
The DNS’s former overseer now has its own domain name

Kevin Murphy, March 19, 2019, Domain Policy

The National Telecommunications and Information Administration, which for many years was the instrument of the US government’s oversight of the DNS root zone, has got its first proper domain name.

It’s been operating at ntia.doc.gov forever, but today announced that it’s upgrading to the second-level ntia.gov.

The agency said the switch “will make NTIA’s site consistent with most other Department of Commerce websites”.

Staff there will also get new ntia.gov email addresses, starting from today. Their old addresses will continue to forward.

NTIA was part of the DNS root management triumvirate, along with ICANN/IANA and Verisign, until the IANA transition in 2016.

The agency still has a contractual relationship with Verisign concerning the operation of .com.

Could Verisign lose $3.3m .gov deal?

Kevin Murphy, March 17, 2015, Domain Registries

The US government has put its feelers out for information about a possible successor to Verisign as manager of the .gov TLD.

A formal Request For Information — potentially a precursor to a Request For Proposals — was issued by the General Services Administration on March 9.

The GSA, which is the sponsor of the .gov TLD, seems to be looking for information about all aspects of running a registry back-end and the secure dotgov.gov registrar front-end.

Those functions have been carried out by Verisign since it took them over from the GSA itself in December 2010.

Its five-year contract expires in September this year.

Because it’s restricted to US government entities, .gov is not a large TLD — the RFI says it has about 5,000 domains and grows at about 5% a year — but it does carry a certain prestige.

It also carries a not inconsiderable fee. According to the September 2010 award page, the deal is worth $3,325,000 to Verisign.

It’s quite possible that the RFI is just a case of the US government going through the necessary motions prescribed by its procurement policies; Verisign may well be a shoo-in.

But the company’s record with .gov isn’t as great as its record with .com and .net.

In August 2013, Verisign botched a DNSSEC algorithm rollover in the .gov zone, publishing a zone signed only with the new algorithm’s keys and causing resolution failures on the small number of networks that rigorously enforce DNSSEC validation.

The deadline for RFI responses is March 23.

Verisign confirms .gov downtime, blames algorithm

Kevin Murphy, August 15, 2013, Domain Tech

Verisign this morning confirmed yesterday’s reports that the .gov top-level domain went down for some internet users due to a DNSSEC problem, which it said was related to an algorithm change.

In a posting to various mailing lists, Verisign principal engineer Duane Wessels said:

On the morning of August 14, a relatively small number of networks may have experienced an operational disruption related to the signing of the .gov zone. In preparation for a previously announced algorithm rollover, a software defect resulted in publishing the .gov zone signed only with DNSSEC algorithm 8 keys rather than with both algorithm 7 and 8. As a result .gov name resolution may have failed for validating recursive name servers. Upon discovery of the issue, Verisign took prompt action to restore the valid zone.

Verisign plans to proceed with the previously announced .gov algorithm rollover at the end of the month with the zone being signed with both algorithms for a period of approximately 10 days.

This clarifies that the problem was slightly different to what had been assumed yesterday.

It was related to a change of the cryptographic algorithm used to sign .gov (from DNSSEC algorithm 7, RSASHA1-NSEC3-SHA1, to algorithm 8, RSA/SHA-256), a relatively rare event, rather than a scheduled key rollover, which is a rather more frequent occurrence. A validating resolver follows the DS records the root publishes for .gov down to the key that signed the .gov DNSKEY RRset; a zone published with only the new algorithm’s keys and signatures gave it nothing to validate against the old algorithm’s chain of trust, so the whole zone was treated as bogus.

The problem would only have made .gov domains (and consequently web sites, email, etc) inaccessible to users of networks where DNSSEC validation is strictly enforced, which at the time was a small population.

The US ISP with the strongest support for DNSSEC is Comcast. Since turning on its validators it has reported dozens of instances of DNSSEC failing — mostly in second-level .gov domains, where DNSSEC is mandated by US policy.

On two other occasions Comcast has blogged about the whole .gov TLD failing DNSSEC validation due to problems keeping keys up to date.

The general problem is widespread enough, and the impact severe enough, that Comcast has had to create an entirely new technology to prevent borked key rollovers making web sites go dark for its customers.

Called Negative Trust Anchors, it’s basically a Band-Aid that allows the ISP to deliberately ignore DNSSEC on a given domain while it waits for that domain’s owner to sort out its key problem.

The technology was created following the widely reported nasa.gov outage last year.

It’s really little wonder that so few organizations are interested in deploying DNSSEC today.

Yesterday’s .gov problem may have been minor, lasting only an hour or two, but had the affected TLD been .com, and had DNSSEC deployment been more widespread, everyone on the planet would have noticed.

Under ICANN contract, DNSSEC is mandatory for new gTLDs at the top level, but not the second level.

Reports: .gov fails due to DNSSEC error

Kevin Murphy, August 14, 2013, Domain Tech

The .gov top-level domain suffered a DNSSEC problem today and was unavailable to some internet users, according to reports.

According to mailing lists and the SANS Internet Storm Center, it appeared that .gov rolled one of its DNSSEC keys without telling the root zone about the update.

This meant that anyone whose DNS servers do strict DNSSEC validation — a relatively small number of networks — would have been unable to access .gov web sites, email and other resources.

As a matter of policy, all second-level .gov domains have to be DNSSEC-signed.

The problem was corrected quite quickly — looks like within an hour or two — but as SANS noted, caching may prolong the impact: resolvers that had already fetched the broken records would keep failing until those records’ TTLs expired.
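The checks a validating resolver applies at the .gov apex, as an added example written for this page (it is not Verisign’s, Comcast’s or SANS’s code). It parses constructed DS, DNSKEY and RRSIG records in presentation format and then tests what the two reports above describe: whether a DS in the parent still matches a key in the child’s DNSKEY RRset (the key-rolled-without-a-DS-update cause first suspected), whether that RRset carries a signature for every algorithm in play (RFC 4035 section 2.2, the check that a zone signed only with algorithm 8 keys fails while the root’s DS still names algorithm 7, as Verisign’s statement describes), and how a negative trust anchor of the kind Comcast built turns the result from bogus into insecure. Assumptions: the key and signature bytes are placeholders and no cryptographic verification is done (only key tag, algorithm and digest matching); the root’s DS for .gov on the day is assumed to have covered only the algorithm 7 KSK; and the names check_chain, scenarios and the constructed records are this example’s own.

```python
# Added example (not Verisign's, Comcast's or SANS's code): structural DNSSEC
# chain-of-trust checks.  Keys and signatures below are placeholders, never verified.
import base64
import hashlib

def name_to_wire(name):
    """Lower-cased wire form of an owner name: "gov." -> b"\\x03gov\\x00"."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_rr(line):
    """Parse one presentation-format DS, DNSKEY or RRSIG line into a dict."""
    f = line.split()
    owner, rtype = f[0].lower(), f[3]
    if rtype == "DNSKEY":  # flags protocol alg key
        rdata = (int(f[4]).to_bytes(2, "big") + bytes([int(f[5]), int(f[6])])
                 + base64.b64decode("".join(f[7:])))
        return {"owner": owner, "flags": int(f[4]), "alg": int(f[6]), "rdata": rdata, "tag": key_tag(rdata)}
    if rtype == "DS":  # keytag alg digesttype digest
        return {"owner": owner, "tag": int(f[4]), "alg": int(f[5]), "digest_type": int(f[6]),
                "digest": "".join(f[7:]).lower()}
    if rtype == "RRSIG":  # covered alg labels origttl expiry inception keytag signer sig
        return {"owner": owner, "covers": f[4], "alg": int(f[5]), "tag": int(f[10]), "signer": f[11].lower()}
    raise ValueError("unsupported record: " + line)

def ds_for(dnskey):
    """DS line (digest type 2, SHA-256) the parent zone should publish for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(dnskey["owner"]) + dnskey["rdata"]).hexdigest()
    return "%s 86400 IN DS %d %d 2 %s" % (dnskey["owner"], dnskey["tag"], dnskey["alg"], digest)

def check_chain(zone, ds_set, dnskeys, rrsigs, negative_trust_anchors=()):
    """Return (status, problems); status is 'secure', 'bogus' or 'insecure'."""
    problems = []
    keys = [k for k in dnskeys if k["owner"] == zone]
    ds_set = [d for d in ds_set if d["owner"] == zone]
    # 1. Some parent DS must match a child DNSKEY by tag, algorithm and digest;
    #    otherwise there is no path from the root's trust anchor into the zone.
    matched = False
    for d in ds_set:
        for k in keys:
            if (d["tag"], d["alg"], d["digest_type"]) == (k["tag"], k["alg"], 2):
                digest = hashlib.sha256(name_to_wire(zone) + k["rdata"]).hexdigest()
                matched = matched or digest == d["digest"]
    if not matched:
        problems.append("no DNSKEY matches any DS in the parent (key rolled without a DS update?)")
    # 2. RFC 4035 s.2.2: the DNSKEY RRset needs an RRSIG for every algorithm in the
    #    DS set and the DNSKEY set.  A zone signed only with algorithm 8 while the
    #    parent's DS still names algorithm 7 fails here.
    sig_algs = {s["alg"] for s in rrsigs
                if s["owner"] == zone and s["covers"] == "DNSKEY" and s["signer"] == zone}
    for alg in sorted({d["alg"] for d in ds_set} | {k["alg"] for k in keys}):
        if alg not in sig_algs:
            problems.append("algorithm %d is in use but no RRSIG over DNSKEY uses it" % alg)
    if not problems:
        return "secure", []
    # A negative trust anchor makes the resolver treat the zone as unsigned rather
    # than bogus: answers flow again (without the AD bit) until the operator fixes it.
    return ("insecure" if zone in negative_trust_anchors else "bogus"), problems

def dnskey_line(owner, flags, alg, seed):
    """Constructed DNSKEY line; the key bytes are a placeholder, not real key material."""
    return "%s 3600 IN DNSKEY %d 3 %d %s" % (owner, flags, alg, base64.b64encode(seed.encode()).decode())

def rrsig_line(owner, key):
    """Constructed RRSIG over the DNSKEY RRset made with `key` (placeholder signature)."""
    sig = base64.b64encode(b"constructed-signature").decode()
    return "%s 3600 IN RRSIG DNSKEY %d 1 3600 20130901000000 20130814000000 %d %s %s" % (
        owner, key["alg"], key["tag"], owner, sig)

def scenarios():
    """Constructed states of the gov. apex -> {name: (status, problems)}.
    Assumes the root's DS for gov. covered only the algorithm-7 KSK that day."""
    ksk7 = parse_rr(dnskey_line("gov.", 257, 7, "constructed-ksk-alg7"))
    ksk8 = parse_rr(dnskey_line("gov.", 257, 8, "constructed-ksk-alg8"))
    zsk8 = parse_rr(dnskey_line("gov.", 256, 8, "constructed-zsk-alg8"))
    ksk7_new = parse_rr(dnskey_line("gov.", 257, 7, "constructed-ksk-alg7-rolled"))
    root_ds = [parse_rr(ds_for(ksk7))]

    def sigs(*ks):
        return [parse_rr(rrsig_line("gov.", k)) for k in ks]

    return {
        # intended rollover state: both algorithms published and both signing
        "healthy": check_chain("gov.", root_ds, [ksk7, ksk8, zsk8], sigs(ksk7, ksk8)),
        # 14 August 2013 as Verisign described it: algorithm-8 keys and signatures only
        "aug14_alg8_only": check_chain("gov.", root_ds, [ksk8, zsk8], sigs(ksk8)),
        # the cause first suspected: KSK rolled but the parent's DS never updated
        "ksk_rolled_no_ds": check_chain("gov.", root_ds, [ksk7_new], sigs(ksk7_new)),
        # the same broken zone seen by a resolver holding a negative trust anchor for gov.
        "aug14_with_nta": check_chain("gov.", root_ds, [ksk8, zsk8], sigs(ksk8), {"gov."}),
    }
```

Calling scenarios() returns "secure" for the dual-signed zone, "bogus" for both failure modes (each with the reason that tripped), and "insecure" for the broken zone once a negative trust anchor for gov. is in place. Against a live zone the same inputs come from dig +dnssec DNSKEY and dig DS at the parent; the DS-match step is also what fails for a resolver that carries a static trust anchor for the .gov KSK itself when that key is rolled. Real resolvers expose the negative trust anchor as a configuration knob, for instance Unbound's domain-insecure and BIND's validate-except, and it should be removed once the zone validates again.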

Both .gov and the root zone are managed by Verisign, which isn’t on the best of terms with the US government at the moment.

VeriSign takes over .gov

Kevin Murphy, December 22, 2010, Domain Tech

VeriSign has taken over registry functions at .gov, the top-level domain for the US government.

IANA records show that VeriSign Global Registry Services was named technical contact for .gov possibly as recently as this Monday.

The TLD is still administratively delegated to the US General Services Administration. Google’s cache of the IANA site shows the GSA was the technical contact for .gov as recently as October 29.

VeriSign certainly kept this contract win quiet.

At least, the first I heard about it was tonight, in an email VeriSign sent to the dns-ops mailing list, asking DNS administrators to reconfigure their DNSSEC set-up to reflect the change.

A KSK [Key Signing Key] roll for the .gov zone will occur at the end of January, 2011. This key change is necessitated by a registry operator transition: VeriSign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for .gov.

The email stresses the urgency of making the changes, which are apparently needed in part because .gov was DNSSEC-signed before the root zone was signed in July 2010, so some resolvers may still be configured with the .gov KSK as a static “trust anchor” instead of trusting the root; once that KSK is rolled, such resolvers would fail to validate anything under .gov until their configured anchor is updated.

The .gov TLD is reserved for the exclusive use of US federal and state government departments and agencies.

It’s certainly a prestige contract for VeriSign.

This appears to be the GSA page awarding the contract to VeriSign, in September, following an RFP. It’s valued at $3,325,000.