Verisign loses prestige .gov contract to Cloudflare

Kevin Murphy, January 16, 2023, Domain Registries

Cloudflare is to take over registry services for the US government’s .gov domain, ending Verisign’s 12-year run.

It seems .gov manager CISA, the Cybersecurity and Infrastructure Security Agency, opened the contract up for bidding last August and awarded it to Cloudflare in mid-December.

The deal is worth $7.2 million, Cloudflare said in a press release on Friday, which is more than twice as much as Verisign charged when it took over the .gov back-end in 2011.

But it seems the deal includes Cloudflare providing authoritative DNS for .gov domains, something Verisign does not currently provide the TLD, in addition to managing the zone file, registry, Whois, etc.

It’s not clear who’s running the exclusive .gov registrar, but CISA appears to be building a new one.

.gov domains are only available to US federal, state, tribal and local government organizations, and there was a $400-a-year fee until April 2021, when CISA made them free to register.

There are about 8,600 .gov domains today. Not a lot, but the deal comes with bragging rights.

CISA took over .gov from the General Services Administration in March 2021 and dropped the fees a month later.

It’s not clear whether Verisign had bid for a renewed contract or simply walked away, as it did when it conceded .tv to GoDaddy last year. I’ve asked the company for comment.

The loss of .gov is obviously a drop in the ocean compared to .com, which continues to make Verisign one of the world’s most profitable companies.

While it’s an ICANN-accredited registrar, I believe this is Cloudflare’s first foray into registry services. Might we see the company as an emergent threat to the established players in the next new gTLD round? It’s certainly looking that way.

.gov TLD quietly changes hands

Kevin Murphy, April 26, 2021, Domain Registries

The .gov TLD used exclusively by governmental entities in the US has quietly changed managers.

On Friday, the IANA records for .gov changed from the General Services Administration to the Cybersecurity and Infrastructure Security Agency.

It was not unexpected. CISA announced the move in March.

But it’s less clear how the change request was handled. The ICANN board of directors certainly didn’t have a formal vote on the matter. IANA has not released a redelegation report as it would with a ccTLD.

CISA intends to make .gov domains more widely available to agencies at the federal, state, city and tribal level, and reduce the price to free or almost free.

Verisign currently manages the technical aspects of the domain, for $400 per domain per year.

As .gov changes hands, would Verisign run it for free?

Kevin Murphy, March 15, 2021, Domain Registries

The .gov top-level domain is moving for the first time since 1997, and the new owner is promising some pricing changes from next year.

The US General Services Administration has been running .gov, one of the original gTLDs, for almost a quarter-century, but next month it will be taken over by the Cybersecurity and Infrastructure Security Agency.

No changes have been made at IANA yet, but CISA is talking of the handover as if it is a done deal.

It will be the first time ICANN has been asked to redelegate what is essentially an uncontracted gTLD with some of the characteristics of a ccTLD. To be honest, I’ve no idea what rules even apply here.

The move was mandated by the DOTGOV Act of 2019, which was incorporated in a recently passed US spending bill.

Legislators wanted to improve .gov’s usefulness by increasing its public profile and security.

The bill was quite adamant that .gov domains should be priced at “no cost or a negligible cost”, but there’s a catch — Verisign runs the technical infrastructure for the domain, and currently charges $400 per domain per year.

According to CISA, “The way .gov domains are priced is tied closely with the service contract to operate the TLD, and change in the price of a domain is not expected until next year.”

So we’re looking at either a contract renegotiation or a rebid.

Frankly, given the really rather generous money-printing machine the US government has granted Verisign with its perpetual right to run .com and increase its profit margins in most years, it seems to me the company should be running it for free.

The .gov zone currently has domains measured in the low thousands.

The DNS’s former overseer now has its own domain name

Kevin Murphy, March 19, 2019, Domain Policy

The National Telecommunications and Information Administration, which for many years was the instrument of the US government’s oversight of the DNS root zone, has got its first proper domain name.
It’s been operating at ntia.doc.gov forever, but today announced that it’s upgrading to the second-level ntia.gov.
The agency said the switch “will make NTIA’s site consistent with most other Department of Commerce websites”.
Staff there will also get new ntia.gov email addresses, starting from today. Their old addresses will continue to forward.
NTIA was part of the DNS root management triumvirate, along with ICANN/IANA and Verisign, until the IANA transition in 2016.
The agency still has a contractual relationship with Verisign concerning the operation of .com.

Could Verisign lose $3.3m .gov deal?

Kevin Murphy, March 17, 2015, Domain Registries

The US government has put its feelers out for information about a possible successor to Verisign as manager of the .gov TLD.
A formal Request For Information — potentially a precursor to a Request For Proposals — was issued by the General Services Administration on March 9.
The GSA, which is the sponsor of the .gov gTLD, seems to be looking for information about all aspects of running a registry back-end and the secure dotgov.gov registrar front-end.
Those functions have been carried out by Verisign since it took them over from the GSA itself in December 2010.
Its five-year contract expires in September this year.
Because it’s restricted to US government entities, .gov is not a large gTLD — the RFI says it has about 5,000 domains and grows at about 5% a year — but it does carry a certain prestige.
It also carries a not inconsiderable fee. According to the September 2010 award page, the deal is worth $3,325,000 to Verisign.
It’s quite possible that the RFI is just a case of the US government going through the necessary motions prescribed by its procurement policies; Verisign may well be a shoo-in.
But the company’s record with .gov isn’t as great as its record with .com and .net.
In August 2013, Verisign screwed up a DNSSEC key rollover in the .gov zone, causing resolution failures on the small number of networks that rigorously enforce DNSSEC.
The deadline for RFI responses is March 23.

Verisign confirms .gov downtime, blames algorithm

Kevin Murphy, August 15, 2013, Domain Tech

Verisign this morning confirmed yesterday’s reports that the .gov top-level domain went down for some internet users due to a DNSSEC problem, which it said was related to an algorithm change.
In a posting to various mailing lists, Verisign principal engineer Duane Wessels said:

On the morning of August 14, a relatively small number of networks may have experienced an operational disruption related to the signing of the .gov zone. In preparation for a previously announced algorithm rollover, a software defect resulted in publishing the .gov zone signed only with DNSSEC algorithm 8 keys rather than with both algorithm 7 and 8. As a result .gov name resolution may have failed for validating recursive name servers. Upon discovery of the issue, Verisign took prompt action to restore the valid zone.
Verisign plans to proceed with the previously announced .gov algorithm rollover at the end of the month with the zone being signed with both algorithms for a period of approximately 10 days.

This clarifies that the problem was slightly different to what had been assumed yesterday.
It was related to a change of the cryptographic algorithm used to create .gov’s DNSSEC keys, a relatively rare event, rather than a scheduled key rollover, which is a rather more frequent occurrence.
The problem would only have made .gov domains (and consequently web sites, email, etc) inaccessible for users of networks where DNSSEC validation is strictly enforced, which is a small group.
The US ISP with the strongest support for DNSSEC is Comcast. Since turning on its validators it has reported dozens of instances of DNSSEC failing — mostly in second-level .gov domains, where DNSSEC is mandated by US policy.
On two other occasions Comcast has blogged about the whole .gov TLD failing DNSSEC validation due to problems keeping keys up to date.
The general problem is widespread enough, and the impact severe enough, that Comcast has had to create an entirely new technology to prevent borked key rollovers making web sites go dark for its customers.
Called Negative Trust Anchors, it’s basically a Band-Aid that allows the ISP to deliberately ignore DNSSEC on a given domain while it waits for that domain’s owner to sort out its key problem.
The technology was created following the widely reported nasa.gov outage last year.
It’s really little wonder that so few organizations are interested in deploying DNSSEC today.
Yesterday’s .gov problem may have been minor, lasting only an hour or two, but had the affected TLD been .com, and had DNSSEC deployment been more widespread, everyone on the planet would have noticed.
Under ICANN contract, DNSSEC is mandatory for new gTLDs at the top level, but not the second level.
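As an added illustration (not Verisign's code and not from the article), here is the consistency rule a validating resolver applies, written as a pre-publication check a zone operator could run before pushing a signed zone: every algorithm present in the DNSKEY RRset must sign every RRset, and the parent's DS must lead to a self-signed key. The ZoneSnapshot structure and the example.gov name are constructed for the example.

```python
# Added example: a lint for the DNSSEC rule (RFC 4035) that bit the .gov signer.
# A validator expects every algorithm listed in a zone's DNSKEY RRset to sign
# every RRset, and needs a signature by a key matching the parent's DS record
# to reach the DNSKEY RRset at all. Only algorithm numbers are modelled here.
from dataclasses import dataclass, field

ALG_NAMES = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # the two algorithms named in the article

@dataclass
class ZoneSnapshot:
    """Constructed view of a signed zone, reduced to the algorithm numbers in play."""
    ds_algs: set                 # algorithms of the DS records published in the parent (root)
    dnskey_algs: set             # algorithms of the keys in the zone's DNSKEY RRset
    dnskey_rrsig_algs: set       # algorithms of the RRSIGs covering the DNSKEY RRset
    rrset_rrsig_algs: dict = field(default_factory=dict)  # "owner/type" -> RRSIG algorithms

def check_zone(z: ZoneSnapshot) -> list:
    """Return a list of validation problems; an empty list means the zone will validate."""
    problems = []
    # 1. Chain of trust: some DS algorithm must match a DNSKEY that also signs the DNSKEY RRset.
    if not (z.ds_algs & z.dnskey_algs & z.dnskey_rrsig_algs):
        problems.append("no DS algorithm has a matching, self-signed DNSKEY")
    # 2. Every algorithm advertised in DNSKEY must sign the DNSKEY RRset itself.
    for alg in sorted(z.dnskey_algs - z.dnskey_rrsig_algs):
        problems.append(f"DNSKEY RRset lacks RRSIG for algorithm {alg} ({ALG_NAMES.get(alg, '?')})")
    # 3. ... and every other RRset in the zone.
    for owner, algs in z.rrset_rrsig_algs.items():
        for alg in sorted(z.dnskey_algs - algs):
            problems.append(f"{owner} lacks RRSIG for algorithm {alg} ({ALG_NAMES.get(alg, '?')})")
    return problems

# Constructed scenario mirroring the article: keys for 7 and 8 published, signatures only with 8.
BROKEN = ZoneSnapshot(ds_algs={7}, dnskey_algs={7, 8}, dnskey_rrsig_algs={8},
                      rrset_rrsig_algs={"example.gov./DS": {8}})
# Correct pre-rollover state: both algorithms sign everything during the overlap period.
DUAL_SIGNED = ZoneSnapshot(ds_algs={7}, dnskey_algs={7, 8}, dnskey_rrsig_algs={7, 8},
                           rrset_rrsig_algs={"example.gov./DS": {7, 8}})

if __name__ == "__main__":
    for label, snap in (("broken", BROKEN), ("dual-signed", DUAL_SIGNED)):
        print(label, check_zone(snap) or "OK")
```

Running this on the broken snapshot reports that nothing signed with algorithm 7 remains, which is exactly why validators holding the algorithm 7 DS could not build a chain to the zone.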

Reports: .gov fails due to DNSSEC error

Kevin Murphy, August 14, 2013, Domain Tech

The .gov top-level domain suffered a DNSSEC problem today and was unavailable to some internet users, according to reports.
According to mailing lists and the SANS Internet Storm Center, it appeared that .gov rolled one of its DNSSEC keys without telling the root zone about the update.
This meant that anyone whose DNS servers do strict DNSSEC validation — a relatively small number of networks — would have been unable to access .gov web sites, email and other resources.
As a matter of policy, all second-level .gov domains have to be DNSSEC-signed.
The problem was corrected quite quickly — looks like within an hour or two — but as SANS noted, caching issues may prolong the impact.
Both .gov and the root zone are managed by Verisign, which isn’t on the best of terms with the US government at the moment.

VeriSign takes over .gov

Kevin Murphy, December 22, 2010, Domain Tech

VeriSign has taken over registry functions at .gov, the top-level domain for the US government.
IANA records show that VeriSign Global Registry Services was named technical contact for .gov possibly as recently as this Monday.
The TLD is still administratively delegated to the US General Services Administration. Google’s cache of the IANA site shows the GSA was the technical contact for .gov as recently as October 29.
VeriSign certainly kept this contract win quiet.
At least, the first I heard about it was tonight, in an email VeriSign sent to the dns-ops mailing list, asking DNS administrators to reconfigure their DNSSEC set-up to reflect the change.

A KSK [Key Signing Key] roll for the .gov zone will occur at the end of January, 2011. This key change is necessitated by a registry operator transition: VeriSign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for .gov.

The email expresses the urgency of making the changes, which are apparently needed in part because .gov was signed with DNSSEC before the root zone was signed, and some resolvers may be configured to use .gov as a “trust anchor” instead of the root.
The .gov TLD is reserved for the exclusive use of US federal and state government departments and agencies.
It’s certainly a prestige contract for VeriSign.
This appears to be the GSA page awarding the contract to VeriSign, in September, following an RFP. It’s valued at $3,325,000.