
Introducing Cloudflare Registrar - jgrahamc
https://blog.cloudflare.com/cloudflare-registrar/
======
ksec
I wouldn't have cared much about a Domain Name Registrar just a week ago, but
after what happened at Zoho, and all the horror stories in the comments section
from namecheap and others, Cloudflare Registrar couldn't come at a better time.

I really wish Cloudflare at least made $1 or $2 Gross Profits per domain. Who
pays for Domain Registrar Support? I would much rather be a "customer" than I
am not sure where they are making money from my Domain.

P.S - If those were wholesale prices, do other companies get heavy discounts for
signing up in bulk? How do other companies make money when they are selling
it for $0.99 or $6.99?

~~~
rk249
I thought namecheap was one of the better ones around? I'm looking for a domain
registrar. Could you share the link with namecheap horror stories? Thanks

~~~
brobinson
If you are using PrivateInternetAccess, you can't log in to your NameCheap
account. As in, your valid username and password will be rejected. This
happens even if you have 2fa enabled. I reset my password twice (even though I
_knew_ the original because I use a password manager) before I opened a
support case, and they confirmed that they block legitimate logins if they
detect you're using a VPN.

I wanted to move off of them, but everyone else is worse. CF Registrar is
interesting, but there is precedent for CF revoking its services from non-
abusive customers before (whatever that alt-right site was) so I don't think I
will support them either. I heard Gandi is good so I might check them out.

~~~
voltagex_
Gandi is good, I think the site upgrade is done now so there won't be much
clunkiness for new domains. They're more expensive than most, but I've had no
problems. I only use their DNS though, I can't comment on mail, mail
forwarding or hosting.

~~~
Hasknewbie
Gandi are nice to you until you move your domain somewhere else, at which
point they will immediately drop the privacy on your whois record until their
version expires, as a nice parting gift. I complained to their support when
that happened and they basically lied to my face, pretending to see only the
new registrar's whois. Caveat emptor.

~~~
voltagex_
Ah shit. Thanks for the heads up.

------
JohannesH
Does Cloudflare want to be a registrar for other foreign TLDs in the future?

I would love to see them support TLDs such as .dk, .de, .it etc. That way both
me and my clients could begin consolidating domain registration in one place,
instead of using expensive and shitty domain registration management services.
Harder ones, like Tonga (.to) or Greenland (.gl) would be nice to have as
well, but I don't think it's feasible (or possible even) to integrate with all
countries.

~~~
jgrahamc
Yes, we do.

~~~
Nerada
Any chance of allowing more TLDs for the registration process? My TLD of
choice for e-mail (.Industries) is considered illegitimate when attempting to
register for Cloudflare.

~~~
zackbloom
Can you contact our support team? All legitimate TLDs should be able to
register on Cloudflare.

~~~
Nerada
Is there an e-mail? I tried looking, but the contact form I found required me
to register, thus looping back to my original problem.

Could it be I'm using an alias of Cloudflare@mydomain.industries?

Edit: Attempting "cf@domain.industries" and receiving the same error. Assuming
you're accepting .industries registrations, it could very well be my corporate
firewall blocking requests to something. I'll attempt again this evening from
home.

------
_jomo
I wonder why nobody has mentioned Njalla [0] yet.

> We want to keep things simple and we're not trying to compete on price but
> security. We will never be the cheapest domain name registration service but
> we'll always be the most privacy centered one

You sign up with email or XMPP+OTR, they send mails PGP signed + encrypted
(using info from key server or the key you uploaded), they have app based
(TOTP) 2FA and they accept various cryptocurrencies.

There's no bullshit and so far the support has been quite good.

Their DNS (currently) supports: A, AAAA, CAA, CNAME, MX, NS, PTR, SRV, SSHFP,
TXT (also "Dynamic" and "Redirect")

It's run by some of the Pirate Bay founders and they're still making fun of
legal threats. ;)

0: [https://njal.la](https://njal.la)

~~~
dogecoinbase
I like and use Njalla, but you should be aware of what you're getting into:

> When you purchase a domain name through Njalla, we own it for you. However,
> the agreement between us grants you full usage rights to the domain.

It's not at all unlikely that they will eventually be shut down very hard.
Please do not use them (or, as long as I'm here, any ccTLD, but that's another
story) for any serious/long-term purpose.

~~~
_jomo
Who would shut them down? Is this something the ICANN prohibits? Is ICANN even
involved here, as Njalla is (to my knowledge) not an ICANN-accredited
registrar? They simply buy the domains from an actual registrar and let you
use them.

~~~
Operyl
I think in the context of that, they were thinking about governments.

~~~
_jomo
I don't know why buying something and then leasing it to someone else would be
an illegal thing to do. I guess they made sure it's not illegal in Nevis, at
least.

~~~
paranoidrobot
That's not the problem.

It's more the scenario that the country to which the company, or its
officers, belong/reside in, may take a disliking to their customers (perhaps
for unlawful acts), and because the company is seen to own the domain, and
either won't or can't hand over the details of the end customer, the company
could be liable for those things.

Even if the company obeys every lawful direction on cancelling/handing over
domains and whatever customer details they have - they may be seen as
facilitating unlawful behavior, and so that in and of itself can be an
unlawful act.

------
WordSkill
I have used dozens of different registrars over the past two decades and found
Fabulous.com to be by far the best on price and technology. Unfortunately,
they now have no plans to support the new CDS and CDNSKEY protocols which
would be handy for anyone managing a large number of domains.

What Fabulous do have, however, is an "Executive Lock" feature, which is an
optional additional layer of verification that the domain owner must go
through before a domain can be transferred away from his account. They also
support U2F, which allows the use of hardware tokens such as Yubikeys.

Domain protection features such as these are vital if a registrar does not
want to be swamped with jacking attempts and the PR disaster of actually
losing domains.

I am surprised that Cloudflare has not already followed the fine example of
companies such as Dropbox, Github, and Google by supporting U2F. A quick
search shows that Cloudflare customers have been publicly asking for this for
at least 3 years. When they introduced TOTP 2.5 years ago, they stated that
they would support U2F "shortly".

In the context of being a domain registrar, supporting U2F would be even more
useful, dramatically reducing the number of domain jacking attempts. Proper
support would encourage customers to associate TWO hardware tokens with their
account, each stored in a different location. Supporting only one, as AWS have
recently done, leaves them wide open to social engineering, with impersonators
claiming to have lost their one key.

~~~
Boulth
Wow, it's hard to believe they don't support U2F yet. Even smaller providers
such as OVH have had U2F for a long time.

~~~
WordSkill
Yeah, very surprising. Perhaps companies lose the ability to get this stuff
done as they grow larger.

An even more shocking example is Transferwise, supposedly a cutting-edge star
of the "fintech" scene. They use SMS-based codes, a wildly insecure form of
OTP. Over a thousand employees and they cannot even implement some sort of
app-based TOTP (such as Google Authenticator) to protect their clients' money.

~~~
maxgashkov
Transferwise is quite low risk in this regard. They don't have a balance or
anything like that, it's only moving money between 2 accounts in a
transactional manner.

~~~
WordSkill
No, Transferwise provide balances as part of their "Borderless banking"
accounts:
[https://transferwise.com/gb/borderless/](https://transferwise.com/gb/borderless/)

------
johnklos
While Cloudflare appears to be doing things that are meant to help everyday
people, I can't help but be suspicious. This is an organization that sticks
with the "we don't host" bullshit line when web sites serve up Trojans which
pretend to be Adobe Flash installers. While there's more subjectivity involved
with dealing with hosting the content of spammers, there is zero subjectivity
involved with clear and obvious phishing sites.

First, anyone with the tiniest modicum of common sense can tell that these
pretend Flash sites are absolutely not in the slightest way legitimate
content.

Second, providing services in any way, shape or form is, in fact, hosting.
Providing DNS? It's hosting. Providing a cached version of the site? Hosting.

So if they want to be in the business of pretending to be not-hosting, then
they have to stop providing services without which web sites would cease
to function. Are they now going to claim that they're not providing meaningful
services to domains registered through them, and therefore they should not be
responsible for people who are doing illegal things?

Probably.

~~~
zackbloom
I appreciate that these decisions can seem easy, but broadly do you want a
private company deciding what can be on the internet, or do you want that
decision made by a judge with due process?

~~~
daxorid
Matt Prince already decided "what can be on the internet" when he banned Daily
Stormer. As far as Cloudflare is concerned, that ship already sailed.

~~~
jopsen
I think the issue was that the Daily Stormer communicated that the fact that
cloudflare hadn't banned them was a form of support or endorsement.

It seems reasonable to put a lid on that.

I do see the moral dilemma though.

------
Ayesh
This is awesome! Charging the exact same price as the registry wholesale
price.

NameSilo, as far as I know, comes very close to the registry pricing and
offers DNSSEC, nameserver registration and other APIs with the registry.

This could totally throw all registrars out of competition for the price of
registry wholesale price. You just have to hope CloudFlare wouldn't overstep
their role as a registrar if you only register the domain from them.

~~~
nickjj
I currently use NameSilo. Don't forget they also offer free whois privacy for
life.

My only complaint with them is their DNS records are only updated once every
15 minutes.

This makes doing automated API based DNS based LE challenges annoying because
you need to sleep your script for 15 minutes to ensure the update got pushed.

Also, I'm surprised Cloudflare omit talking about whois privacy in the blog
post. Makes me wonder if they plan to sell that for some amount of money.

~~~
zackbloom
We actually didn't talk about WHOIS Privacy because it's becoming less and
less of a relevant feature in the post-GDPR world. We do support it, free of
charge.

Cloudflare is also the largest authoritative DNS deployment in the world, and
changes propagate in closer to 15 seconds than 15 minutes.

~~~
nickjj
Thanks for the confirmation. Sounds promising.

Do you happen to also offer free email forwarding with registered domains?

~~~
zackbloom
I don't have the answer to that yet. On the one hand it's a bit far afield of
what we normally do. On the other a lot of people seem to get it from their
registrar and rely on it.

The ideal situation would be if we could find a way to do email forwarding
which wasn't just as good as what they do, but was exciting and meaningful.
We'll keep thinking about it and let you know on our blog.

~~~
nickjj
If you want to blow everyone away then I think you should start with giving
free real inboxes for everyone (maybe with some sane limit, or a way to pay
per month to increase it), and then introduce email forwarding in the future
(because I'm sure some people will still want that feature even with real
inboxes available).

If you GA'd with:

~$8 .com addresses, N real inboxes, free whois guard and a top notch DNS
record API.

That's a compelling offer and I'd very likely switch from namesilo if that
were the case.

To be honest, anything less and I'd stay with namesilo because the 15 minute
timer can be worked around by using my web host's name servers (digitalocean
pushes updates in a few seconds). I couldn't live without either email
forwarding or a real inbox.

~~~
zackbloom
When you say real inboxes, are you thinking webmail of some sort? Don't most
people prefer to use Google Apps or the like these days?

~~~
nickjj
I mean being able to set up zackbloom@cloudflare.com as a proper inbox that
can send and receive mail without forwarding to another email. Having a web
interface for it would be cool but I think a lot of people could also
configure existing email clients to access it (at least at the start).

Google Suite is something like $5 / month per domain name so offering that as
a free feature would be a pretty big deal.

~~~
x13
Google Suite starts at $5 per email address per month; I think asking for free
email accounts is beyond the product offering of domain registration/renewal.

And they probably want to reserve usage of their domain for email so you know
it's a staff member you're dealing with, which is why google gives away
gmail.com addresses, not google.com addresses.

Here are three less expensive email options for you:

1. get a VM and install exim/postfix
2. OpenSRS [https://opensrs.com/services/hosted-email/](https://opensrs.com/services/hosted-email/)
3. AWS workmail [https://aws.amazon.com/workmail/](https://aws.amazon.com/workmail/)

~~~
nickjj
To be fair he was asking for exciting and meaningful ways to make it better.

> And they probably want to reserve usage of their domain for email so you
> know it's a staff member you're dealing with, which is why google gives away
> gmail.com addresses, not google.com addresses.

These inboxes would be for your custom domain that you registered, not
@cloudflare.com for everyone. I used that for his because it sounds like he
works there.

Yours would be x13@whateverdomainyouregistered.com.

------
oxplot
Still no U2F? C'mon CF, how hard can it be for an org the size of yours.

------
forapurpose
The registration cost for domains is trivial (for most common TLDs): $8/year
or $35/year - how much is $27/year worth to you and your company?

The primary cost for domains is potential downtime. How much does a day of
downtime cost you and your company? I don't want to think about it either.

The next most significant cost is labor - your time and your business' delays
when dealing with the registrar over service and support issues.

Both of these problems are solved with available, responsive, highly effective
support. If it goes down, you want to reach someone right away who has the
skill to quickly solve the problem and who is empowered to do whatever is
necessary to bring it back up. And for lesser issues, quality support means
you spend less time solving problems, which not only saves you time and
frustration but reduces delays for your work that depends on the problem, and
for other people depending on you and people depending on those people. It's
the difference between spending days trying to communicate with someone who
turns out not to understand the technology anyway, and then you have to figure
out a solution yourself and coax them into implementing it, and communicating
with someone who answers immediately and says 'I got it', explains the tech to
you - and you don't bother to remember it because they already know it.

I don't see support, the most important capability of a registrar (besides
basic competence) IMHO, mentioned in Cloudflare's announcement. What is the
support story?

EDIT: Added exposition

~~~
zackbloom
We provide email support to all of our customers. I believe free customers see
a response within 8 hours on average (we have teams in SF, Austin, London, and
Singapore, to cover every timezone). That 8 hours can become as little as 30
minutes for customers who also subscribe to our Pro or Business plans, or use
our Custom Domain Security product.

~~~
forapurpose
Thanks for the update. For comparison, I pay ~$35/year and get skilled,
empowered, responsive phone support within maybe five minutes of calling. I've
never needed them to pull off a miracle so I don't know how truly empowered
they are.

------
cpncrunch
I would never use Cloudflare. They hide spammers and refuse to do anything
about them. The same mass spammer will register site after site for months,
sending snowshoe spam, and cloudflare refuses to do anything. At one point
this was taking up about 80% of our incoming spam, and most of it was getting
through spam filters due to the snowshoeing. You could see the same
registration info for hundreds of domains over months, all sending spam, but
cloudflare doesn't give a shit.

The only solution I found was to put a 15 minute delay on all incoming email
from a cloudflare domain, then do a second check of the blacklists. This
solved the problem, as the sending ips (not cloudflare) tended to get
blacklisted within 15 minutes.

In my mind if you're hiding people's websites behind your "cloud", you have a
responsibility to kick off the spammers.

~~~
johnklos
How do you have your MTA check if a domain is hosted through Cloudflare, and
what blacklists do you use? I think I'd like to do this, too.

~~~
jlgaddis
If you've ever run Postfix on a public-facing MX host, you're probably
familiar with so-called "restrictions" like "check_client_access",
"check_recipient_access", and "check_sender_access".

There are also several other (seemingly lesser known) restrictions available,
such as "check_sender_a_access", "check_client_mx_access", and
"check_helo_ns_access" (plus similar variations you can likely think of) that
you can use to take action based upon things like the IP address(es) listed in
the A RR for the client MTA's hostname, the hostname(s) listed in the MX RRs
for the client MTA's IP address, and/or the authoritative DNS servers of the
domain name provided by the client MTA during the HELO/EHLO phase.

Imagine a spammer that had hundreds of domain names, all of which used her own
DNS servers, jack.ns.example.com and jill.ns.example.com. Using
check_sender_ns_access, for example, you can quickly and easily reject all
mail where the domain name in the envelope from address uses one of these
authoritative DNS servers.

If you get creative, you can come up with some really effective combinations
that are actually pretty simple.

[0]:
[http://www.postfix.org/postconf.5.html](http://www.postfix.org/postconf.5.html)

~~~
cpncrunch
Well, this is the problem with cloudflare...you can't block cloudflare because
there are so many legitimate domains hosted there. The 15 minute delay
followed by a second blacklist check is the best solution I've come up with
(it seems to work almost 100% of the time from what I can tell).
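
The two approaches discussed in this sub-thread (acting on the sender domain's authoritative name servers, and holding mail for 15 minutes before a second blacklist check) can be combined in one policy. The sketch below is an added example, not code from any commenter or from Postfix; the tables, the `DELAY` action, `sharedprovider.example` and all addresses are constructed, and DNS and blacklist lookups are simulated with in-memory data so it runs offline.

```python
"""Added example: NS-based sender policy plus a delayed second blacklist check."""
from dataclasses import dataclass

DELAY_SECONDS = 15 * 60  # the 15 minute hold described in the thread

# Constructed sample data standing in for DNS NS lookups (not real infrastructure).
NS_RECORDS = {
    "spam-one.example": ["jack.ns.example.com", "jill.ns.example.com"],
    "snowshoe.example": ["ada.ns.sharedprovider.example"],
    "shop.example": ["ada.ns.sharedprovider.example", "bob.ns.sharedprovider.example"],
    "friend.example": ["ns1.friend.example"],
}

# Name server (or parent domain) -> action, in the spirit of a
# check_sender_ns_access table. DELAY is this example's own label: the
# provider hosts too many legitimate domains to reject outright.
NS_ACCESS = {
    "jack.ns.example.com": "REJECT",
    "jill.ns.example.com": "REJECT",
    "sharedprovider.example": "DELAY",
}

# Client IP -> time (seconds) at which it first appears on a blacklist (constructed).
BLACKLIST_LISTED_AT = {"192.0.2.10": 600}


@dataclass
class Message:
    envelope_from: str
    client_ip: str
    received_at: int


def sender_domain(envelope_from):
    """Domain part of the envelope sender, normalised."""
    return envelope_from.rsplit("@", 1)[-1].lower().rstrip(".")


def ns_action(domain):
    """Strictest action found for any of the domain's name servers.

    Each name server is tried by full hostname, then by parent domains
    (a simplification of how an access table is searched).
    """
    found = set()
    for ns in NS_RECORDS.get(domain, []):
        labels = ns.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):  # stop before the bare TLD
            action = NS_ACCESS.get(".".join(labels[i:]))
            if action:
                found.add(action)
                break
    for action in ("REJECT", "DELAY"):
        if action in found:
            return action
    return "OK"


def is_blacklisted(client_ip, now):
    listed_at = BLACKLIST_LISTED_AT.get(client_ip)
    return listed_at is not None and now >= listed_at


class Policy:
    def __init__(self):
        self.held = []

    def on_receive(self, msg):
        """First pass: blacklist check, then the name-server table."""
        if is_blacklisted(msg.client_ip, msg.received_at):
            return "REJECT"
        action = ns_action(sender_domain(msg.envelope_from))
        if action == "DELAY":
            self.held.append(msg)
        return action

    def release_due(self, now):
        """Second blacklist check for held mail whose delay has elapsed."""
        results, still_held = [], []
        for msg in self.held:
            if now - msg.received_at < DELAY_SECONDS:
                still_held.append(msg)
            elif is_blacklisted(msg.client_ip, now):
                results.append((msg, "DISCARD"))
            else:
                results.append((msg, "DELIVER"))
        self.held = still_held
        return results


def demo():
    policy = Policy()
    msgs = [
        Message("a@spam-one.example", "198.51.100.5", 0),
        Message("b@snowshoe.example", "192.0.2.10", 0),  # IP gets listed at t=600
        Message("c@shop.example", "203.0.113.7", 0),
        Message("d@friend.example", "203.0.113.8", 0),
    ]
    first = [policy.on_receive(m) for m in msgs]
    early = policy.release_due(300)            # nothing is due yet
    later = policy.release_due(DELAY_SECONDS)  # second check happens here
    return first, early, [(m.envelope_from, v) for m, v in later]


if __name__ == "__main__":
    print(demo())
```

The snowshoe sender passes the first check because its IP is not yet listed, and is caught only by the second check after the hold, which is the effect described above.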

------
convery
While I'm sure few of us would have controversial domains, let's remember that
Cloudflare have removed the DNS records of sites that they didn't like in the
past[0].

[0] - [https://blog.cloudflare.com/why-we-terminated-daily-stormer/](https://blog.cloudflare.com/why-we-terminated-daily-stormer/)

~~~
eridius
That's misleading. They removed the records of one site. Not "sites". And they
did it because that site was claiming that CloudFlare providing them services
meant that CloudFlare secretly supported their (hate-based) ideology.

And it's also worth pointing out that CloudFlare wasn't the only company
terminating services for Storm Front. GoDaddy dropped them, then Google
dropped them (and their YouTube account), then Tucows dropped them after just
a few hours, and then finally CloudFlare dropped them.

Or to put it another way, CloudFlare has dropped one single site. Pretty much
any other competing service will have dropped numerous sites. CloudFlare's
dropping of The Daily Stormer is really only interesting in that it was a
violation of CloudFlare's previously-stated policies of only dropping clients
that are breaking the law.

~~~
Ajedi32
And, perhaps more importantly, Cloudflare admitted that was a mistake and
promised that it wouldn't happen again. (IIRC.)

~~~
stevenicr
I've been trying to watch these issues and not seen anything that suggests
they won't do it again. If you have some evidence of this, please post it.

In fact I think it more important to point out that the incident proved they
can and will do such a thing, and will have less of an argument should someone
stick a piece of paper to their head and tell them to do it more often.

I like cloudflare and appreciate all these cool things they are doing with
others' (Google's, Microsoft's and Baidu's ?) money... however the old
playbook of get big and entrenched then start to bleed your captive customers
is getting rather old.

Wall street pressure has made godaddy much worse in my experience, and I have
seen nothing that says cloudflare has done anything to prevent these things
from happening again.

Whichever registrar is keeping stormfront as a customer is likely more
resilient. (would like to know which (tucows?) reseller is the one.)

As I have mentioned elsewhere, I hope cloudflare is already setting up ways to
split their company into cloudflare US, cloudflare CA, cloudflare UK,
cloudflare JP, IN, etc etc.. as I think it's the only way to prevent mass
takedowns that are likely coming in the future.

~~~
stevenicr
Days after posting about the need for cloudflare (and others) to decentralize
/ split up; and there is this article in the Guardian for the UK:
[https://www.theguardian.com/commentisfree/2018/sep/30/we-can...](https://www.theguardian.com/commentisfree/2018/sep/30/we-cant-stop-spread-of-hate-get-tough-with-technology-giants-jo-cox)

Equating cloudflare tech with nazi bouncers, and killing. Needing to be used
to shutdown sites.

with things like this:

> Cloudflare has built “edge servers” – data centres that store content
> locally. There are 30 in Europe, including one in London and one in
> Manchester. The British government cannot regulate the worldwide web, but it
> could enforce the law in Britain. The anti-fascists at Hope not Hate begged
> ministers to make Cloudflare’s British operations comply with anti-Nazi
> legislation.

> Cloudflare, by contrast, is enabling men who want to kill, not argue.

There was a time when the tech was not easily understood, and the argument of
dumb pipes was kind of legit. It seems that time is over, in no small part
because tech has not been sticking to their principles (imho).

------
fooey
I really wish I could find a good solution for generic wildcard forwarding of
email my registrar provides

I'd move everything to CloudFlare instantly if I could find a way to get
*@mydomain.com for all mess of domains without having to run my own email
server or pay a bunch of money per domain.

~~~
coenhyde
You could probably use Mailgun with a routing rule to map *@yourdomain.com to
a single email address.

~~~
zuck9
Is that free?

Some domain registrars offer wildcard domain forwarding for free.

------
bad_user
Is Cloudflare profitable?

I like their service, but given all the freebies that don't generate revenue,
I can't help but wonder if they are going to be around for another 5 years
before transferring my domains to them.

~~~
krn
> Is Cloudflare profitable?

CloudFlare has been profitable since 2014[1]:

> CloudFlare has raised more than $72 million in funding, with a $50 million
> round in 2012, valuing the company at $1 billion. That last slug of equity
> is still in the bank, says Prince; the company says it just had its first
> cash-flow-positive quarter with revenue, estimated to be around $40 million
> by year-end, growing 450% year over year.

[1]
[https://www.forbes.com/sites/kashmirhill/2014/07/30/cloudfla...](https://www.forbes.com/sites/kashmirhill/2014/07/30/cloudflare-protection/)

------
_JamesA_
This is great.

I have used Namecheap as a registrar and Cloudflare as DNS for many years.

I just registered for Early Access and was placed in Wave 1 estimated for Mid-
October. I happily donated to Girls Who Code anyway.

~~~
partiallypro
I am a customer of Namecheap and Cloudflare too, and though I'm a happy
Cloudflare customer, Namecheap has given me no reason to leave.

That being said, the company I work for I think I will begin transferring over
to Cloudflare as a registrar, simply because we have hundreds of sites already
on Cloudflare's NS, and moving them over to Cloudflare is much easier to sell
than moving them over to Namecheap, which is something I had pitched but could
never justify.

------
r1ch
This sounds great. Hopefully the TLD coverage is extensive, I dislike having
my domains split across multiple registrars based on their supported
extensions.

~~~
LakeAustin
We want to help you consolidate those! Full list here for TLDs supported at
launch, but we're busy working to add more before then.
[https://www.cloudflare.com/tld-policies/](https://www.cloudflare.com/tld-policies/)

~~~
sofaofthedamned
Gah, you don't have .je domains. I have a charity one there which I have to
use gandi.net for and it's driving me nuts...

~~~
bscphil
Likewise, .sh domains are pretty popular but an incredible pain to deal with.
I managed to transfer mine to Hover, but it's expensive and buggy (you can't
update your registration address, for example; you get an "internal server
error").

------
ocdtrekkie
I think this is pretty great. Apparently a .com is going to run you only $8.03
right now.

I already use Cloudflare for some things, and like to keep my web presence
diversified, so I probably won't move my main domains to Cloudflare just to
maintain "separation of powers", but there's definitely some "own the other
TLDs of these"-type domains that I have which I may hand off to Cloudflare to
save money.

------
c487bd62
Awesome!

I hope you don't mind me ranting a bit about custom domains

> Custom Domain Protection for Cloudflare Registrar, available on the
> Enterprise Plan, protects your organization from domain hijacking with
> exclusively out-of-band verification of any changes to your Registrar
> account.

This is what keeps me locked into Google and other services. I just can't
trust my custom domain, if I'm targeted by any semi competent attacker it WILL
be hijacked. That you're offering this service only makes my suspicions
stronger. I want to use your services but that's a showstopper. It's not your
fault, of course, all registrars face the same issues. You need so many
different factors to make the process secure it's not even funny, and you said
it yourself: "That, obviously, doesn't scale".

A few years ago one of my customer's domains was stolen by contacting the
registrar support (one of the big ones, always recommended around here). They
even had a scan of his passport. With so many data leaks, even from your own
government, how do you even protect against these kinds of things? His life for
the next few months was a living hell.

~~~
zackbloom
I'm sorry to hear that, it sounds horrible. We had a very similar situation
several years ago which led to the development of our original Registrar.

All I can tell you is the 'custom' in Custom Domains refers to the idea that
you can set whatever security policy you would like. That includes restricting
who can change your domain to a list of people you can count on one hand who
each have a personal relationship with you. If you want a policy which
requires a photo of you with today's newspaper in it to change a domain,
that's probably something which can be arranged.

Just to clarify for readers, this is the Custom Domain plan, which is the
Enterprise version of the Registrar we are launching today.

------
jpswade
Tucows made hover.com to try and solve this exact problem. How does this
differ?

~~~
WordSkill
Price: $8.03 vs $14.99

~~~
awill
All my domains are with Hover. Good customer support, reasonable UI, 2FA. I'm
pretty happy with them.

Sure, it's a little more expensive, but I actually like the no upsell, stable
prices, no coupon codes etc..

Most importantly, there's a number to call. I've never had to call it in my 7
years with them, but I'm glad it's there for emergencies.

A domain is so, so important, I don't see "we're a few bucks cheaper" as a
selling point.

~~~
jhall1468
I mean, that's literally the same thing CF is doing here. No upsell, stable
prices (at cost) and obviously no coupon codes.

~~~
awill
Yes. But will they have a number to call? Can they pay support staff if
they're selling domains at cost.

------
umbs
Anyone here know if Cloudflare plans to let non-customers transfer their
domains to Cloudflare? Especially, if it's a personal domain? I purchased a
domain from GoDaddy and host a blog. But they have been upselling and
charging me needlessly. I imagine it's a headache for Cloudflare to support
personal domains like GoDaddy does, but I really hope they do.

~~~
jgrahamc
Yes. As soon as we are through the Early Access period.

------
interfixus
For the last ten years+ I've done all my domain-stuff through Dynadot, and all
that time I have been mystified that these guys aren't far better known than
they appear to be. Prices are decent, comprehensible, and stable. UX is okay.
Not spectacular, but absolutely usable. Great flexibility with whois records. I
have needed support _once_ in those ten years, and that was my own bloody
fault for having forgotten which birthday I signed up with. Even so, help was
prompt, polite, and efficient.

Looked in at the competition from time to time - NameCheap, GoDaddy, whoever -
just to see what I might be missing out on. The experience was always sobering
and ugly to look at, and every time, I ended up dragging my new domain over to
Dynadot.

------
nodesocket
I am excited about this announcement, and look forward to a registrar who takes
security seriously.

> But why should registrars charge any markup over what the TLDs charge? That
> seemed as nutty to us as certificate authorities charging to run a bit of
> math. When we see a broken market on the Internet we like to do something
> about it.

That is not a broken market, it's actually free-market economics and business.
Charging a markup for a service literally is how many companies operate. I
don't have a problem with it, and because it's a free market it allows
CloudFlare to disrupt it.

------
edent
Interesting. Wonder if they'll support punycode domains - either for
internationalisation or for emoji.

I tried to get a .中国 domain, but fell afoul of the "unique" restrictions that
my reseller encountered.

~~~
kijeda
.中国 is the country-code top-level domain for China, and has its own set of
country-specific rules that they have devised.

Emoji is illegal according to the IETF IDN specification. Some naive clients
allow it (i.e. don't follow the standard) but ICANN rules prohibit registries
allowing registration of labels that are disallowed by the standard.

~~~
dcbadacd
If you convert unicode to punycode it's fine? So displaying punycode TLD as
unicode is fine as well? If all previous has been true then unicode being
displayed as unicode can't be wrong.

------
jtl999
Very interesting.

I sure hope that when they go live that they don't force people to use Cloudflare's
nameservers.

As I've mentioned before I use Uniregistry and I'm quite happy with them, but
at the end of the day, how do you trust your domain registrar when uncertain
things that often have no written policy happen (someone impersonating you to
hijack your domains, someone filing bogus abuse/UDRP notices to get your
personal information despite using a WHOIS privacy service, etc.)

I'd be curious what other users think of the second part.

------
carapace
I've been shy of purchasing a domain name for years ever since I did an
availability search on a registrar's site only to discover that the domain had
been "reserved" _a few milliseconds before my search_ and would therefore cost
more.

It was so obviously shady that I just backed away and have been waiting ever
since for some other naming system to become viable.

Meanwhile, this announcement is a ray of sunshine from behind the Cloudflare.
(Sorry for the pun! I couldn't resist.)

~~~
Ayesh
CloudFlare doesn't say they wouldn't do the same (although I believe they
won't).

I don't really believe when people claim the registrars registered the domains
themselves when they typed it in a search box. For example, it costs the
registrars around $8 to register a .com, even for themselves. They make $1-2
profit from a purchase, and I would say spending $8 hoping the same user who
searched it will be locked in is a risky gamble.

Sure, one can put a real human to assess the domain searches and try to lock
users in, but it's still a gamble.

~~~
carapace
It was years ago and I can't remember the details, but I remember I used some
registrar's domain-name-availability widget and somehow the name had been
"reserved" (not registered) in a way that meant they would charge me more
money, and I was somehow able to find some other thing that showed the
reservation had happened right around the moment I searched.

I'm sorry I can't give better details, but I remember clearly the sense of
"Now that's pretty fishy..."

------
mariushn
What about email hosting? Gandi includes 5 email accounts with every
registration, while most other registrars charge for each account. Email is a
basic need.

~~~
Ayesh
It is a basic need, but they are pretty distinct features. Registrars today
sprinkle features such as email hosting, authoritative DNS hosting, email
forwarding, SSL certificates (lol, I know), web site builders, etc for more
profit.

I really hope CloudFlare registrar will be a proper stripped down registrar.
They offer you domains for the wholesale price, and it's too much to ask for
email hosting.

~~~
mariushn
Ok, makes sense. I learned about
[https://opensrs.com/services/hosted-email/](https://opensrs.com/services/hosted-email/)
from another thread.

------
znpy
Meh.

I am mainly using Italian company Tophost to register my domains, and domains
usually cost 5.99€ + VAT. And they're still making profit from that. So I
kinda call bs on this "no added fees".

OTOH, I have to say that Tophost is not the prettiest or the coolest, but so
far I had no real issue and the price is low.

However, it's nice to see another player joining the game.

Regarding the $0.99 domain... Didn't it sound alarming that you pay so little
for a domain?

~~~
icebraining
From Tophost: "solo 1 euro in più per .com". So it's 6.99€ ~= $8.10; seven
cents more than Cloudflare.

In any case, the Verisign fee is not hard to confirm; it would be weird for
them to lie about it:
[https://investor.verisign.com/news-releases/news-release-det...](https://investor.verisign.com/news-releases/news-release-details/verisign-announces-increase-comnet-domain-name-fees-0)

~~~
znpy
Indeed, only seven cents more: do you really think Tophost and similar
(including Cloudflare) are living off those seven cents per domain?

~~~
icebraining
I think they are living off upsells. I mean, CL already has _free_ plans. Why
would an at-cost plan be unbelievable?

------
ngrilly
Do you support .io, .eu and .fr?

------
floatboth
> “I love my domain registrar.” Has anyone ever said this?

Yes, pretty much every Hover customer?

(Most people don't even care about this, but) they were late with DNSSEC
support though, and I transferred to Google Domains because of that, using a
VPN because it wasn't officially available in my country. After a couple
years, Google Domains told me to GTFO, went back to Hover and now they did
have DNSSEC support :)

------
ryanworl
Are you planning on exposing a registration and domain search API that can be
used to purchase domains and set them up with zones automatically?

~~~
LakeAustin
Yes, we are planning on releasing those features.

------
Molomby
This sounds great but I'm surprised more people aren't recommending AWS as a
modern “upsell free” alternative? Their prices are good, can be secured with
TFA, solid APIs, etc. That specific part of the management console isn’t
amazing but it’s powerful and if you’re using it a lot you should probably
automate, right?

------
SnowingXIV
I have a number of domains with Namecheap and these comments are worrying me.
Thinking about moving over but is there an easy way to port all records? Some
of the domains have multiple txt and mx records associated with them and a bunch
of other values that would be a pain to manually rezone.

------
r1ch
Looks like there's a bug with the wait list, once you sign up don't visit the
page again or it registers you again in a later wave!

On further investigation it seems to be throwing 502 errors and then saying
Wave 8, so maybe it's just a UI bug.

~~~
zackbloom
We'll track it down, thanks r1ch!

------
jwr
I don't care much about the price, but if Cloudflare can operate a domain
registrar that doesn't suck, it will be enough for me to move. All domain
registrars I tried universally sucked, some less than others, but still.

------
auslander
AWS is a Registrar. You create an account to use only this and nothing else.

------
saagarjha
Hmm, this might serve as a great alternative to Google Domains.

------
dannyw
How does CloudFlare cover payment processing fees?

~~~
WordSkill
As a big company, they pay their processor(s) far less than you or I pay
Stripe or Adyen.

For the marketing dynamite of being the only $8.03 "at-cost" registrar, they
are going to take a payment processing hit of around ten to fifteen cents per
domain. They could shift that cost to the price, but then they would lose
those invaluable bragging rights.

The point is not that customers save a few cents, but the absolute
transparency of paying exactly the registry cost + the ICANN tax. The simple
math of $7.85 + 18 cents implicitly suggests that you are dealing with an
utterly fair company: not a penny more, not a penny less. $8.03 will gain the
attention of the big companies they want to attract in a way that $8.13, $8.18
or $8.20 never could. In this context, $8.03 is actually a far more powerful
price than $8.

There are plenty of other costs associated with running a registrar, not just
payment processing fees, but the whole thing is intended as a loss-leader to
attract new users and coax their existing, non-paying users into a paying
relationship. From there, with a credit card on file, it becomes far easier to
sell them higher-margin services.

It will also deepen their relationship with their existing paying users,
making it a lot harder for competitors (present or future) to lure them away.

When you consider the cost of customer acquisition through normal marketing
channels, positioning themselves as the only "at-cost" registrar is a stroke
of genius. Reminiscent of Apple disrupting the phone business, Cloudflare have
chosen to disrupt a particularly messy, flaky industry that no customer loves.
If they manage to pull this off at the $8.03 price, it will catapult
Cloudflare to a whole new level.

~~~
dannyw
This is actually incredible from a standpoint that most people and businesses
have a very limited number of domains, making margins of say $2 a year on 5
domains moot.

~~~
WordSkill
Yeah, it is not about the $10 that the 5-domain company might save, it is
about trust, about Cloudflare positioning itself as a fair dealer that is not
out to nickel and dime you.

Of course, once that relationship has been established, Cloudflare is in prime
position to eventually make hundreds or thousands of dollars per year from
that company.

------
Operyl
What are the supported TLDs going to be? I.e. codes, app, ca? WHOIS
protection?

~~~
LakeAustin
We'll support 224 TLDs at launch! Full list here:
[https://www.cloudflare.com/tld-policies/](https://www.cloudflare.com/tld-policies/)
And you'll be able to redact your personal information from Whois
with us, too.

~~~
Ayesh
This is a pretty extensive TLD List, especially considering CloudFlare has to
directly deal with the registries rather than being a reseller of some commercial
registrar (like enom).

~~~
profmonocle
Most of them are from Donuts, who have a huge number of TLDs. In fact, looks
like the only non-Donuts domains are com, net, org, and info, so only four
registries.

It's not surprising, dealing with all the various registries (especially for
ccTLDs) is probably one of the harder things to scale when spinning up a new
registrar. Even Amazon Route53 uses resellers for some TLDs.

------
andreygrehov
Security wise, are you on par with MarkMonitor?

~~~
zackbloom
Our Custom Domain Protection is even more secure than MarkMonitor, but the
overhead of doing that also makes it almost as expensive. Our at-cost standard
domain service includes as much security as we can build into it without a
large human component being required (2fa, etc.).

~~~
r1ch
I've been trying to find a registrar with more-than-normal security without
much luck. I want a registrar that will stand up to a sophisticated social
engineering attack using leaked documents and personal information etc. The
big names like MarkMonitor start at like $50k, mid-range ones like CSC leave
me with an uneasy feeling given they do so many things with a clunky web UI
and over email. I don't really even know any other options in this space.

One option that could scale well with the standard service is allowing
customers to upload photo ID / business registration etc and locking down the
account so that customer support can never touch anything. Should the customer
lose their password / 2FA etc, then they would need to physically go to an
office location for ID verification (and a $xxx inconvenience fee). I've had
some limited success implementing this system with conventional registrars but
I would be more comfortable if it were an actual product offering.

------
dsnuh
Will there be an API for the registrar service?

~~~
sahaskatta
I've used OPEN SRS with a good experience in the past.
[https://opensrs.com/integration/api/](https://opensrs.com/integration/api/)

