[HN Gopher] In 2023 operations for the .GOV TLD transitioned fro...
___________________________________________________________________
In 2023 operations for the .GOV TLD transitioned from Verisign to
Cloudflare
Author : surteen
Score : 120 points
Date : 2024-02-10 13:46 UTC (9 hours ago)
(HTM) web link (indico.dns-oarc.net)
(TXT) w3m dump (indico.dns-oarc.net)
| deadbabe wrote:
| Is Cloudflare becoming increasingly powerful?
| geraldhh wrote:
| Feels like they subjugated half the web, yeah
| rafram wrote:
| Verisign already controls huge portions of the internet (as a
| registry and certificate authority) and Cloudflare controls
| much of the rest. Giving up .gov does very little to move the
| needle.
| geraldhh wrote:
| This holds true for a quantitative comparison, though I
| suspect that domain to be unusually influential.
| gbxyz wrote:
| Verisign sold its CA back in 2010.
| nkcmr wrote:
| Not more than AWS, GCP, or Azure.
| gunapologist99 wrote:
| Not that I stay up at night worrying about Cloudflare, but
| Cloudflare is literally the Man In The Middle between the
| user and the instances running at AWS, GCP, or Azure.
| sophacles wrote:
| Unlike AWS, GCP or Azure themselves? You think the people
| who own the computers you use can't see what's happening on
| them?
| gunapologist99 wrote:
| Isn't that the whole value proposition of Cloudflare?
|
| Nearly all traffic (in terms of volume) gets swallowed by
| CloudFlare and never approaches most instances: DDoS
| attacks swallowed whole, WAF rules block illegitimate
| traffic (which is, in most cases, the vast majority of
| traffic to dynamic endpoints or, frequently, non-existent
| endpoints, if you've ever tailed webserver logs), and
| Cloudflare-caching handles most of the remainder for
| static and cacheable files -- leaving those servers with
| a mostly-sanitized and far lower volume of traffic. If
| you're using edge workers, even less traffic hits your
| servers.
|
| But, yes, out of the remaining traffic that enters
| AWS/GCP/Azure's network, they certainly can see what's
| happening on those machines if they care to look.
| tiffanyh wrote:
| I can only imagine conspiracy theories flying around about
| government partnership with Cloudflare.
| supriyo-biswas wrote:
| There doesn't need to be any conspiracy theories when
| governments will often use their leveraged positions to get
| something from companies and punish them severely if they don't
| comply.
|
| If I remember correctly, there was a certain LEA which
| approached a US ISP with an informal surveillance request; they
| refused, and the LEA retaliated by cancelling their contract.
| I'm failing to find it, so I'd be happy if someone can provide
| a source.
| mook wrote:
| That sounds vaguely like Qwest.
|
| https://en.wikipedia.org/wiki/Qwest#Refusal_of_NSA_surveilla...
| supriyo-biswas wrote:
| Yes, that's the one. Thanks!
| jmclnx wrote:
| Great, now I will start getting those awful Captchas with .gov
| sites :(
|
| At least in this case, maybe people who are both deaf and blind
| (yes I knew some) will have a place to complain to since there
| are federal laws about disabilities.
| profmonocle wrote:
| They've just taken over authoritative DNS. The captchas come from
| their CDN product.
| randunel wrote:
| You can't use https://esta.cbp.dhs.gov/esta/ from my country
| without an infinity of hcaptchas by CF turnstile.
| profmonocle wrote:
| A particular .gov domain using Cloudflare (although from my
| DNS lookups, that one is not) is unrelated to Cloudflare
| managing the authoritative DNS servers for the .gov TLD.
| The fact that only a specific .gov domain - not all of them
| - has this issue demonstrates that.
| miyuru wrote:
| Are you sure about that?
|
| esta.cbp.dhs.gov seems to be served by Akamai, at least for me.
|
| Also, Turnstile and hCaptcha are the same product (captcha) by 2
| different companies.
| acdha wrote:
| Here's what it looks like from India:
|
| https://www.webpagetest.org/result/240210_BiDcTM_7TZ/
|
| That's definitely an Akamai IP. I'd be quite surprised if
| they were leasing address space to a direct competitor.
| rozenmd wrote:
| DNS and Turnstile are separate products.
| geraldhh wrote:
| mostly bought together
| YesThatTom2 wrote:
| In no way is that true
| piperswe wrote:
| Turnstile is one of a handful of Cloudflare products that
| actually has zero ties to a "zone" - it isn't associated
| with the DNS or CDN products whatsoever. From what I know,
| it seems to be completely free for all uses, so it isn't
| really "bought" in the first place anyway.
| ittan wrote:
| Huh?
| stefan_ wrote:
| Does this mean every GOV page will now have the "pretend security
| check" interstitials that litter just about every page now? How do
| you even describe it? It's like they are vandalising the
| internet.
| randunel wrote:
| You're getting downvoted, but I guess none of the downvoters
| tried to apply recently on https://esta.cbp.dhs.gov/esta/, I'm
| getting the infinite turnstile cloudflare hcaptchas. It's
| probably happening to most people trying to use that website
| from 3rd world countries.
| acdha wrote:
| He's getting downvoted for confusing two unrelated services.
| What you're both talking about is what happens when someone
| uses Cloudflare's CDN, enables their managed CAPTCHA feature,
| and directs their web traffic through it. This is about DNS,
| which is a separate service at a lower level.
|
| Agencies would have to contract with Cloudflare separately to
| use the CDN, and each contract is a separate competition
| where a different part of the government using Cloudflare for
| a different service would not be considered when reviewing
| bids.
| overstay8930 wrote:
| It is shocking how few people understand how DNS works
| tazjin wrote:
| I wasn't sure what you were referring to until reading the
| other top-level comments. Wow. And that's on a site with a
| technical audience!
| SOLAR_FIELDS wrote:
| In people's defense DNS is complicated. Try building a product
| that uses it and realize there are a ton of edge cases to
| handle
| dinkleberg wrote:
| They don't need to know the edge cases to understand the
| basics of how DNS works. It is a foundational element of how
| the internet works and any software dev should have at least
| some fundamental knowledge of it (unless they don't do
| anything that ever touched networking which I imagine is
| rather rare).
| tephra wrote:
| While there is certainly complex and weird stuff in the DNS
| world, the basics of how DNS works are really not that
| complicated.
| striking wrote:
| Yeah, but it's not like those comments are making a mistake
| about how the tech works because they're looking to learn
| something today. Posting an axe-grinding comment that shows a
| clear misunderstanding of the technology on a technical forum
| is an unforced and pretty indefensible error.
| dinkleberg wrote:
| It never fails to amuse. Our world is full of really complex
| tech which people are eager to learn, yet those same people
| will seem to be allergic to DNS despite it being very simple
| (at least the main parts of it).
| PrimeMcFly wrote:
| Look at the amount of coders who can struggle with simple
| system settings.
|
| Some people only learn what they want to or need to learn,
| the bare minimum.
| stefan_ wrote:
| It is shocking how few people understand how business works. If
| you think Cloudflare wants to be in the registrar business, not
| push their Anti DDoS stuff on a captive audience, I have a
| bridge to sell you.
| acdha wrote:
| > push their Anti DDoS stuff on a captive audience
|
| This is a very provocative way to spin "selling the CDN
| services customers are buying". What reason do we have to
| think anyone is an unwilling party to that transaction?
| profmonocle wrote:
| > registrar business
|
| They're the registry, not the registrar. CISA is the
| registrar for .gov domains, Cloudflare just handles the
| backend. (DNS and whois infrastructure)
|
| Government employees likely never see anything about
| Cloudflare at all when they manage the DNS settings for
| domains, just like I never see anything about Charleston Road
| Registry (Google subsidiary) when I manage a .dev domain on
| Name.com.
|
| > push their Anti DDoS stuff on a captive audience
|
| How is this a captive audience? Are you implying Cloudflare
| won't allow .gov domains to use non-cloudflare nameservers?
| tiffanyh wrote:
| Given this isn't only DNS, agreed.
|
| This changes:
|
| - Registry,
|
| - Name Server and
|
| - DNSSEC
|
| More details here:
|
| https://indico.dns-oarc.net/event/48/contributions/1038/atta...
| tephra wrote:
| Those are all part of the DNS.
| wand3r wrote:
| As someone who was dealing with my domain being squatted on, I
| can say I know more about DNS today than I did yesterday.
| FuriouslyAdrift wrote:
| Paul Vixie quote and link to explanations: "DNS is a
| distributed, coherent, reliable, autonomous, hierarchical
| database, the first and only one of its kind."
|
| https://queue.acm.org/detail.cfm?id=1242499
| globular-toast wrote:
| This being the top comment means there are enough people here
| smug because they know how DNS works. People who need to know
| generally know. Nobody can know everything and most people
| don't need to know how it works.
| dang wrote:
| Ok, but please don't post empty putdowns.
|
| https://news.ycombinator.com/newsguidelines.html
| NicoJuicy wrote:
| There's a very interesting document by Cloudflare linked to it
| that describes why this was not your typical "change nameserver
| and done" transition:
|
| https://indico.dns-oarc.net/event/48/contributions/1038/atta...
| blibble wrote:
| yet another example of DNSSEC "adding value"
| lambdaone wrote:
| By making it hard just to hijack a crucial TLD and transfer
| it over to a potential adversary without the cooperation of
| multiple trusted parties? It seems to me this is DNSSEC
| working as designed, and being remarkably flexible in doing
| so. Sometimes things _should_ be difficult to do.
| jpgvm wrote:
| Yeah I hate that people can't acknowledge that friction is
| sometimes intentional.
|
| Not everything -should- be easy.
|
| For example I designed a system at a previous company that
| used Shamir's Secret Sharing to protect a very very
| important root key. We used an intermediate of this key for
| most operations but it came time to rotate it and folks
| were surprised by the ceremony involved in doing so.
|
| i.e. the root key was decrypted using X of N members of the
| SSS group, a new intermediate generated, and the special NUC
| that was designed for this purpose returned to its safe
| (which was also using a Yubikey as a mini-HSM too).
|
| Those keys protected very important PII and I deemed this
| the minimum necessary friction; ideally I would have gone
| further if that was tenable.
|
| Some things really should be hard, and that hardness should
| be proportional to how horrible the implications of someone
| unauthorized doing that thing would be.
| blibble wrote:
| > Not everything -should- be easy.
|
| the entirety of .nz probably wouldn't agree with you when
| they had a 2 day outage due to a slight DNSSEC
| misconfiguration
| pas wrote:
| ???
|
| at best that means there's more need for practice,
| testing, better processes, and so on. it does not mean
| everything should be easy. (especially changes to a
| critical name authority.)
|
| there's an argument that maybe .nz needs to spend more on
| this, delegate this, or accept a decreased security
| assurance, but that's definitely not true in general.
| omoikane wrote:
| I didn't even know .gov changed operators until this news, but
| looks like there was an earlier news that said it would happen:
|
| https://news.ycombinator.com/item?id=34403055 - Verisign Loses
| Prestige .Gov Contract to Cloudflare (2023-01-16)
| jcsnv wrote:
| Looks like it was for ~$7.2mm -
| https://sam.gov/opp/84b13553be9643f6bd143480a4567352/view
___________________________________________________________________
(page generated 2024-02-10 23:01 UTC)