don't post empty putdowns.

https://news.ycombinator.com/newsguidelines.html

tiffanyh2y ago

Given this isn’t only DNS, agreed.

This changes:

- Registry,

- Name Server and

- DNSEC

More details here:

https://indico.dns-oarc.net/event/48/contributions/1038/atta...

tephra2y ago

Those are all part of the DNS.

dinkleberg2y ago

PrimeMcFly2y ago

Look at the amount of coders who can struggle with simple system settings.

Some people only learn what they want to or need to learn, the bare minimum.

tazjin2y ago

I wasn't sure what you were referring to until reading the other top-level comments. Wow. And that's on a site with a technical audience!

SOLAR_FIELDS2y ago

In people’s defense DNS is complicated. Try building a product that uses it and realize there are a ton of edge cases to handle

dinkleberg2y ago

tephra2y ago

While there are certainly complex and weird stuff in the DNS world. The basic of how the DNS works is really not that complicated.

striking2y ago

FuriouslyAdrift2y ago

Paul Vixie quote and link to explanations: "DNS is a distributed, coherent, reliable, autonomous, hierarchical database, the first and only one of its kind."

https://queue.acm.org/detail.cfm?id=1242499

wand3r2y ago

As someone that was dealing with my domain being squatted on, I can say I know more about DNS today than I did yesterday.

globular-toast2y ago

2 more replies

stefan_2y ago

profmonocle2y ago

> registrar business

They're the registry, not the registrar. CISA is the registrar for .gov domains, Cloudflare just handles the backend. (DNS and whois infrastructure)

> push their Anti DDoS stuff on a captive audience

How is this a captive audience? Are you implying Cloudflare won't allow .gov domains to use non-cloudflare nameservers?

acdha2y ago

> push their Anti DDoS stuff on a captive audience

This is a very provocative way to spin “selling the CDN services customers are buying”. What reason do we have to think anyone is an unwilling party to that transaction?

cheekibreeki22y ago

How dare they sell their reliable and popular products at rates untouched by akamai and fastly.

tiffanyh2y ago

I can only imagine conspiracy theories flying around about government partnership with Cloudflare.

supriyo-biswas2y ago

There doesn’t need to be any conspiracy theories when governments will often use their leveraged positions to get something from companies and punish them severely if they don't comply.

mook2y ago

That sounds vaguely like Qwest.

https://en.wikipedia.org/wiki/Qwest#Refusal_of_NSA_surveilla...

supriyo-biswas2y ago

Yes, that's the one. Thanks!

cheekibreeki22y ago

Verisign IS the conspiracy.

stefan_2y ago

Does this mean every GOV page will now have the "pretend security check" interstitial that litter just about every page now? How do you even describe it, it's like they are vandalising the internet.

cheekibreeki22y ago

What are you on? Site owners choose to enable those rooms.

randunel2y ago

acdha2y ago

j / k navigate · click thread line to collapse