
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Mon, 13 Apr 2026 18:40:01 GMT</lastBuildDate>
        <item>
            <title><![CDATA[If I Knew Then What I Know Now: Tales from the Early Internet]]></title>
            <link>https://blog.cloudflare.com/if-i-knew-then/</link>
            <pubDate>Thu, 14 Sep 2017 21:16:01 GMT</pubDate>
            <description><![CDATA[ Paul Mockapetris, Inventor, DNS, and David Conrad, CTO, ICANN

Moderator: Matthew Prince, Co-Founder & CEO, Cloudflare ]]></description>
            <content:encoded><![CDATA[ <p><a href="https://twitter.com/svnr2000">Paul Mockapetris</a>, Inventor, DNS, and David Conrad, CTO, <a href="https://twitter.com/ICANN">ICANN</a></p><p>Moderator: <a href="https://twitter.com/eastdakota">Matthew Prince</a>, Co-Founder &amp; CEO, Cloudflare</p><p>MP: You wrote all this stuff; why is the internet so broken?</p><p>PM: People complain about security flaws, but there is no security in the original design of DNS. I think of it that we haven’t had the right investment in rebuilding the infrastructure.</p><p>Original stuff was only good for 10 years, but we’ve been using it for 30.</p><p>DC: The fact that we were able to get packets from one machine to another in the early days was astonishing in itself.</p><p>MP: So what are you worried about in terms of Internet infrastructure that we aren’t even thinking about?</p><p>PM: I’m worried about the fact that a lot of places like the IETF are very incremental in their thinking, and that people aren’t willing to take the next big jump. E.g. hesitancy to adopt blockchain.</p><p>Being able to experiment and try new stuff is important.</p><p>The idea that you can't change anything because it will affect the security and stability of the internet. We need to weigh benefits and risks or we will eventually die of old age.</p><p>DC: Typically, security of the routing system. There are people out there who might route stuff inappropriately. I’m not confident about some solutions that have been proposed. The complexity of the system is starting to bite us pretty hard.</p><p>Also, more so, I worry about the ability of bad people to redirect cannons at any service or target. Way too easy to overwhelm anything in the infrastructure.</p><p>MP: So if a lot of this is about being stuck in the incremental world and not making inventions, is it getting worse or better? Is there any hope?</p><p>PM: Some of it is more basic technology. 
Stevie Wonder said that when you believe in things you don’t understand, then you suffer. We need to think about routing as a computational problem with bilateral or multilateral agreements. And people can control their destiny a little bit more.</p><p>It’s also a competitive marketplace.</p><p>Think about using tech so people can update the agreements that they have.</p><p>MP: But how do you move things forward, given incrementalism? What is the path to actually replace DNS with blockchain? Do we need to move away from bottom-up internet governance?</p><p>PM: I don’t know exactly how you do it. It's the case that organizations have gotten big enough that they can make their own custom equipment. The software has always defined the network. So how can you have interfaces to allow collaboration with as much control and reliability as you’d like?</p><p>I think the next frontier is to think about ways to do distributed synchronization contracts. Coordinating addresses and names by your own tools. We need more investment in the capabilities of the infrastructure.</p><p>DC: I agree; we have reached a stage of semi-equilibrium with standards, resulting in ossification of the underlying infrastructure. This also permits thinking outside the box. After a while, people will get tired of the proprietary stuff and start another round of standardization. It’s a cycle. E.g. DNS over HTTP.</p><p>There have been increasing calls for standardization corporations to formulate a standard way of doing these things.</p><p>The other problem is that you start getting vested interests who don’t want progress; they like the niche that they’ve developed for themselves. And they like revenue streams. The cycle of disruption and equilibrium will continue. 
The IETF is struggling to understand how it will remain relevant moving forward in a way that allows for disruptive technologies to come in and change the underlying game.</p><p>MP: Related to the internet governance debate, what do you say to Ted Cruz when he says the US gave up control of the internet? Does he have a point?</p><p>DC: NO. Fundamentally, the internet is a network of networks. You can get into questions at a point about what happens when an app reaches critical mass; does it have regulatory implications. By and large, the internet has no mechanisms of control.</p><p>MP: It seemed like the internet was working okay before, why did the US strike the provision that says we can go in and potentially veto what ICANN was doing? What was the rationale?</p><p>DC: Part of it was misunderstanding. The primary role of the US govt was to make sure ICANN didn’t do something stupid. And after 12 years of not having anything stupid happen, they realized that not doing anything to the root zone was causing a lot of political problems internationally. So they decided to let the contract expire.</p><p>MP: There was/is real risk that the internet gets governed by a much more political organization that would transform the way the internet is governed to a top-down organization. Unlike what Cruz says, the move by the last administration to say they wouldn't be able to control the internet anymore was a brilliant political move.</p><p>DC: The alternative to Cruz’s approach is a fragmented internet, with national networks connected with gateways. And that has implications with regards to the ability of internet organizations to reach markets they would like to reach.</p><p>MP: Can we avoid that? Can we have a non-fragmented internet? I’m less sure that this is the case today vs. 4 years ago.</p><p>PM: The internet has cracks in it today. The only real issue is how fragmented is it gonna get. 
When I visited China once, at the local hotel you had open internet, but only for westerners who happen to be visiting. It is going to fragment, political people will press their agenda.</p><p>I wish I could make a deal with the US government where I could say, okay you can have my data but you should be protecting me from other people. Negotiations are going to continue.</p><p>MP: Is there something technically that you wish you had done in the design that would have better resisted that fragmenting?</p><p>PM: When I was at ICANN, people were saying that the US govt should not be in control of all of this; and that was a great attitude, but the US govt can be persuasive. There will be different shades. You can’t expect people to think that the internet isn’t part of the regular world. It is. So regular rules will be applied to it.</p><p>MP: What’s changed? Do you feel less idealistic and optimistic, or have you always been pessimistic?</p><p>PM: My message is: should I look at Telegram or Signal? I can’t do anything about the US govt, but I want to protect my privacy from commercial organizations. To me it’s more that we have to think about being more aggressive about thinking about protecting our privacy ourselves. But we should be asking the govt to protect us and not just the storehouse holding all our conversations.</p><p>Until we make security user-friendly, we won’t use it as much, and then it won’t protect us.</p><p>DC: The technology for filtering, for blocking moves with other technologies. And it’s getting better over time. I'm not particularly optimistic but I think that ultimately the network derives value from the number of people who connect to it. Once you filter or block significant parts of the internet, it begins to lose value.</p><p>There is an effort to try to protect the data that is being transferred. 
There will be on-path taps and data taps, but ultimately the value that the internet brings will provide a way to ensure the infrastructure continues to operate. There will be islands and gateways, but when GDP starts depending on connectivity, that sends a signal to govts.</p><p>MP: A lot of the world that looked to the US for internet leadership, they see where growth is coming from, and that is China.</p><p>DC: China has imposed strict control of info, but look at Europe and India which are more open:</p><p>But you also look at Europe and India and other places moving toward a more open regime focused on privacy. It is unfortunate that the US is stepping back from the leading role that they had.</p><p>PM: This whole business about filtering being harmful is not where we are today. Is there anyone in the audience who doesn't want to use anti-spam on email?</p><p>MP: But that’s your decision, not the govt’s.</p><p>PM: Reputation filtering is my first line of defense. The fact that filtering is good tech doesn’t mean it can’t be used for bad or good. We should be worried about sharpening that up rather than worrying about censorship.</p><p>One question I always want to ask is: is <a href="https://www.cloudflare.com/learning/email-security/what-is-email-routing/">email routing</a> more secure than PGP? If you connect me to a billion more people, I don’t have time to talk to them.</p><p>MP: But if there’s the opportunity to talk to one, isn't there some value?</p><p>PM: Being selective about who you connect to… why would you talk to some unknown person if you wouldn’t go to a restaurant without looking at reviews?</p><p><b>Q&amp;A:</b></p><p>Q: You talked about fragmentation; when will the Great Firewall of China have an adverse effect on the Chinese government? 
When will cracks start to reappear in that?</p><p>DC: Depending on who you talk to, the Great Firewall of China is either the best thing that God has created or it is already impacting the ability of Chinese companies to work in a global market.</p><p>Because there is so much potential for growth in China, control is winning. But as soon as Chinese organizations look for larger markets, you’ll start to see changes in the way that firewall is operating.</p><p>MP: When we travel over there, the lack of ability to run a Google search and find code that you need, that is something that engineers on the ground in China complain about today. If Chinese companies were to stop thinking about their market being only inside China. Think Snapchat. The country will start to look more outward.</p><p>PM: The jury is still out. Darwin isn’t necessarily in favor of liberalism. Be comforted by specific examples like market access. But there is still reason to be scared.</p><p>MP: Ok, final question - Bitcoin @ $4,500 or IPv4 addresses @ $12.00 - what is the better investment?</p><p>DC: IPv4</p><p>All our sessions will be streamed live! If you can't make it to Summit, here's the link: <a href="http://www.cloudflare.com/summit17">cloudflare.com/summit17</a></p> ]]></content:encoded>
            <category><![CDATA[Internet Summit]]></category>
            <category><![CDATA[DNS]]></category>
            <category><![CDATA[ICANN]]></category>
            <guid isPermaLink="false">3kFOumVT2QqKqUXHiRPdfd</guid>
            <dc:creator>Internet Summit Team</dc:creator>
        </item>
        <item>
            <title><![CDATA[Updating the DNS Registration Model to Keep Pace with Today’s Internet.]]></title>
            <link>https://blog.cloudflare.com/updating-the-dns-registration-model-to-keep-pace-with-todays-internet/</link>
            <pubDate>Thu, 05 Feb 2015 18:48:17 GMT</pubDate>
            <description><![CDATA[ CloudFlare is, arguably, the largest third-party DNS Authoritative operator in the world. We manage well over 1 million domains and have registrations in almost every TLD open for registrations. ]]></description>
            <content:encoded><![CDATA[ <p>CloudFlare is, arguably, the <a href="http://solvedns.com/">largest third-party DNS Authoritative operator in the world</a>. We manage well over 1 million domains and have registrations in almost every <a href="https://www.cloudflare.com/learning/dns/top-level-domain/">TLD</a> open for registrations. Our role as a DNS operator is to maintain customer information and publish their records in the global DNS.</p><p>In this blog, we’ll introduce a significant problem that DNS operators like CloudFlare face when trying to provide the best possible experience to our customers. If you are a CloudFlare customer, you’ll remember that during the sign up process you were asked to log in to your registrar account in order to change your nameservers (NS). The absence of an automated process for changing NS records not only makes our signup process one step longer than we’d like, it also prevents CloudFlare, and other third-party DNS operators, from doing a slew of other things that would benefit customers and the Internet as a whole.</p><p><i>Note: In this blog we’ll use the term DNS Operator mainly in the context of operators that provide Authoritative DNS service. This is sometimes called Managed DNS service.</i></p>
    <div>
      <h3>Manual Updates</h3>
      <a href="#manual-updates">
        
      </a>
    </div>
    <p>For those who are not yet CloudFlare customers, let’s run through the sign up process:</p><p>When CloudFlare customers enable our DNS services for their domain, we allocate and provide them with nameservers. After the customer configures the various records within their domain (e.g., A, AAAA, MX, CNAME, etc.) on the CloudFlare system, customers then need to go back to their Domain Registrar and manually update their NS records so they match the NS information provided by CloudFlare. Once the NS records have been changed, CloudFlare becomes the authoritative DNS operator for that zone.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6xGSdSSJaAmdzPRXGsKMTl/95600f604567101eab60db2995d1237f/image01.png" />
            
            </figure><p>This manual process is outdated, and there is only one thing standing in the way of an automated process—the current domain industry registration model.</p>
    <div>
      <h3>The Problem with the Domain Industry Standard Registration Model</h3>
      <a href="#the-problem-with-the-domain-industry-standard-registration-model">
        
      </a>
    </div>
    <p>The <a href="https://www.cloudflare.com/products/registrar/">domain registration</a> system includes Registrants, Resellers, Registrars, Registries, and ICANN, and there are strict rules about how information flows through it:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1OisQPr4yYjNuGeQvWKoZm/91ddc13aff287140eb618f672cc30197/image00.gif" />
            
            </figure><p><i>Note: A full glossary of the terms used in this document is available from the ICANN website.</i></p><p>Notice that DNS Operators are not included in the ICANN diagram above. When this model was created, no one thought that DNS service might be provided by someone other than the Registrant or Registrar. Things have changed, but unfortunately, the system and its rules haven’t.</p><p>In nearly all cases, CloudFlare customers are using a Registrar where CloudFlare’s relationship with the customer is not explicitly expressed. The relationship can only be inferred from the NS records that point towards CloudFlare, or from the fact that the nameserver addresses fall within CloudFlare’s address space. This omission of third-party DNS operators from the ICANN model causes operational difficulties.</p>
    <div>
      <h3>CloudFlare’s Relationship With Registries and Registrars</h3>
      <a href="#cloudflares-relationship-with-registries-and-registrars">
        
      </a>
    </div>
    <p>Operational difficulties arise currently because the only way to find the Registrar of a <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/">domain name</a> is to query for the “whois” information. Below is a selected excerpt from a successful whois query:</p><pre><code>Domain Name: CLOUDFLARE.COM
...
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
...
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
...
Registrant Name: CloudFlare, Inc.</code></pre><p>All domain updates (such as postal address or name server changes) go from the customer (or Registrant) to the Registrar before being sent to the Registry. As a DNS Operator, CloudFlare is separate from these R-named entities, so we don’t show up in a whois query.</p><p>The difficulty is that whois information, which may contain postal addresses, telephone numbers, and/or email addresses, is designed for human consumption and human action. Because this information has historically been changed by people, there is no protocol specifying how a DNS operator’s system can ask a <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/">registrar</a> for changes in delegation information in an authenticated, automated way.</p>
    <div>
      <h3>A New Model: DNS Operators Communicating with Registrars and Registries</h3>
      <a href="#a-new-model-dns-operators-communicating-with-registrars-and-registries">
        
      </a>
    </div>
    <p>In the current ICANN system there are roughly three classes of DNS operators. These classes are based on the ability of DNS operators to make changes in the delegating parent zone:</p><p><b>Registrars/Resellers</b>—Have a direct interface to the registry database, and can change information at will and instantly.</p><p><b>Registrants</b>—Have a user interface (usually web) to update information.</p><p><b>Third-Party DNS Operators</b>—Need either the registrant to update information on their behalf, or access to the registrant’s account with the registrar (which is bad security practice: it hands the operator control of the whole account rather than just the delegation). In reality, DNS operators can only expect registrants to log into the account on two occasions: a. when service is moved to the operator, or b. when service is taken away from the operator.</p><p>CloudFlare is advocating to gain the ability to update NS records for our customers, and the address records associated with them, using automated channels. Our goal is to be able to add and remove nameservers from customer domains without the customer being involved.</p><p>Creating an automated process for updating NS (and DS) records would help solve the operational difficulties of providing DNS service, and would open up new possibilities for the Internet as a whole. If DNS operators had control of NS and DS records they could re-balance nameservers for stability, quickly change nameservers that go bad, and even better protect customers against DDoS attacks. Most people don’t know that when certain NS records come under heavy DDoS attack, all customers that share that nameserver might also experience a degradation in service. 
If those NS records could be changed quickly, we could lessen the impact on domains that are not <a href="http://www.circleid.com/posts/20141202_nameserver_operators_need_the_ability_to_disavow_domains/">being targeted</a>.</p><p>Perhaps the most important reason for automating DNS operators’ access to customer NS and DS (Delegation Signer) records is that this change would pave the way for DNSSEC deployment. DNSSEC requires maintaining DS records because they have to be inserted into the parent zone and updated whenever the child’s key-signing key is rolled, potentially on a regular schedule. If the DS record is not kept in step with the child’s DNSKEY RRset, DNSSEC validation fails and the domain becomes unresolvable for every validating resolver. Presently, this is done through a web interface at the Registrar by the Registrant.</p>
    <div>
      <h3>Achieving DNSSEC Ubiquity</h3>
      <a href="#achieving-dnssec-ubiquity">
        
      </a>
    </div>
    <p>In theory, the Registrant could designate the DNS Operator as Technical Contact, but that doesn’t help unless the Technical Contact is given full access to the Registrant’s account, since most Registrars don’t provide role-based access to accounts. In any case, asking our customers to update their delegation information in order to reflect the DNSSEC trust chain is problematic. One issue with this approach is that if CloudFlare were to ask hundreds of thousands of customers that own millions of domains to make manual updates to their records, there would be a huge chance of error. If records are updated incorrectly, it would not only cause frustration, it might cause the site to go down due to DNSSEC validation errors.</p><p>CloudFlare could try to minimize these errors by publishing <a href="https://tools.ietf.org/html/rfc7344">CDS and/or CDNSKEY records</a> in each zone, which the registrar or registry can pick up via a DNS query, validate against the existing chain of trust, and apply as the new DS. But the long-term solution is full automation with authorized updates to delegation information.</p><p>Some will say that the current system will work if the DNS operator is designated as Technical Contact (one of the roles defined in the ICANN model), but almost no Registrar offers role-based accounts for customers. All that designation does is decrease the probability that a phone call or email from the Technical Contact is dismissed as a social engineering attack.</p>
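<p>As an added illustration (not code from this post or from CloudFlare's own tooling), here is what the parent or registrar side of the CDS/CDNSKEY flow has to do before it copies a child's CDS into the parent zone as a DS: compute the DS for each key in the child's DNSKEY RRset (RFC 4034 key tag and digest) and refuse any CDS that does not correspond to a key the child actually publishes, so that a mistake in the child's CDS cannot break its own delegation. The owner name example.com and the 64 key bytes are constructed for the example and are not a real key; the RRSIG validation of the CDS RRset that RFC 7344 also requires is deliberately left out.</p>

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 s5.1.3, RFC 4509, RFC 6605); type 3 (GOST) omitted.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA on the wire: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA (key tag, algorithm, digest type, hex digest) for a DNSKEY, RFC 4034 s5.1.4:
    digest = H(canonical owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_dnskey(line: str) -> tuple:
    """Parse presentation form 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], dnskey_rdata(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), pubkey)


def parse_cds(line: str) -> tuple:
    """Parse 'owner [ttl] [IN] CDS keytag alg digesttype hexdigest...' into the tuple shape make_ds returns."""
    f = line.split()
    i = f.index("CDS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def vet_cds(owner: str, dnskey_lines: list, cds_lines: list) -> tuple:
    """Parent-side acceptance check for a child's CDS RRset (RFC 7344 s4.1): publish a DS only if
    it matches a key that is actually in the child's DNSKEY RRset. Returns (accepted, rejected),
    where rejected pairs each bad CDS with a reason. NOT done here: checking the RRSIG over the
    CDS RRset against the currently delegated DS, which RFC 7344 requires before any change."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    accepted, rejected = [], []
    for line in cds_lines:
        cds = parse_cds(line)
        tag, alg, dtype, _ = cds
        if alg == 0:  # "delete DS" sentinel (RFC 8078) is a separate operation, not a key
            rejected.append((cds, "DS-removal sentinel, handled separately"))
        elif dtype not in DIGEST_ALGS:
            rejected.append((cds, f"unsupported digest type {dtype}"))
        elif any(make_ds(o, rd, dtype) == cds for o, rd in keys if wire_name(o) == wire_name(owner)):
            accepted.append(cds)
        else:
            rejected.append((cds, f"no DNSKEY with key tag {tag} matches this digest"))
    return accepted, rejected


# Constructed sample: NOT a real key, just 64 deterministic bytes where an ECDSA P-256 (alg 13) key would be.
SAMPLE_KEY = bytes(range(64))
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_KEY).decode()


def sample_records() -> tuple:
    """The CDS the child would publish for SAMPLE_DNSKEY, plus a tampered copy (key tag off by one)."""
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    tag, alg, dtype, digest = make_ds(owner, rdata)
    good = f"example.com. 3600 IN CDS {tag} {alg} {dtype} {digest}"
    bad = f"example.com. 3600 IN CDS {tag + 1} {alg} {dtype} {digest}"
    return good, bad


if __name__ == "__main__":
    good, bad = sample_records()
    accepted, rejected = vet_cds("example.com.", [SAMPLE_DNSKEY], [good, bad])
    print("accepted:", accepted)
    print("rejected:", rejected)
```

<p>The digest covers the canonical wire-format owner name as well as the DNSKEY RDATA, which is why a DS copied from one zone can never validate in another, and why the parent needs the child's owner name, not just its CDS text, to recompute it.</p>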
    <div>
      <h3>JOIN US</h3>
      <a href="#join-us">
        
      </a>
    </div>
    <p>CloudFlare wants to team up with Registrars, Registries, and other DNS Operators to define and deploy more reliable methods for updating NS and DS records. We think this would be a big win for our customers, and, ultimately, for the internet as a whole. If you’re interested in participating in this process, you can sign up for this mailing list: <a href="#">dnssec-auto-ds@elists.isoc.org</a></p> ]]></content:encoded>
            <category><![CDATA[ICANN]]></category>
            <category><![CDATA[DNSSEC]]></category>
            <category><![CDATA[DNS]]></category>
            <category><![CDATA[Reliability]]></category>
            <guid isPermaLink="false">7DrGn3ATfkJqNCgi6l1foD</guid>
            <dc:creator>Ólafur Guðmundsson</dc:creator>
        </item>
        <item>
            <title><![CDATA[Non-Latin/UTF8 International Domains (IDNs) Now Fully Supported]]></title>
            <link>https://blog.cloudflare.com/non-latinutf8-domains-now-fully-supported/</link>
            <pubDate>Mon, 09 Apr 2012 23:03:00 GMT</pubDate>
            <description><![CDATA[ One of the strangest questions I get when talking about CloudFlare is: "How are you ever going to expand your customer base beyond Silicon Valley?"  ]]></description>
            <content:encoded><![CDATA[ <p>One of the strangest questions I get when talking about CloudFlare is: "How are you ever going to expand your customer base beyond Silicon Valley?" The reality is that while wandering San Francisco in a CloudFlare shirt gets me an occasional high-five, I've run into almost as many users abroad as I have at home.</p><p>The United States remains CloudFlare's largest source of traffic, but China is a rapidly expanding second, Brazil third, Turkey fourth, and Great Britain fifth. We run <a href="http://www.cloudflare.com/network-map">14 data centers</a> (Amsterdam is our busiest), in 8 countries, and on 3 continents. We have a Costa Rican subsidiary, in preparation for our expansion into Latin America, and are setting up a Seychelles subsidiary, in preparation for our expansion into Africa. In other words, we are already a very international company.</p>
    <div>
      <h3>The Web's Great Embarrassment</h3>
      <a href="#the-webs-great-embarrassment">
        
      </a>
    </div>
    <p>The web wasn't originally set up to support non-Latin alphabets. If your language used characters not represented in ASCII, up until surprisingly recently you were out of luck <a href="https://www.cloudflare.com/products/registrar/">registering a domain</a>. People began talking about this problem in the 1990s, but it wasn't until 2000 that .com and .net began supporting Internationalized Domain Names (IDNs). While these <a href="https://www.cloudflare.com/learning/dns/top-level-domain/">top level domains (TLDs)</a> supported IDNs, browsers were slow to roll out IDN support, which only became widespread in the last 6 years. If you wanted a top level domain with a non-Latin character, it wasn't until 2010 that ICANN approved the first set.</p><p>Today, most DNS interfaces still don't support IDNs. Holders of IDNs need to convert their domains to what is known as <a href="http://en.wikipedia.org/wiki/Punycode">Punycode</a> in order to add them to most DNS systems. Punycodes are ASCII representations of <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/">domain names</a> (e.g., xn--camtasia-5x3qu96nkem.com to represent camtasia教程网.com). They're a useful but ugly hack to make the Internet work on a system that never envisioned the global diversity and ubiquity it has obtained.</p>
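<p>An added example, not code from this post or from CloudFlare: converting a domain between its Unicode form and its Punycode (xn--) form with the Python standard library, plus the check a DNS or registrar interface wants alongside the conversion. The same machinery that makes camtasia教程网.com work also lets a label such as "pаypal" (with a Cyrillic а, U+0430) register as a label distinct from "paypal", and it is the ASCII form that exposes the substitution. The mixed-script test below is a heuristic built on character names, standing in for the Unicode Script property the standard library does not expose, and the sample domains are constructed for the example.</p>

```python
import unicodedata

# UTS #39 "highly restrictive" profile in miniature: Latin may be combined with one East Asian
# script group, but Latin mixed with e.g. Cyrillic or Greek (the classic homograph) is not allowed.
_EAST_ASIAN_GROUPS = (
    {"CJK", "HIRAGANA", "KATAKANA"},   # Japanese
    {"CJK", "BOPOMOFO"},               # Chinese
    {"CJK", "HANGUL"},                 # Korean
)
# Characters with no script of their own (digits, hyphen) are ignored when deciding.
_COMMON = {"DIGIT", "HYPHEN-MINUS"}


def to_ascii(domain: str) -> str:
    """IDNA ToASCII for every label using the stdlib 'idna' codec (IDNA 2003: nameprep
    lowercasing and normalisation, then Punycode with the xn-- prefix). ASCII labels pass through."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Inverse of to_ascii: decode every xn-- label of an ASCII domain back to Unicode."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Approximate the Unicode Script property with the first word of each character's name
    ('LATIN SMALL LETTER A' -> 'LATIN', 'CJK UNIFIED IDEOGRAPH-6559' -> 'CJK').
    Assumption: this heuristic stands in for the real Script property the stdlib lacks."""
    scripts = set()
    for ch in label:
        script = unicodedata.name(ch, "UNKNOWN").split()[0]
        if script not in _COMMON:
            scripts.add(script)
    return scripts


def is_mixed_script(label: str) -> bool:
    """True when a label mixes scripts in a way the restrictive profile forbids,
    e.g. Latin 'p?ypal' where the first 'a' is Cyrillic U+0430."""
    scripts = label_scripts(label)
    if len(scripts) <= 1:
        return False
    non_latin = scripts - {"LATIN"}
    return not any(non_latin <= group for group in _EAST_ASIAN_GROUPS)


def check_domain(domain: str) -> dict:
    """Normalise a user-supplied domain (Unicode or xn-- form) to both forms and report
    labels that look like homograph attempts."""
    unicode_form = to_unicode(domain) if domain.isascii() else domain
    ascii_form = to_ascii(unicode_form)
    suspicious = [lbl for lbl in unicode_form.split(".") if is_mixed_script(lbl)]
    return {"unicode": unicode_form, "ascii": ascii_form, "suspicious_labels": suspicious}


if __name__ == "__main__":
    # Constructed inputs: a German name, the post's Chinese example, and a Cyrillic homograph.
    for name in ("münchen.de", "camtasia教程网.com", "p\u0430ypal.com"):
        print(check_domain(name))
```

<p>Note what the check does and does not catch: Latin plus Han ("camtasia教程网") is accepted because that combination is legitimate in Chinese-market names, while Latin plus Cyrillic is flagged; confusables within a single script (a capital I for a lowercase l) are a separate problem this heuristic does not address.</p>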
    <div>
      <h3>IDN Support, Now Standard</h3>
      <a href="#idn-support-now-standard">
        
      </a>
    </div>
    <p>CloudFlare has supported Punycodes for our DNS from the beginning, but, as I said, that's an ugly hack. I'm happy to announce that, as of today, we now support IDNs directly in our interface. If you've previously entered your domain using a Punycode, you should now see your domain displayed correctly in its native characters. And if you enter a domain in non-Latin characters, we handle all the backend conversion to make it work gracefully with the global DNS infrastructure.</p><p>We've also added more support throughout our UI for non-Latin characters. In the past, we were overly restrictive in requiring Latin characters in many of the forms on our site. We've upgraded our UI site-wide to add support for the whole UTF-8 character set.</p><p>CloudFlare is already a global company, and I'm proud that we're now more fully supporting the world's languages and character sets. In other words, if you're looking for a DNS provider for an internationalized domain name, <a href="https://www.cloudflare.com/sign-up">you're welcome here</a>.</p> ]]></content:encoded>
            <category><![CDATA[ICANN]]></category>
            <category><![CDATA[Cloudflare History]]></category>
            <guid isPermaLink="false">69unZWMN4BskkmcAINioUu</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
    </channel>
</rss>