In 2023 operations for the .GOV TLD transitioned from Verisign to Cloudflare
indico.dns-oarc.netThere's a very interesting document by Cloudflare linked to it that describes why this was not your typical "change nameserver and done" transition:
https://indico.dns-oarc.net/event/48/contributions/1038/atta...
yet another example of DNSSEC "adding value"
By making it hard just to hijack a crucial TLD and transfer it over to an potential adversary without the cooperation of multiple trusted parties? It seems to me this is DNSSEC working as designed, and being remarkably flexible in doing so. Sometimes things _should_ be difficult to do.
Yeah I hate that people can't acknowledge that friction is sometimes intentional.
Not everything -should- be easy.
For example I designed a system at a previous company that used Shamir's Secret Sharing to protect a very very important root key. We used an intermediate of this key for most operations but it came time to rotate it and folks were surprised by the ceremony involved in doing so.
i.e the root key was decrypted using X of N members of the SSS group, a new intermediate generated and the special NUC that was designed for this purpose returned to it's safe (which was also using a Yubikey as like a mini-HSM too).
Those keys protected very important PII and I deemed this the minimum necessary friction, ideally I would have went further if that was tenable.
Some things really should be hard and that hardness should be proportional to how horrible the implications of someone unauthorized doing that thing.
> Not everything -should- be easy.
the entirety of .nz probably wouldn't agree with you when they had a 2 day outage due to a slight DNSSEC misconfiguration
???
at best that means there's more need for practice, testing, better processes, and so on. it does not mean everything should be easy. (especially changes to a critical name authority.)
there's an argument that maybe .nz needs to spend more on this, delegate this, or accept a decreased security assurance, but that's definitely not true in general.
if you read the post-mortem they did everything by the book
they made a small mistake, and .nz was down for 2 days as a result
of course the 95% of people that have competent ISPs that don't verify DNSSEC records were completely unaffected
there's a reason ALL major tech companies refuse to deploy it for their zones
> they made a small mistake
> and .nz was down for 2 days as a result
so it was not a small mistake
yes, the same thing happens when people start using technology that actually verifies what it reads/writes. ie. btrfs, ZFS, ECC, etc. and turns out disks fail, bits rots, etc. it was just unnoticed.
Most, not all. Salesforce is a notable counterexample.
In how many instances over the last 10 years has a country code TLD for a country of New Zealand's size or greater been stolen? It doesn't make sense to talk about benefits without costs, and vice versa. Error-prone and dangerous security demands urgent problems. Is TLD hijack one of them? It is not.
I didn't even know .gov changed operators until this news, but looks like there was an earlier news that said it would happen:
https://news.ycombinator.com/item?id=34403055 - Verisign Loses Prestige .Gov Contract to Cloudflare (2023-01-16)
Looks like it was for ~$7.2mm - https://sam.gov/opp/84b13553be9643f6bd143480a4567352/view
Is Cloudflare becoming increasingly powerful?
Verisign already controls huge portions of the internet (as a registry and certificate authority) and Cloudflafe controls much of the rest. Giving up .gov does very little to move the needle.
Verisign sold its CA back in 2010.
this holds true for a quantitative comparison. thou, i suspect that domain to be unusually influential
Not more than AWS, GCP, or Azure.
Not that I stay up at night worrying about Cloudflare, but Cloudflare is literally the Man In The Middle between the user and the instances running at AWS, GCP, or Azure.
Unlike AWS, GCP or Azure themselves? You think the people who own the computers you use can't see whats happening on them?
Isn't that the whole value proposition of Cloudflare?
Nearly all traffic (in terms of volume) gets swallowed by CloudFlare and never approaches most instances: DDoS attacks swallowed whole, WAF rules block illegitimate traffic (which is, in most cases, the vast majority of traffic to dynamic endpoints or, frequently, non-existent endpoints, if you've ever tailed webserver logs), and Cloudflare-caching handles most of the remainder for static and cacheable files -- leaving those servers with a mostly-sanitized and far lower volume of traffic. If you're using edge workers, even less traffic hits your servers.
But, yes, out of the remaining traffic that enters AWS/GCP/Azure's network, they certainly can see what's happening on those machines if they care to look.
Yeah, that is one of the main value props of Cloudflare. They just slap you with scale. Entire classes of problems like DDOS just become non issues when you front with them. Most people when talking about Cloudflare have few complaints about the actual services they offer. It’s way more often about how they are so good and widespread that you don’t have many other choices and how dangerous that is in the long term.
feels like they subjugated half the web, yea
Verisign is evil, good for cloudflare.
It is shocking how few people understand how DNS works
Ok, but please don't post empty putdowns.
Given this isn’t only DNS, agreed.
This changes:
- Registry,
- Name Server and
- DNSEC
More details here:
https://indico.dns-oarc.net/event/48/contributions/1038/atta...
Those are all part of the DNS.
It never fails to amuse. Our world is full of really complex tech which people are eager to learn, yet those same people will seem to be allergic to DNS despite it being very simple (at least the main parts of it).
Look at the amount of coders who can struggle with simple system settings.
Some people only learn what they want to or need to learn, the bare minimum.
I wasn't sure what you were referring to until reading the other top-level comments. Wow. And that's on a site with a technical audience!
In people’s defense DNS is complicated. Try building a product that uses it and realize there are a ton of edge cases to handle
They don’t need to know the edge cases to understand the basics of how DNS works. It is a foundational element of how the internet works and any software dev should have at least some fundamental knowledge of it (unless they don’t do anything that ever touched networking which I imagine is rather rare).
While there are certainly complex and weird stuff in the DNS world. The basic of how the DNS works is really not that complicated.
Yeah, but it's not like those comments are making a mistake about how the tech works because they're looking to learn something today. Posting an axe-grinding comment that shows a clear misunderstanding of the technology on a technical forum is an unforced and pretty indefensible error.
Paul Vixie quote and link to explanations: "DNS is a distributed, coherent, reliable, autonomous, hierarchical database, the first and only one of its kind."
As someone that was dealing with my domain being squatted on, I can say I know more about DNS today than I did yesterday.
This being the top comment means there are enough people here smug because they know how DNS works. People who need to know generally know. Nobody can know everything and most people don't need to know how it works.
It is shocking how few people understand how business works. If you think Cloudflare wants to be in the registrar business, not push their Anti DDoS stuff on a captive audience, I have a bridge to sell you.
> registrar business
They're the registry, not the registrar. CISA is the registrar for .gov domains, Cloudflare just handles the backend. (DNS and whois infrastructure)
Government employees likely never see anything about Cloudflare at all when they manage the DNS settings for domains, just like I never see anything about Charleston Road Registry (Google subsidiary) when I manage a .dev domain on Name.com.
> push their Anti DDoS stuff on a captive audience
How is this a captive audience? Are you implying Cloudflare won't allow .gov domains to use non-cloudflare nameservers?
> push their Anti DDoS stuff on a captive audience
This is a very provocative way to spin “selling the CDN services customers are buying”. What reason do we have to think anyone is an unwilling party to that transaction?
How dare they sell their reliable and popular products at rates untouched by akamai and fastly.
I can only imagine conspiracy theories flying around about government partnership with Cloudflare.
There doesn’t need to be any conspiracy theories when governments will often use their leveraged positions to get something from companies and punish them severely if they don't comply.
If I remember correctly, there was a certain LEA which approached an US ISP for an informal surveillance request, they refused, and the LEA retaliated by cancelling their contract. I’m failing to find it, so I’d be happy if someone can provide a source.
That sounds vaguely like Qwest.
https://en.wikipedia.org/wiki/Qwest#Refusal_of_NSA_surveilla...
Yes, that's the one. Thanks!
Verisign IS the conspiracy.
Does this mean every GOV page will now have the "pretend security check" interstitial that litter just about every page now? How do you even describe it, it's like they are vandalising the internet.
What are you on? Site owners choose to enable those rooms.
You're getting downvoted, but I guess none of the downvoters tried to apply recently on https://esta.cbp.dhs.gov/esta/, I'm getting the infinite turnstile cloudflare hcaptchas. It's probably happening to most people trying to use that website from 3rd world countries.
He’s getting downvoted for confusing two unrelated services. What you’re both talking about is what happens when someone uses Cloudflare’s CDN, enables their managed CAPTCHA feature, and directs their web traffic through it. This is about DNS, which is a separate service at a lower level.
Agencies would have to contract with Cloudflare separately to use the CDN, and each contract is a separate competition where a different part of the government using Cloudflare for a different service would not be considered when reviewing bids.