In 2023 operations for the .GOV TLD transitioned from Verisign to Cloudflare

NicoJuicy 2 years ago |

There's a very interesting document by Cloudflare linked to it that describes why this was not your typical "change nameserver and done" transition:

https://indico.dns-oarc.net/event/48/contributions/1038/atta...

blibble 2 years ago | |

yet another example of DNSSEC "adding value"

lambdaone 2 years ago | | |

By making it hard just to hijack a crucial TLD and transfer it over to an potential adversary without the cooperation of multiple trusted parties? It seems to me this is DNSSEC working as designed, and being remarkably flexible in doing so. Sometimes things _should_ be difficult to do.

jpgvm 2 years ago | | |

Yeah I hate that people can't acknowledge that friction is sometimes intentional.

Not everything -should- be easy.

For example I designed a system at a previous company that used Shamir's Secret Sharing to protect a very very important root key. We used an intermediate of this key for most operations but it came time to rotate it and folks were surprised by the ceremony involved in doing so.

i.e the root key was decrypted using X of N members of the SSS group, a new intermediate generated and the special NUC that was designed for this purpose returned to it's safe (which was also using a Yubikey as like a mini-HSM too).

Those keys protected very important PII and I deemed this the minimum necessary friction, ideally I would have went further if that was tenable.

Some things really should be hard and that hardness should be proportional to how horrible the implications of someone unauthorized doing that thing.

blibble 2 years ago | | |

> Not everything -should- be easy.

the entirety of .nz probably wouldn't agree with you when they had a 2 day outage due to a slight DNSSEC misconfiguration

pas 2 years ago | | |

???

at best that means there's more need for practice, testing, better processes, and so on. it does not mean everything should be easy. (especially changes to a critical name authority.)

there's an argument that maybe .nz needs to spend more on this, delegate this, or accept a decreased security assurance, but that's definitely not true in general.

tptacek 2 years ago | | |

In how many instances over the last 10 years has a country code TLD for a country of New Zealand's size or greater been stolen? It doesn't make sense to talk about benefits without costs, and vice versa. Error-prone and dangerous security demands urgent problems. Is TLD hijack one of them? It is not.

omoikane 2 years ago |

I didn't even know .gov changed operators until this news, but looks like there was an earlier news that said it would happen:

https://news.ycombinator.com/item?id=34403055 - Verisign Loses Prestige .Gov Contract to Cloudflare (2023-01-16)

jcsnv 2 years ago |

Looks like it was for ~$7.2mm - https://sam.gov/opp/84b13553be9643f6bd143480a4567352/view

deadbabe 2 years ago |

Is Cloudflare becoming increasingly powerful?

rafram 2 years ago | |

Verisign already controls huge portions of the internet (as a registry and certificate authority) and Cloudflafe controls much of the rest. Giving up .gov does very little to move the needle.

gbxyz 2 years ago | | |

Verisign sold its CA back in 2010.

geraldhh 2 years ago | | |

this holds true for a quantitative comparison. thou, i suspect that domain to be unusually influential

nkcmr 2 years ago | |

Not more than AWS, GCP, or Azure.

gunapologist99 2 years ago | | |

Not that I stay up at night worrying about Cloudflare, but Cloudflare is literally the Man In The Middle between the user and the instances running at AWS, GCP, or Azure.

sophacles 2 years ago | | |

Unlike AWS, GCP or Azure themselves? You think the people who own the computers you use can't see whats happening on them?

gunapologist99 2 years ago | | |

Isn't that the whole value proposition of Cloudflare?

Nearly all traffic (in terms of volume) gets swallowed by CloudFlare and never approaches most instances: DDoS attacks swallowed whole, WAF rules block illegitimate traffic (which is, in most cases, the vast majority of traffic to dynamic endpoints or, frequently, non-existent endpoints, if you've ever tailed webserver logs), and Cloudflare-caching handles most of the remainder for static and cacheable files -- leaving those servers with a mostly-sanitized and far lower volume of traffic. If you're using edge workers, even less traffic hits your servers.

But, yes, out of the remaining traffic that enters AWS/GCP/Azure's network, they certainly can see what's happening on those machines if they care to look.

SOLAR_FIELDS 2 years ago | | |

Yeah, that is one of the main value props of Cloudflare. They just slap you with scale. Entire classes of problems like DDOS just become non issues when you front with them. Most people when talking about Cloudflare have few complaints about the actual services they offer. It’s way more often about how they are so good and widespread that you don’t have many other choices and how dangerous that is in the long term.

geraldhh 2 years ago | |

feels like they subjugated half the web, yea

cheekibreeki2 2 years ago |

Verisign is evil, good for cloudflare.

overstay8930 2 years ago |

It is shocking how few people understand how DNS works

tiffanyh 2 years ago |

I can only imagine conspiracy theories flying around about government partnership with Cloudflare.

supriyo-biswas 2 years ago | |

There doesn’t need to be any conspiracy theories when governments will often use their leveraged positions to get something from companies and punish them severely if they don't comply.

If I remember correctly, there was a certain LEA which approached an US ISP for an informal surveillance request, they refused, and the LEA retaliated by cancelling their contract. I’m failing to find it, so I’d be happy if someone can provide a source.

mook 2 years ago | | |

That sounds vaguely like Qwest.

https://en.wikipedia.org/wiki/Qwest#Refusal_of_NSA_surveilla...

supriyo-biswas 2 years ago | | |

Yes, that's the one. Thanks!

cheekibreeki2 2 years ago | |

Verisign IS the conspiracy.

stefan_ 2 years ago |

Does this mean every GOV page will now have the "pretend security check" interstitial that litter just about every page now? How do you even describe it, it's like they are vandalising the internet.

cheekibreeki2 2 years ago | |

What are you on? Site owners choose to enable those rooms.

randunel 2 years ago | |

You're getting downvoted, but I guess none of the downvoters tried to apply recently on https://esta.cbp.dhs.gov/esta/, I'm getting the infinite turnstile cloudflare hcaptchas. It's probably happening to most people trying to use that website from 3rd world countries.

acdha 2 years ago | | |

He’s getting downvoted for confusing two unrelated services. What you’re both talking about is what happens when someone uses Cloudflare’s CDN, enables their managed CAPTCHA feature, and directs their web traffic through it. This is about DNS, which is a separate service at a lower level.

Agencies would have to contract with Cloudflare separately to use the CDN, and each contract is a separate competition where a different part of the government using Cloudflare for a different service would not be considered when reviewing bids.