
Comcast Migrating Customers To DNSSEC Resolvers

Posted by Soulskill
from the must-be-easier-to-throttle dept.
ctg1701 passes along this quote from a Comcast announcement: "Starting today we will begin migrating customers who have opted out of our Domain Helper service over to our production DNSSEC-validating servers. This will happen first in a selected part of our Virginia network, and will later expand to all markets in the following sixty days, at which point all of our customers who have opted out of Domain Helper will be migrated. After this has been completed, we will migrate the rest of our customers, which we anticipate will stretch into the early part of 2011."
  • For those of us on Comcast, what does this mean?

    Whenever I am offered the opportunity to opt out of something by a company, I know it's probably a good idea to opt out.

    Also, I've had very flaky internet service the past week or so, although I am not in this market (Minneapolis area). My equipment all seems to work fine, and of course there could be any number of causes, but this seems interesting.
    • by Entropius (188861)

      My parents have had intermittent connectivity in Alabama these last few days, which is a Big Deal since they have Vonage for phone service. Comcast blames it on the analog-digital switchover, which is horseshit.

    • Re: (Score:3, Informative)

      by AdmiralXyz (1378985)
      If you haven't opted out of Domain Helper ("helpfully" redirecting your 404's to advertising), it doesn't mean anything yet. If you are, it means your DNS lookups are going to be done over a secure channel, which in theory makes it much more difficult to perform DNS redirection attacks (where you look up www.google.com but a hijacking means that you get back the IP address for http://ebay.spamwarezdeath.ru./ [ebay.spamwarezdeath.ru]). In short, it's a Good Thing ;)
      • Re: (Score:3, Insightful)

        by popeye44 (929152)

        Which I am assuming matters not a whit to those of us using OpenDNS.

        I've been extremely happy with OpenDNS so far. "and entirely unhappy with Comcast's opt-out method"

    • Re:What is this? (Score:5, Informative)

      by ctg1701 (311736) on Monday October 18, 2010 @05:55PM (#33939372)

      For those of us on Comcast, what does this mean?

      Whenever I am offered the opportunity to opt out of something by a company, I know it's probably a good idea to opt out.

      Also, I've had very flaky internet service the past week or so, although I am not in this market (Minneapolis area). My equipment all seems to work fine, and of course there could be any number of causes, but this seems interesting.

      DNSSEC security is an Internet standard and it means that we are enabling it for our domains and will validate others once it is rolled out globally. I suggest you read through http://www.dnssec.comcast.net/faq.htm which explains why we are rolling this out and what it means for our customers.

      Thanks

      Chris
      Comcast

    • by ZorinLynx (31751)

      One of the inherent problems with cable internet is that it's a shared medium. One bad fitting, or a customer with malfunctioning equipment can ruin the experience for EVERYONE on the node. And in some systems you can have thousands of customers on one node.

      It's irritating that cable and DSL are the only options here, and DSL is from AT&T who refuses to provide anything faster than 6000/512k around here. I've been lucky so far on Comcast with my 16000/2000k business connection, but I just know that ther

    • by nurb432 (527695)

      The way it sounds, opt-out is only for the short term anyway.

      But I also wonder what practical issues it's going to cause me on a daily basis.

  • domain helper? (Score:3, Informative)

    by bhcompy (1877290) on Monday October 18, 2010 @05:41PM (#33939194)
    Domain helper.. is that the crap that automatically relocates you to some ad serving search website when you input an unrecognized dns in the web browser? That kind of crap is why I switched to 4.1.1.1
    • Re:domain helper? (Score:5, Informative)

      by ctg1701 (311736) on Monday October 18, 2010 @05:59PM (#33939416)

      Domain helper.. is that the crap that automatically relocates you to some ad serving search website when you input an unrecognized dns in the web browser? That kind of crap is why I switched to 4.1.1.1

      We will be disabling Domain Helper on our recursive resolvers and you will also get DNSSEC validation by using our Anycast resolvers. There is no redirection and you will also get the protections enabled by DNSSEC.

      Thanks

      Chris
      Comcast

      • by jonwil (467024)

        Good to see at least one ISP realizing that returning anything other than NXDOMAIN for nonexistent domains is a VERY bad idea. I hope other ISPs (and DNS providers and registrars) see sense and disable their wildcarding.

        Doesn't make Comcast any less evil though (they won't stop being evil until they stop messing with BitTorrent, stop fighting any efforts to create competitors in their areas and adopt the principles of Net Neutrality).

      • Would you mind commenting on why, over 9 years at several different Comcast-served residences, using DHCP in my routers to get and forward DNS server numbers to my systems has resulted in extremely slow lookups? I'm talking easily 5+ seconds per lookup with some complex web pages taking more than a minute to load.

        I never had this problem with Verizon or Charter. The only solution for getting decent DNS performance on Comcast has been to use non-Comcast servers.

    • by jecowa (1152159)
      I use 4.2.2.1-6. It's twice as fast as my ISP's default DNS server and has no ads.
      • by fyrewulff (702920)

        Weren't they talking about restricting it to their customers though (I believe 4.1.1.x is owned by Level3). Or did they change their mind on that?

  • by cobrausn (1915176) on Monday October 18, 2010 @05:45PM (#33939244)
    Had no idea what it was either until I read this. http://blogs.techrepublic.com.com/networking/?p=234 [com.com]
  • This is a GOOD thing (Score:3, Informative)

    by Anonymous Coward on Monday October 18, 2010 @06:00PM (#33939434)

    I've been using these for months while they've been available for testing. The very nature of DNSSEC kills the 404 helper service, and provides an extra level of security. For anyone that wants to use them now without being migrated automatically someday, just use 75.75.75.75 and 75.75.76.76 for the DNS.

    • Re: (Score:2, Interesting)

      by ctg1701 (311736)

      I've been using these for months while they've been available for testing. The very nature of DNSSEC kills the 404 helper service, and provides an extra level of security. For anyone that wants to use them now without being migrated automatically someday, just use 75.75.75.75 and 75.75.76.76 for the DNS.

      Absolutely correct, and hopefully people realize that we want to make your Internet service a better and safer experience.
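
Added example, not part of any comment in this thread and not Comcast's code: the two resolver behaviours discussed above (NXDOMAIN redirection versus DNSSEC validation) can be told apart from the header of the resolver's replies. The function names and the header-only sample replies are constructed for illustration.

```python
import socket
import struct

FLAG_AD = 0x0020        # Authenticated Data: the resolver validated the answer
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def build_query(name, qid=0x1234):
    """A-record query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL field with DO=0x8000
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "ancount": ancount}

def classify(nonexistent_reply, signed_reply):
    """nonexistent_reply: answer for a name that should not exist.
    signed_reply: answer for a name in a DNSSEC-signed zone."""
    nx, sg = parse_header(nonexistent_reply), parse_header(signed_reply)
    return {
        # A synthesized address instead of NXDOMAIN is the redirect behaviour.
        "rewrites_nxdomain": nx["rcode"] == RCODE_NOERROR and nx["ancount"] > 0,
        "validates_dnssec": sg["ad"],
    }

def ask(server, name, timeout=3.0):
    """Live probe over UDP/53 (not exercised by the constructed samples)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def sample(flags, ancount):
    """Constructed header-only reply for offline use."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples: (reply for nonexistent name, reply for signed name)
SAMPLE_REDIRECTING = (sample(0x8180, 1), sample(0x8180, 1))
SAMPLE_VALIDATING = (sample(0x8183, 0), sample(0x81A0, 1))
```

Against a live resolver, pass the results of `ask(server, name)` for a random unregistered label and for a name in a signed zone to `classify()`.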

  • by Anonymous Coward on Monday October 18, 2010 @06:09PM (#33939534)
    Am I tired already? I read that title as "Revolvers", and I wondered what the hell Comcast was doing selling handguns to people. For about thirty seconds. Then I wondered what the hell a "DNSSEC" revolver was for another thirty seconds. Then I smacked myself, re-read the thread title, and decided to make this utterly pointless post.

    Sleep deprivation is a wonderful thing...
  • I'm a Comcast subscriber and have had problems with DNS resolution. Just changed to the new DNS servers and magically it is about twenty times faster.
  • I switched from Comcast to Cricket because the Comcast service was so unreliable. In the end, they could not even get a TV signal through reliably. But that is another story. What I notice though is that even when Comcast was working up to advertised speed, the name server delays were really bad. So, even with lower bandwidth, Cricket seems faster because their name servers work. Hope this move by Comcast makes an improvement.
  • After reading their FAQ [comcast.net], looks like Comcast is doing the right thing and also admitting the DNS Redirector/Helper wasn't the right solution.

    Are customers who have opted in to or out of Comcast Domain Helper impacted by this?

    * When DNSSEC is deployed on all of our DNS servers, the web error redirect function at the core of Comcast Domain Helper will be disabled, as this is not technically compatible with DNSSEC.
    * Customers that have opted out of Domai

  • I'm in a Chicago suburb and got this today:

    This is a courtesy email to let you know that Comcast's DNS servers are changing to servers that use DNS Security Extensions (DNSSEC), as part of an evolving suite of security protections that are part of Comcast Constant Guard. These changes, which have started today in some markets, will be completed within the next sixty days or so. You do not need to take any action and you should not notice any changes to your service, though behind-the-scenes your service wil

  • So your choice is a Comcraptic DNSSEC testbed, or targeted ads?

    While I am forced (alternatives are 5 times slower or 10x as expensive for the same speed) to connect through Comcast, I run my own DNS server -- I wonder how long that will be allowed.

    Comcast is so messed up, though the US broadband as a whole is messed up and getting worse...wonder time to live in the US, in its twilight years...
