How do I set up my .gov account with Google Authenticator?
In order to set up 2-step verification, you will need to use an authentication app to generate security codes. DotGov will only provide customer support for Google Authenticator, but any application that implements the time-based one-time password (TOTP) standard will also work.

Here’s how to set up 2-step verification with Google Authenticator:

  1. Download the Google Authenticator app (Android, iOS) on your mobile device. (Note that your organization might have rules about whether this app can be on your personal or work device.)
  2. On your computer, log in to the .gov registrar at https://domains.dotgov.gov.
  3. Once logged in, click on Account in the left navigation, then select Setup 2-step Verification.
  4. Open the Authenticator app on your device and select Begin Setup (or + if you’ve used the app before), then tap Scan Barcode, and point your device’s camera at the QR code on the screen. You should see an entry for the .gov Registrar added in Authenticator.
  5. Type the six-digit code displayed on your device in the One time password field.

Your account now has 2-step verification enabled! From now on, after you log in with your password, you will need to enter the six-digit code from your authentication app.

Who does this change affect?
All user accounts will be required to use 2-step verification. If any of your domain points of contact (POC) are unable to use an authentication app, you will need to assign a new point of contact.

What is an authentication app?

Authentication apps generate security codes for signing in to sites that require a high level of security. You can use these apps to get security codes even if you don’t have an internet connection or mobile service. A mobile phone app is the typical example of an authentication app, but other forms exist, including applications for desktops, browser extensions, and physical hardware.

Any application that implements the time-based one-time password (TOTP) standard and can use a QR code or accept a manually entered key will also work. DotGov will only provide customer support for Google Authenticator mobile applications.

After installing and configuring the application to work with the registrar, you will be able to receive security codes for your account. Some options for authentication apps include:

  1. Android options: Google Authenticator, 1Password, Authy, LastPass
  2. iOS options: Google Authenticator, 1Password, Authy, LastPass
  3. macOS apps: 1Password, OTP Manager
  4. Windows apps: 1Password, OTP Manager
  5. Chrome extensions: Authenticator
  6. TOTP hardware: Protectimus Slim mini, Token2 miniOTP-1

Is there a cost for an authentication app?
Google Authenticator is free to download, and is the only application that DotGov will field customer support for. Other apps may have a cost.

I do not have a smartphone. What other options do I have?
All users are required to use 2-step verification. If you are unable to use a smartphone, you should explore other authentication app options available, but note that we will only field customer support for Google Authenticator.

Do authentication apps need an internet connection to function?
No. An internet connection is required to download an app (like Google Authenticator), but using it does not require an active connection.

I have a new phone. How do I switch devices?
If you have the old phone, log in to your account, click on Account, then select Update 2-step verification.

If you’re updating 2-step verification to a new device and you have access to the old one, consider deleting the old device’s “.gov Registrar” entry so you aren’t confused in the future.

I’ve lost my phone! How do I get back into my account?
If you are unable to access your device, you should contact the .gov Help Desk at registrar@dotgov.gov or 1-877-734-4688.

I have a question that isn’t listed. Whom should I contact?
Contact the .gov Help Desk for additional support at registrar@dotgov.gov or 1-877-734-4688.


Accounts and Point(s) of Contact (POC)

What is a POC?
A POC serves as a contact on a domain. There are three types: Billing, Technical, and Administrator. 

Can one person serve as multiple POCs on a single domain?
No. All POCs on a domain must be unique to prevent a single point of failure. Each domain will require three (3) distinct POCs before submitting a request for approval or before submitting a renewal payment.

Can one person serve as a POC on multiple domains?

One of the POCs is no longer the right person to help manage a domain. We need to remove him/her. How do I do that?
If you are a POC on a domain that is undergoing the request process, you may update the POC with another. However, please ensure that you are selecting an existing user. If you are unable to update a POC with an existing user, please contact the Help Desk.

To change a single POC on the account, the Administrative POC will need to send an email to registrar@dotgov.gov, and request the change of POC. If the new POC already has an account on the system, please provide the Username for the account and which POC the user will replace. If the new POC does not currently have an account, please send the name and contact information to registrar@dotgov.gov so an account can be set up for them. For federal level domains, the email must come from a Government employee.

If all three POCs have left the domain, the Authorizing Authority must assign 3 more POCs in a new authorization letter.

Section 1(h) of the Guidelines for the Gov Domain states:

It is the registrant’s responsibility to provide all requested information and keep all account information current, to include POC information, DNS information and ensure the account is paid in full each year. Government domains / websites can be very large, complex and support important business operations. The process to address policy violations will allow for coordination across organizational boundaries and involve persons with the authority to make decisions on the appropriate course of action and in the time frame required. The Administrative POC is the person who controls the content and is the manager of the operations of the domain. The Technical POC is the person that operates the DNS and takes care of technical operations such as security patches, programming, etc. The Billing POC is the person that pays for the domain. The Authorizing Authority (AA) is the highest IT official or highest elected official that authorizes the domain to operate and contain information reference to their government responsibilities. The AA for Federal Agency domains is the CIO. The AA for State level domains is the Governor or their appointed CIO. The AA for local governments and Native Sovereign Nations is the highest elected official or the highest IT official.


How do I reset my password?
If you do not recall your password, please contact the Help Desk and a temporary password will be generated for you. As a security measure, you will be prompted to change the temporary password when you log in.

How quickly will modifications to my domain propagate throughout the Internet?
Propagation depends on a variety of factors, such as caching and connectivity, but changes are usually effective by the next morning.

What are the steps that should be taken to remove a domain and delete it from the .gov system?
Only a registered POC on a domain may request deletion of a domain by sending an email to the .GOV Registrar at registrar@dotgov.gov. In addition to requesting the domain to be deleted, the domain owner should request the resource records for that domain to be removed from the zone file on the nameservers hosting the domain.

Why won't my domain work after updating the registration with actual name servers?
Adding name servers to a reserved domain does not change its status from reserved to active if other requirements are pending. You are permitted to reserve a domain for up to 90 days, giving you time to submit all of the required registration information.

If the name server information is the only remaining information required for registration, it will take approximately 1 to 2 days following receipt of valid name server data for .gov Domain Registration Services to activate your domain. Expect an additional 1 to 2 days for the update to propagate across the Internet.

Where can I get a list of domains that are up for renewal?
From the Home Tab click on Fees.

How do I transfer ownership of a domain name from one organization to another organization (such as from one agency to another agency)?
To transfer ownership of a domain name from one agency to another agency, two letters must be submitted to the .Gov Domain Manager - one from the transferring agency and one from the accepting agency.

The letter from the transferring agency must be on official agency letterhead and signed by the transferring agency chief information officer (CIO). The letter should formally request that the domain name be transferred to the new agency and should include the following information:

  • Both agency names (transferring agency and accepting agency)
  • Domain name to be transferred
  • Current POC(s) and phone number(s) (for the transferring agency)
  • New POC(s) and phone number(s) (for the accepting agency).

The letter from the accepting agency must be on official agency letterhead and must be signed by the accepting agency CIO. 

This letter must specify the request for ownership of the domain name and should include the following information:

  • Both agency names (transferring agency and accepting agency)
  • Domain name to be transferred
  • Current POC(s) and phone number(s) (for the transferring agency)
  • New POC(s) and phone number(s) (for the accepting agency) and
  • New domain name server (DNS) information.

Request letters should be faxed to the attention of the .Gov Domain Manager at (540) 301-0160, or a digital copy emailed to registrar@dotgov.gov. After the .Gov Domain Manager has received and verified both letters, the .Gov Domain Registration database will be updated to reflect the transfer.


What are current registration fees?
The current cost of a .gov domain name is $400 per year.

How often do I need to renew my domain name?

Domain name(s) must be renewed annually. POCs are sent renewal reminder emails at various intervals. Please note that if your domain names are not kept current, they will be removed from active status. If any of your .Gov domain name(s) are removed from active status, any services attached to such domain name(s) may experience issues.

What is the form of payment for .gov domain names?
The only form of payment that is accepted is credit cards. We do not accept any other form of payment.

What happens if I do not renew my domain name?
If a renewal payment is not submitted, domain name(s) do not automatically get removed from the zone. If you do not wish to renew, a registered POC must submit written consent requesting removal of the domain; otherwise, the agency will be held financially responsible for registration fees under Final Rule - 41 CFR Part 102-173.35 and Final Rule - 41 CFR Part 102-173.40. Written consent can be emailed to the Help Desk at registrar@dotgov.gov.

What happens if I fail to submit a payment?
Failure to submit payment does not result in removal of your domain. The entity or agency will be held financially responsible for all accrued registration fees under Final Rule - 41 CFR Part 102-173.35 and Final Rule - 41 CFR Part 102-173.40. Your entity or agency will not be able to acquire new domains until your account is up to date. If you wish to delete your domain, a registered POC must submit written consent requesting deletion to the Help Desk at registrar@dotgov.gov.


Why can I not access systems within my domain, but people outside can?
To speed up the entire DNS process, name servers will temporarily store IP addresses that they have found. This means that if someone in the office next to you visits www.dotgov.gov and then you visit the site shortly afterwards, you receive the IP address from the local, temporary storage rather than through the root servers. If you or your ISP's local name server is not "expiring" this temporary storage (called a cache), you could be getting incorrect IP addresses while people connected through different ISPs are getting the correct information. Please contact your ISP or local technical support for assistance.

Where do I look for the authoritative .gov zone data?
The root servers (e.g., a.root-servers.net through j.root-servers.net) are the authoritative source of .gov information that is "live" on the Internet.

What are the hours of operations for the Registration Help Desk?
The Registration Help Desk is open on U.S. government working days from 9 a.m. to 5 p.m. Eastern and 24/7 for emergencies.


What is the Cloud Signing Service?
The Cloud Signing Service eliminates many of the administrative burdens of the technical DNSSEC signing and management process. The service performs the initial cryptographic signing, the regular re-signing of zone resource records and the ongoing management of key rollover schedules and the associated zone re-signing. Please note that this service will no longer be offered as of September 30, 2017.


Domain HTTP Strict Transport Security (HSTS) Automatic Preloading
What is HTTPS and why is it important?
HTTPS is a protocol that gives users a level of security and privacy when connecting to websites and web services.

The internet’s fundamental design means that both visitors and website owners have very little control over where communications will travel, or whose devices will carry that communication. To ensure secure communication across the internet, traffic must be encrypted all the way from visitors’ devices to the website owners’ devices -- and that’s exactly what HTTPS does. Without HTTPS, hostile networks can inject malware or tracking beacons, or otherwise monitor or change visitor interactions online.

Without HTTPS, website visitors have no guarantees about what happens as they browse the web. Without HTTPS, a visitor’s communication with a website can be modified or monitored by anyone or anything “between” them and the website they’re visiting. The attacker could be someone using that coffee shop WiFi (or the coffee shop itself), or it could be someone who’s hacked an old, out-of-date load balancer which website traffic is flowing through on its way around the internet. 

What is HSTS/HTTPS preloading?
Today, web browsers allow websites to be “preloaded” as HSTS-only. This means that web browsers will always use HTTPS to connect with those websites. For example, “whitehouse.gov” has been preloaded into all major web browsers. If you type “whitehouse.gov” into your browser and hit “Enter,” or click on a link without https in the protocol, your browser knows to connect to https://whitehouse.gov instead of http://whitehouse.gov, even though you didn’t specifically tell it to. The same thing happens if you go to a subdomain of whitehouse.gov, like petitions.whitehouse.gov. 

By preloading “whitehouse.gov”, the White House has ensured that browsers will always make secure HTTPS connections to all of its websites.

Will automatic preloading affect all .Gov domains?
No. ALL the following criteria must be met for domains (and associated websites) to be affected:

  • The .Gov domain belongs to an agency of the Federal Government’s Executive branch; AND
  • The .Gov domain was registered for the first time on a date after May 15, 2017; AND
  • The .Gov domain is on the preload list.

Will automatic preloading affect non-Executive branch federal domains and websites?
No. If a .gov domain belongs to the federal government’s Legislative or Judicial branches, it will not be affected by HTTPS preloading.

Will automatic preloading affect state or local government, or Native tribe domains and websites?
No. If a .Gov domain belongs to a native tribe, a state, or a local government entity, it will not be affected by HTTPS preloading.

Will automatic preloading affect existing (registered BEFORE May 15, 2017) Executive branch federal .gov domains and websites?
No. If a .Gov domain was registered before May 15, 2017, it will not be affected by the HTTPS preloading. 

Note: It’s possible for any .Gov domain owner to preload their own domain. Some domains not meeting the above criteria have been preloaded through the domain owner’s direct action, and could be affected. This service only applies to identifying domains preloaded through the DotGov Program team’s action, rather than the domain owner’s action.

See below to learn how to verify whether a domain has been preloaded.

How will HSTS preloading affect .Gov domain visitors?

If a .Gov domain is affected and preloaded, any websites hosted on that domain or any of its subdomains will be affected in the following two ways:

  1. Supporting web browsers will automatically redirect HTTP requests to the HTTPS version of the same URL, for any URL on that domain or its subdomains.
    • To illustrate, if “example.gov” is preloaded, then attempting to visit http://example.gov/about/ will redirect the user to https://example.gov/about/.
    • Similarly, attempting to visit http://history.example.gov/faq/ will redirect the user to https://history.example.gov/faq/.
    • This will happen no matter how the domain owner has configured their web server. In fact, this will happen even if the domain owner has no web server configured at all.
  2. Supporting web browsers will NOT allow website visitors to click through any certificate warnings a user might encounter on a website on the affected .Gov domain or any of its subdomains. This means that affected domain owners must treat a certificate configuration issue as equivalent to downtime. Visitors cannot be asked to click through certificate warnings to use the website.

How can I verify whether a .Gov domain is preloaded?
To verify whether a domain is being affected by HSTS preloading:

  1. Check Chrome’s HSTS Preload list form at https://hstspreload.org. Enter the domain and click “Check status and eligibility.” For example, if you enter “whitehouse.gov” you’ll get a message saying “Status: whitehouse.gov is currently preloaded.”
  2. View the Chrome source code at https://chromium.googlesource.com/chromium/src/net/+/refs/heads/master/http/transport_security_state_static.json. This is a large file and is in JSON form, but is the authoritative source of whether the domain is preloaded in Chrome. Other browsers pull from this list as well, so it should be valid for browsers other than just Chrome.
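As an added example (not DotGov's code and not Chromium's), this shows how a browser applies a preload entry, covering both the two effects described above and the lookup behind the status check: an excerpt in the layout of Chromium's transport_security_state_static.json is parsed, then http:// URLs on listed hosts or their subdomains are upgraded and certificate warnings become non-overridable. The entries are constructed, not copied from the real list; the real file is much larger and begins with "//" comment lines, which the loader strips.

```python
"""Added example: how a preload entry is matched and what it changes.
The JSON excerpt is constructed in the real file's layout."""
import json
from urllib.parse import urlsplit, urlunsplit

SAMPLE_PRELOAD_JSON = """
// constructed sample in the file's layout, not the real preload list
{
  "entries": [
    {"name": "whitehouse.gov", "mode": "force-https", "include_subdomains": true},
    {"name": "example.gov", "mode": "force-https", "include_subdomains": true},
    {"name": "only-apex.gov", "mode": "force-https", "include_subdomains": false}
  ]
}
"""


def load_preload_entries(text):
    """Strip comment lines, parse the JSON, and index force-https entries by name."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    return {e["name"].lower(): e
            for e in json.loads(body)["entries"] if e.get("mode") == "force-https"}


def preload_entry_for(host, entries):
    """Look up the host itself, then each parent domain; a parent only counts
    when its entry has include_subdomains. Returns the entry or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = entries.get(".".join(labels[i:]))
        if entry and (i == 0 or entry.get("include_subdomains")):
            return entry
    return None


def is_preloaded(host, entries):
    """The check behind a "currently preloaded" status for a host."""
    return preload_entry_for(host, entries) is not None


def upgrade_url(url, entries):
    """Effect 1: an http:// URL on a preloaded host is rewritten to https://
    before any request is sent, regardless of how the server is configured."""
    p = urlsplit(url)
    if p.scheme != "http" or not is_preloaded(p.hostname or "", entries):
        return url
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def cert_warning_overridable(host, entries):
    """Effect 2: on a preloaded host the browser offers no click-through for
    certificate errors, so a bad certificate is an outage, not a warning."""
    return not is_preloaded(host, entries)


if __name__ == "__main__":
    entries = load_preload_entries(SAMPLE_PRELOAD_JSON)
    for url in ("http://example.gov/about/", "http://history.example.gov/faq/",
                "http://sub.only-apex.gov/", "http://unlisted.gov/"):
        print(url, "->", upgrade_url(url, entries))
```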

How should I address web certificate issues that could prevent visitors from viewing web content?

If visitors experience certificate issues on a website the agency intends for public use, and that domain is affected by preloading, then the federal agency must take action to fix the issue. Visitors will not be able to “click through” the certificate warning.

Common certificate issues include:

  • The certificate has “expired.” Certificates are valid for a certain length of time from issuance, and once they expire they will no longer be trusted by web browsers.
    • Solution: Renew and redeploy the certificate.
  • The certificate is served with an incomplete certificate chain. This issue can be difficult for non-technical visitors to diagnose, and may appear to affected visitors as if the certificate is not issued by a trusted authority (Note: only some visitors may be affected -- for example, this commonly affects mobile visitors but not desktop visitors).
  • The certificate is not valid for the given domain name. Certificates are only valid for the exact specific domain name shown in the URL bar.
    • Solution: The agency must issue a new certificate valid for that domain name, or reissue an existing certificate to add the domain name to its list of valid domain names. Examples of this include:
      • A certificate valid for “example.gov” will not work for https://history.example.gov.
      • A certificate valid for “example.gov” will not work for https://www.example.gov.
      • A certificate valid for “www.example.gov” will not work for https://example.gov.
      • A certificate valid for “*.example.gov” will not work for https://example.gov. (This certificate will be valid for https://www.example.gov).
  • The certificate is not issued by a trusted authority. Visitors use browsers and operating systems that only trust a certain set of “certificate authorities,” and many visitors from the general public use browsers and operating systems that do not trust government-issued certificates. For websites that serve a public audience, agencies must use commercially issued certificates.
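As an added example (not DotGov's code), this applies the name-matching rule illustrated in the list above the way browsers do under RFC 6125, together with the expiry check: a presented name must match the host exactly, and a "*" may stand in only for the single leftmost label, so "*.example.gov" covers www.example.gov but neither example.gov nor a.b.example.gov. The certificate is a constructed dictionary of names and an expiry date, not a parsed X.509 object.

```python
"""Added example: which of the listed certificate problems a browser would
refuse on, using a constructed certificate dictionary."""
from datetime import datetime, timezone


def name_matches(presented, hostname):
    """RFC 6125 style match of one certificate name against a hostname."""
    presented, hostname = presented.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    plabels, hlabels = presented.split("."), hostname.split(".")
    # only a whole leftmost '*' label counts, and never for a bare TLD like '*.gov'
    if plabels[0] != "*" or any("*" in l for l in plabels[1:]) or len(plabels) < 3:
        return False
    # the wildcard stands in for exactly one label, so label counts must agree
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def certificate_valid_for(names, hostname):
    """True if any subject alternative name in `names` covers `hostname`."""
    return any(name_matches(n, hostname) for n in names)


def certificate_problems(cert, hostname, now):
    """Return the issues found: 'expired' and/or 'name mismatch'.
    `cert` is a constructed dict with 'names' and an aware 'not_after'."""
    problems = []
    if now > cert["not_after"]:
        problems.append("expired")
    if not certificate_valid_for(cert["names"], hostname):
        problems.append("name mismatch")
    return problems


# Constructed sample certificate data, not a real certificate.
SAMPLE_CERT = {
    "names": ["*.example.gov"],
    "not_after": datetime(2030, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    now = datetime(2029, 6, 1, tzinfo=timezone.utc)
    for host in ("www.example.gov", "example.gov", "a.b.example.gov"):
        print(host, certificate_problems(SAMPLE_CERT, host, now))
```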

Where can I obtain a web certificate for my .Gov website?
To obtain new certificates, agencies should make use of any publicly trusted certificate authority. In general, these are commercial or non-profit entities, as the U.S. government does not operate a certificate authority trusted by all modern browsers.

GSA encourages .Gov domain owners to obtain low cost or free certificates. More expensive certificates generally do not offer more security value to service owners, and automatic deployment of free certificates can significantly improve service owners’ security posture.

For more information, see https://https.cio.gov/certificates/