In 2023 operations for the .GOV TLD transitioned from Verisign to Cloudflare (dns-oarc.net)
129 points by surteen 7 months ago | hide | past | favorite | 66 comments



There's a very interesting document by Cloudflare linked to it that describes why this was not your typical "change nameserver and done" transition:

https://indico.dns-oarc.net/event/48/contributions/1038/atta...


yet another example of DNSSEC "adding value"


By making it hard just to hijack a crucial TLD and transfer it over to a potential adversary without the cooperation of multiple trusted parties? It seems to me this is DNSSEC working as designed, and being remarkably flexible in doing so. Sometimes things _should_ be difficult to do.


Yeah I hate that people can't acknowledge that friction is sometimes intentional.

Not everything -should- be easy.

For example I designed a system at a previous company that used Shamir's Secret Sharing to protect a very very important root key. We used an intermediate of this key for most operations but it came time to rotate it and folks were surprised by the ceremony involved in doing so.

i.e. the root key was decrypted using X of N members of the SSS group, a new intermediate generated, and the special NUC that was designed for this purpose returned to its safe (which was also using a Yubikey as a kind of mini-HSM too).

Those keys protected very important PII and I deemed this the minimum necessary friction; ideally I would have gone further if that was tenable.

Some things really should be hard, and that hardness should be proportional to how horrible the implications of someone unauthorized doing that thing are.
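The arithmetic behind the X-of-N ceremony described in the comment above, as an added example (not the commenter's system, and not code from the Cloudflare document linked in the thread): Shamir's Secret Sharing over a prime field, with split and reconstruction by Lagrange interpolation. The field prime, the 3-of-5 parameters and the sample key are assumptions of this example, and it covers only the math, not the hardware side (the NUC, the safe, the Yubikey). It also shows, via forge_share, why fewer than X custodians learn nothing: any X-1 shares are consistent with every possible secret, so an attacker with X-1 shares can "complete" them to whatever value they like.

```python
import secrets

# Field prime: 2^521 - 1 is a Mersenne prime, so any secret of up to 65 bytes fits
# (a 32-byte root key easily does). The prime is a choice made for this example.
PRIME = (1 << 521) - 1


def _interpolate(points, x):
    """Lagrange interpolation: evaluate, at x, the unique polynomial of degree
    < len(points) passing through `points`, with all arithmetic modulo PRIME."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i == j:
                continue
            num = num * (x - xj) % PRIME
            den = den * (xi - xj) % PRIME
        # den is invertible because the x coordinates are distinct and PRIME is prime
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_secret(secret, threshold, shares):
    """Split an integer secret into `shares` points on a random polynomial of
    degree threshold-1 whose constant term is the secret (X-of-N with X=threshold)."""
    if not 0 < threshold <= shares:
        raise ValueError("need 0 < threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def at(x):  # Horner evaluation; x = 0 is never handed out, it IS the secret
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, at(x)) for x in range(1, shares + 1)]


def recover_secret(shares, threshold):
    """Reconstruct the secret from at least `threshold` distinct shares."""
    if len(shares) < threshold:
        raise ValueError("quorum not met: %d of %d shares" % (len(shares), threshold))
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    return _interpolate(list(shares), 0)


def forge_share(partial_shares, fake_secret, new_x):
    """Given fewer than `threshold` shares, produce one more share such that the
    combined set reconstructs `fake_secret`. That this is always possible is the
    reason X-1 shares leak nothing about the real secret."""
    return (new_x, _interpolate([(0, fake_secret)] + list(partial_shares), new_x))


def split_key(key, threshold, shares):
    return split_secret(int.from_bytes(key, "big"), threshold, shares)


def recover_key(shares, threshold, key_len):
    return recover_secret(shares, threshold).to_bytes(key_len, "big")


if __name__ == "__main__":
    root_key = secrets.token_bytes(32)       # constructed stand-in for the root key
    custodians = split_key(root_key, 3, 5)   # 3-of-5 ceremony
    print("any 3 shares recover the key:", recover_key(custodians[1:4], 3, 32) == root_key)
    forged = forge_share(custodians[:2], 0xDEAD, 99)
    print("2 real + 1 forged share gives the forged secret:",
          recover_secret(custodians[:2] + [forged], 3) == 0xDEAD)
```

In a real ceremony the share values would sit on the custodians' hardware tokens and the reconstruction would run on the air-gapped machine; the quorum check in recover_secret is the part that enforces "X of N", and it is deliberately the only path back to the key.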


> Not everything -should- be easy.

the entirety of .nz probably wouldn't agree with you when they had a 2 day outage due to a slight DNSSEC misconfiguration


???

at best that means there's more need for practice, testing, better processes, and so on. it does not mean everything should be easy. (especially changes to a critical name authority.)

there's an argument that maybe .nz needs to spend more on this, delegate this, or accept a decreased security assurance, but that's definitely not true in general.


if you read the post-mortem they did everything by the book

they made a small mistake, and .nz was down for 2 days as a result

of course the 95% of people that have competent ISPs that don't verify DNSSEC records were completely unaffected

there's a reason ALL major tech companies refuse to deploy it for their zones
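The chain-of-trust step that decides whether a validating resolver answers or SERVFAILs, as an added example that is not from this thread, from InternetNZ or from any registry's code: computing the DS record for a DNSKEY the way RFC 4034 specifies (canonical wire form of the owner name concatenated with the DNSKEY RDATA, SHA-256 for digest type 2, key tag per Appendix B) and checking it against the parent's DS set. The zone name example.nz, the key bytes and the answer address are constructed; the "KSK replaced before the parent DS was updated" scenario is a generic way a chain breaks, not a claim about what happened to .nz. It models only the DS/DNSKEY link, not RRSIG verification. The last function shows the difference the comment above is pointing at: a validating resolver with no matching DS returns SERVFAIL, while a non-validating one returns the data regardless.

```python
import hashlib

# DNSKEY flag bits (RFC 4034 section 2.1)
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001          # "key signing key" hint; validators must not rely on it
DNSKEY_PROTOCOL = 3
DS_DIGEST_SHA256 = 2       # RFC 4509
ALG_ECDSAP256SHA256 = 13   # RFC 6605


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    return flags.to_bytes(2, "big") + bytes([DNSKEY_PROTOCOL, algorithm]) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, algorithm, public_key):
    """DS RDATA (key tag, algorithm, digest type, digest hex) for a DNSKEY:
    digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, DS_DIGEST_SHA256, digest)


def validate_chain(parent_ds_set, child_dnskeys, owner):
    """True iff at least one zone key in the child's apex DNSKEY RRset is
    referenced by a DS the parent publishes. The SEP flag is ignored on
    purpose: RFC 4035 lets any zone key match a DS."""
    for flags, algorithm, public_key in child_dnskeys:
        if not flags & FLAG_ZONE:
            continue
        if ds_from_dnskey(owner, flags, algorithm, public_key) in parent_ds_set:
            return True
    return False


def resolve(parent_ds_set, child_dnskeys, owner, answer, validating):
    """Toy resolver outcome. A validating resolver that cannot anchor the
    child's keys to the parent's DS returns SERVFAIL (RFC 4035 section 5.5);
    a non-validating resolver hands back whatever the authority said."""
    if validating and not validate_chain(parent_ds_set, child_dnskeys, owner):
        return "SERVFAIL"
    return answer


if __name__ == "__main__":
    # Constructed 64-byte stand-ins for P-256 public keys; not real keys.
    ksk, zsk, new_ksk = bytes(range(64)), bytes(range(64, 128)), bytes(range(128, 192))
    alg = ALG_ECDSAP256SHA256
    parent_ds = {ds_from_dnskey("example.nz", FLAG_ZONE | FLAG_SEP, alg, ksk)}
    before = [(FLAG_ZONE | FLAG_SEP, alg, ksk), (FLAG_ZONE, alg, zsk)]
    # KSK replaced in the child zone before the parent's DS was updated: chain breaks
    after = [(FLAG_ZONE | FLAG_SEP, alg, new_ksk), (FLAG_ZONE, alg, zsk)]
    for label, keys in (("before roll", before), ("after roll, stale DS", after)):
        print(label,
              "validating:", resolve(parent_ds, keys, "example.nz", "192.0.2.1", True),
              "non-validating:", resolve(parent_ds, keys, "example.nz", "192.0.2.1", False))
```

The practical check this encodes is the one to run before touching a signed zone's keys: compute the DS for every key you intend to keep signing with and confirm the parent still publishes each one, because the resolvers that validate will fail closed on the first query after the mismatch, and the ones that do not validate will never tell you anything is wrong.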


> they made a small mistake

> and .nz was down for 2 days as a result

so it was not a small mistake

yes, the same thing happens when people start using technology that actually verifies what it reads/writes, i.e. btrfs, ZFS, ECC, etc., and it turns out disks fail, bits rot, etc. It was just unnoticed.


Most, not all. Salesforce is a notable counterexample.


In how many instances over the last 10 years has a country code TLD for a country of New Zealand's size or greater been stolen? It doesn't make sense to talk about benefits without costs, and vice versa. Error-prone and dangerous security demands urgent problems. Is TLD hijack one of them? It is not.


I didn't even know .gov changed operators until this news, but it looks like there was earlier news that said it would happen:

https://news.ycombinator.com/item?id=34403055 - Verisign Loses Prestige .Gov Contract to Cloudflare (2023-01-16)



Is Cloudflare becoming increasingly powerful?


Verisign already controls huge portions of the internet (as a registry and certificate authority) and Cloudflare controls much of the rest. Giving up .gov does very little to move the needle.


Verisign sold its CA back in 2010.


this holds true for a quantitative comparison, though I suspect that domain to be unusually influential


Not more than AWS, GCP, or Azure.


Not that I stay up at night worrying about Cloudflare, but Cloudflare is literally the Man In The Middle between the user and the instances running at AWS, GCP, or Azure.


Unlike AWS, GCP or Azure themselves? You think the people who own the computers you use can't see what's happening on them?


Isn't that the whole value proposition of Cloudflare?

Nearly all traffic (in terms of volume) gets swallowed by CloudFlare and never approaches most instances: DDoS attacks swallowed whole, WAF rules block illegitimate traffic (which is, in most cases, the vast majority of traffic to dynamic endpoints or, frequently, non-existent endpoints, if you've ever tailed webserver logs), and Cloudflare-caching handles most of the remainder for static and cacheable files -- leaving those servers with a mostly-sanitized and far lower volume of traffic. If you're using edge workers, even less traffic hits your servers.

But, yes, out of the remaining traffic that enters AWS/GCP/Azure's network, they certainly can see what's happening on those machines if they care to look.


Yeah, that is one of the main value props of Cloudflare. They just slap you with scale. Entire classes of problems like DDOS just become non issues when you front with them. Most people when talking about Cloudflare have few complaints about the actual services they offer. It’s way more often about how they are so good and widespread that you don’t have many other choices and how dangerous that is in the long term.


feels like they subjugated half the web, yea


Verisign is evil, good for cloudflare.


It is shocking how few people understand how DNS works


Ok, but please don't post empty putdowns.

https://news.ycombinator.com/newsguidelines.html


Given this isn’t only DNS, agreed.

This changes:

- Registry,

- Name Server and

- DNSSEC

More details here:

https://indico.dns-oarc.net/event/48/contributions/1038/atta...


Those are all part of the DNS.


It never fails to amuse. Our world is full of really complex tech which people are eager to learn, yet those same people will seem to be allergic to DNS despite it being very simple (at least the main parts of it).


Look at the amount of coders who can struggle with simple system settings.

Some people only learn what they want to or need to learn, the bare minimum.


I wasn't sure what you were referring to until reading the other top-level comments. Wow. And that's on a site with a technical audience!


In people's defense, DNS is complicated. Try building a product that uses it and you'll realize there are a ton of edge cases to handle


They don't need to know the edge cases to understand the basics of how DNS works. It is a foundational element of how the internet works and any software dev should have at least some fundamental knowledge of it (unless they don't do anything that ever touches networking, which I imagine is rather rare).


While there is certainly complex and weird stuff in the DNS world, the basics of how the DNS works are really not that complicated.


Yeah, but it's not like those comments are making a mistake about how the tech works because they're looking to learn something today. Posting an axe-grinding comment that shows a clear misunderstanding of the technology on a technical forum is an unforced and pretty indefensible error.


Paul Vixie quote and link to explanations: "DNS is a distributed, coherent, reliable, autonomous, hierarchical database, the first and only one of its kind."

https://queue.acm.org/detail.cfm?id=1242499


As someone that was dealing with my domain being squatted on, I can say I know more about DNS today than I did yesterday.


This being the top comment means there are enough people here smug because they know how DNS works. People who need to know generally know. Nobody can know everything and most people don't need to know how it works.


It is shocking how few people understand how business works. If you think Cloudflare wants to be in the registrar business, not push their Anti DDoS stuff on a captive audience, I have a bridge to sell you.


> registrar business

They're the registry, not the registrar. CISA is the registrar for .gov domains, Cloudflare just handles the backend. (DNS and whois infrastructure)

Government employees likely never see anything about Cloudflare at all when they manage the DNS settings for domains, just like I never see anything about Charleston Road Registry (Google subsidiary) when I manage a .dev domain on Name.com.

> push their Anti DDoS stuff on a captive audience

How is this a captive audience? Are you implying Cloudflare won't allow .gov domains to use non-cloudflare nameservers?


> push their Anti DDoS stuff on a captive audience

This is a very provocative way to spin “selling the CDN services customers are buying”. What reason do we have to think anyone is an unwilling party to that transaction?


How dare they sell their reliable and popular products at rates untouched by akamai and fastly.


[flagged]


They've just taken over authoritative DNS. The captchas come from their CDN product.


You can't use https://esta.cbp.dhs.gov/esta/ from my country without an infinity of hcaptchas by CF turnstile.


A particular .gov domain using Cloudflare (although from my DNS lookups, that one is not) is unrelated to Cloudflare managing the authoritative DNS servers for the .gov TLD. The fact that only a specific .gov domain - not all of them - has this issue demonstrates that.


Are you sure about that?

esta.cbp.dhs.gov seems to be served by Akamai, at least for me.

Also, Turnstile and hCaptcha are the same product (captcha) by 2 different companies.


Here’s what it looks like from India:

https://www.webpagetest.org/result/240210_BiDcTM_7TZ/

That’s definitely an Akamai IP. I’d be quite surprised if they were leading address space to a direct competitor.


DNS and Turnstile are separate products.


mostly bought together


In no way is that true


Turnstile is one of a handful of Cloudflare products that actually has zero ties to a "zone" - it isn't associated with the DNS or CDN products whatsoever. From what I know, it seems to be completely free for all uses, so it isn't really "bought" in the first place anyway.


Huh?


[flagged]


> since Cloudflare is a CIA operation

Source for this extraordinary claim?


They were probably exaggerating but it’s well known that American agencies can and will extort whatever they need from any American company and the organisation wouldn’t even be legally allowed to disclose that it even happened through secrecy and gag orders.


“Well known” in conspiracy circles. You’re referring to national security letters and, no, those cannot compel “whatever they need”: it’s limited to release of transactional data, not payload:

https://en.wikipedia.org/wiki/National_security_letter

Part of why the news about MUSCULAR was so shocking was that the Bush-era NSA was attacking the fiber connections between American tech companies' data centers, because they did NOT have a legal way to get that level of information.


If that was shocking, put your rubber gloves on for this read:

https://en.m.wikipedia.org/wiki/2010s_global_surveillance_di...


Yeah, that page is one of the places you can read about the program I mentioned. I picked that one because it wasn’t news that the NSA spied on people outside of the United States, but a lot of Americans did not expect them to use the same tactics against American companies on US soil.


[flagged]


Sorry, but ‘there was a lot of info about it, trust me’ is not really credible.


I can only imagine conspiracy theories flying around about government partnership with Cloudflare.


There doesn’t need to be any conspiracy theories when governments will often use their leveraged positions to get something from companies and punish them severely if they don't comply.

If I remember correctly, there was a certain LEA which approached a US ISP for an informal surveillance request, they refused, and the LEA retaliated by cancelling their contract. I'm failing to find it, so I'd be happy if someone can provide a source.



Yes, that's the one. Thanks!


Verisign IS the conspiracy.


Does this mean every GOV page will now have the "pretend security check" interstitial that litter just about every page now? How do you even describe it, it's like they are vandalising the internet.


What are you on? Site owners choose to enable those rooms.


You're getting downvoted, but I guess none of the downvoters tried to apply recently on https://esta.cbp.dhs.gov/esta/, I'm getting the infinite turnstile cloudflare hcaptchas. It's probably happening to most people trying to use that website from 3rd world countries.


He’s getting downvoted for confusing two unrelated services. What you’re both talking about is what happens when someone uses Cloudflare’s CDN, enables their managed CAPTCHA feature, and directs their web traffic through it. This is about DNS, which is a separate service at a lower level.

Agencies would have to contract with Cloudflare separately to use the CDN, and each contract is a separate competition where a different part of the government using Cloudflare for a different service would not be considered when reviewing bids.



