Comcast DNSSEC Goes Live
An anonymous reader writes "In a blog post, Comcast's Jason Livingood has announced that Comcast has signed all of its (5000+) domains in addition to having all of its customers using DNSSEC-validating resolvers. He adds, 'Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names.'"
Just in time (Score:5, Insightful)
Re: (Score:3, Informative)
There. DNSSEC has a point now with SOPA. :)
Re:Just in time (Score:5, Informative)
Re: (Score:2)
Can't the feds just order the registry to nuke the master record?
Re: (Score:2)
Only if the registry is in the US. Mine is in the Cayman Islands.
DNSSEC (Score:5, Insightful)
Re: (Score:2)
SOPA breaks DNSSEC -- that's one of its main problems from a technological perspective. And there's no way to prevent someone from using another DNS server, or just a hosts file.
Re: (Score:2)
SOPA breaks DNSSEC -- that's one of its main problems from a technological perspective.
I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."
DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."
If anything, DNSSEC makes SOPA more powerful because I can't just set up a rogue DNS server, change it to authoritative f
Re:DNSSEC (Score:4, Insightful)
I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."
1) That is not even close to the same argument as the one being made.
2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.
DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."
Removing the domain would break DNSSEC, since the removal would not be signed and the signing entity may not be subject to US jurisdiction (or may refuse on first amendment grounds etc.)
More than that, the user can trivially work around the removal of the DNS entry merely by using a DNS server in another country. Effectively preventing the user from communicating with servers in other countries would severely break the internet, which is part of the problem that people are concerned about.
Re: (Score:3, Insightful)
2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.
No, haven't you heard? They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States. Constitutional rights are only for US citizens, don'tchaknow.
Re: (Score:2)
Except they're not... not that the Powers That Be would care.
Plead the 14th (Score:2)
They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States.
That would take two-thirds of both houses and three-fourths of the states because as I understand it, the Fourteenth Amendment locks in the citizenship of anyone born here.
Re: (Score:2)
Re: (Score:2)
There is no such fraction as a "fourth".
Article V of the Constitution [archives.gov] disagrees with you: "...ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof..."
Re: (Score:2)
DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."
Nor was it ever intended to be -- those sites (i.e. the ones within range of the Marshals) are already easy enough to deal with lawfully. The issue was when some guy in Kerbleckistan runs a server that you've got a court order against, you can't do much unless you've got the power to order DNS servers not to give out his IP or black him out of the BGs (with Marshals to back it up).
Re: (Score:2)
Guess who controls the DNSSEC trusted root key? That's right, an American organization.
Re: (Score:2)
there's no way to prevent someone from using another DNS server
for prot in tcp udp; do iptables -t nat -A PREROUTING -i lan0 -p $prot --dport 53 -j REDIRECT;done
Use -j DNAT if the DNS server is on another box.
Quite a bunch of ISPs do that already.
Re: (Score:3)
Re: (Score:2, Insightful)
Nothing sucks balls worse than being forced to use a shitty-ass DNS lookup server hosted by a shitty-ass ISP in the middle of nowhere.
This is what we'd call a first world problem.... I can think of quite a few things more unpleasant than being forced to use a DNS server hosted out in the middle of nowhere...
Re: (Score:2)
Re: (Score:2)
People in Egypt or Syria suffer from internet censorship just the same, and for them communication is a matter of freedom or slavery. Not a first world problem in my book.
Re: (Score:3)
Re: (Score:2)
I was under the impression they were injecting TCP RST packets, not throttling. Big difference.
Re: (Score:2)
That's why they want to replace "merely" oppressive law with few upsides like the DMCA with something downright ridiculous that allows censorship with impunity.
Re: (Score:2)
Can do this today without DNSSEC...
SOPA and DNSSEC? (Score:2)
Re:SOPA and DNSSEC? (Score:5, Informative)
I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledgeable...
Well, let's try a car analogy. Before DNSSEC, anyone could put up a road sign, and you'd have no way of knowing whether it would send you the right way or not. There were a few publicized cases of cars going down the wrong road, a few pileups, but most people got to/from work everyday.
However, some very smart people were worried some other smart people could swap the road signs. So they added smaller digital tags on the back of the signs that had a special number encoded in it and the name of the municipality that placed the sign there. You need a special box to tell you what it says. Not many people were keen on spending the money to implement this, since the only people that could read the special codes were police, firefighters, and some guys riding around in black SUVs. For the majority of drivers, nothing changed.
Separately, these municipalities were threatened with lawsuits by very large companies and the government if they allowed signs to stay up on roads they didn't like, or went to places they didn't like... So they've been busy tearing down signage all over the place to appease these well-monied interests. Sometimes the signs being taken down have the little tags, but most of the time they don't. Drivers that are familiar with the area won't have a problem because they know the address and route already, but younger, and inexperienced drivers might not, and for them, these new laws could keep them from getting to those places.
Re: (Score:2)
I like the analogy, it explains both SOPA & DNSSEC, but unless I'm missing something, they are not related in any relevant way, where one actually requires the other. Picture this, I go to the pirate bay, but SOPA blocks me, so I hop on a. a proxy b. a non-usa dns server. I don't need b but some people do. Now... to the point... if tpb is running dnssec and the dns server i'm on doesn't have a valid signature for tpb cert, and doesn't allow non-cert users, i'd be screwed. Except... the web admin of
Re: (Score:2)
Re:SOPA and DNSSEC? (Score:5, Insightful)
The relationship is the other way around. SOPA is a law which forces ISPs and registrars within its jurisdiction to block certain DNS requests. DNSSEC is a means of signing both individual domain records and chains of domains so that you know that the domain data and/or NXDOMAIN (No Such Domain) response to your request is authentic, provided you can trust the operators of the higher-level domains up to the DNS root, or another anchor point for which you can check the key.
Assuming that TPB has a domain outside SOPA's jurisdiction, and you either have an anchor for that TLD or trust the root domain, this means that while your ISP can still refuse to give you the address for TPB's domain (with either no response or a server error), it can't supply the wrong address or claim that the domain doesn't exist, since you would immediately know that it's lying.
The operator of TPB would have to be stupid not to enable DNSSEC, if it's available for that TLD, since it serves to prevent visitors from being silently redirected to some other site. Using DNSSEC doesn't give ISPs an additional way of blocking your site; on the contrary, it makes it much more obvious when they attempt to do so.
Re: (Score:2)
You're wrong because DNSSEC is backwards compatible. The authoritative servers can sign TPB.org tomorrow, and until people use DNSSEC-enforced DNS resolvers, it won't matter. Your regular old DNS resolver will simply ignore the RRSIG records and the signed hierarchy. Now if you're a Comcast user, you will be able to validate the response: meaning visiting TPB.org won't send you to a bogus site because the A record can't be poisoned.
Re: (Score:2)
You can validate all responses with no DNSSEC support in your DNS resolvers. All you need is the root zone key and verify from there down. Example: run your own BIND server with DNSSEC enabled and never use your ISP's.
Re:SOPA and DNSSEC? (Score:5, Informative)
It's not about disabling DNSSEC. DNSSEC allows a resolver (your machine) to verify that the DNS answers it gets (from a cache, an ISP server, or wherever) are authentic records from the DNS hierarchy. Without DNSSEC you just accept whatever you're told on trust. Your ISP, or some script kiddie in Poland, can fuck with the answers and your first clue will be when TPB is just a blank page saying piracy is illegal or call Czeslaw for a good time.
The point is that DNSSEC will still tell the truth even when the government requires your ISP to lie to you. If you ask "Where is TPB?" under DNSSEC the only possible answers are "Here is the true authentic address for TPB" or "Error, someone is fucking with your DNS resolution". The US government would love the answer to be "Here is a US government web site reminding you that you are the property of Corporate America and subject to its whims" but DNSSEC rules that out. For US registries (like com) the US government can just go tell the registry operator to do what it says or go to jail. But to change the answers to the questions in non-US registries the most obvious option US government has is to put a bunch of men with guns on a helicopter, fly into another country and go break down the doors of the relevant DNS registry and insist they change the authentic records so that DNSSEC checks out OK.
Now I'm sure in the heads of the average 60-something senator voting for these measures that sounds proportionate. It's terrorists, or something, right? We're fighting a war here - the blood of patriots must flow and so on. But when you explain to a Navy seal that he's to go risk his neck so some fucker in a Hollywood corner office can afford to buy an extra yacht, that's going to stick.
Nobody is going to give that order. So if you have DNSSEC, the results of SOPA will be that you see errors every time you hit a page the government is censoring. Consider it your daily reminder that the US government works for the guy with the deepest pockets.
Re: (Score:2)
Actually, what's to stop SOPA from going after verisign and telling them to change the zone info directly?
DNSSEC only authenticates.
But it doesn't stop a legal process from changing the authoritative information itself.
Re: (Score:2)
Exactly, SOPA DNS blocking won't be limited to recursive resolvers at ISPs, it will be implemented at the registry level. VeriSign will get the order and remove the name servers for ThePirateBay.com from the .com zone file.
ccTLDs out of USA jurisdiction (Score:2)
Actually, what's to stop SOPA from going after verisign and telling them to change the zone info directly?
The fact that the U.S. Government lacks jurisdiction to do that to offshore registries not controlled by VeriSign or any other U.S. entity, such as the many country code TLDs used in cute domain hacks [wikipedia.org].
Comcast supports SOPA (Score:5, Insightful)
Given that Comcast has been more proactive about implementing DNSSEC than all the other major ISPs, I was very surprised to learn that they support SOPA [house.gov], which will make it impossible for ISPs to implement DNSSEC. I assume that their stance is motivated by the fact that they own half of NBC, and I wonder how their engineering staff plans on handling this situation if the bill is passed.
Re: (Score:2)
Belatedly, and with much gnashing of teeth? I mean, it's not like corporate divisions play well together...
Re:Comcast supports SOPA (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Re:Comcast supports SOPA (Score:5, Interesting)
DNSSEC won't prevent SOPA from being enforced.
The registries holding the authoritative records can still be compelled to change the master data they send.
Nope (Score:4, Informative)
In the case of registries outside of US jurisdiction, SOPA requires all ISPs within the US to filter domain name requests for allegedly infringing sites, when ordered by the US Attorney General.
Re: (Score:2)
Pfft. defeating SOPA is easy.
1. Become the US Attorney General.
2. Run your own root DNS server
???
4. Profit!!
Now, that wasn't too hard.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Not if they're in .ca, .org, or any of hundreds of other TLDs that aren't controlled by a US-based company
Do you mean that it would only affect .com domains? In that case, what's all the fuss about? If it only targets spammers, who cares?
Laconic answer (Score:3)
"If"
Re: (Score:2)
Re: (Score:2)
Of course they do, they wanted to throttle p2p bandwidth back in the day and got shot down. They are very very conscientious of their bandwidth for how big they are.
Comcast saturates Tata (Score:2)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.
Re:How about going back to flat-rate data? (Score:4, Informative)
I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.
What do you download that exceeds 700+GB? That's 25GB/day, which seems like an awful lot of data.
My household watches several hours of Netflix a day (we have no cable TV and watch Netflix streaming TV shows & movies), and as far as I know, we've never hit our Comcast cap.
Re:How about going back to flat-rate data? (Score:5, Funny)
Re: (Score:3)
Re:How about going back to flat-rate data? (Score:4, Funny)
Ever hear of High definition porn? Silly I know but porn sites are typically the leaders, when it comes to streaming content quality. You can practically count the ingrown hairs, from a pornstar's Brazilian wax.
Hey, I grew up in the day of ASCII porn that was printed out on 132 column green-bar paper - I'd probably be appalled at what I could see in High Def video porn. And based on your comment, it does sound appalling.
Re: (Score:3)
Re: (Score:2)
Meh, 250GB is still a lot for a month.
Consider that a decent self-ripped DVD is only around 2GB, and a good Blu-ray around 8GB. That's around 2 hours of high definition video streaming per day, for a month, with a 250GB allocation.
These days, games are the big consumers of bandwidth, I'd imagine. Spend $30 on cheap games on Steam and you can eat through that 250GB pretty quickly.
Re: (Score:3, Informative)
Re: (Score:2)
Sounds like some BS to me. If we take the 80GB as the average monthly usage that leaves 170GB worth of new games you just bought on steam with a 250GB cap. 6GB is on the higher end for most games, though there are a few that come in around 10GB. Most of the 10+GB games are probably $50 in normal pricing on Steam and chances are most of those weren't much lower than 33% off with 50% off being the cap. I'd say it's probably a pretty safe assumption that you likely spent well over $500, if not $750, on games you
Re: (Score:2, Informative)
Re: (Score:2)
I know my (generally restrictive, but big in Canada) 120gb cap forced me to stop buying games on Steam as I'm nearly through the cap and I still have a week to go. LA Noire just wouldn't have fit in what I had left.
Re: (Score:3)
Just wanted to say, the prudent thing to do here is to buy the games anyway. You can pause the download and it sits in your Steam library as a game you own and you can download it after the next month comes around and your cap is reset.
Re: (Score:2)
Re: (Score:2)
Except that caps are typically up and down. Personally, I've used nearly 300gb in a single month just on crashplan.
Re: (Score:2)
250GB / month is a constant speed of a little under 100KB/sec. I use more bandwidth than that just running a VPN to a few computers in the office. While I may be far from the average user, I'm sure there's a Comcast user out there with a legitimate reason to use over 250GB / month.
Re: (Score:2)
Re: (Score:2)
Some of us aren't perma-bachelors living in a basement paying for our own personal internet connection.
We have 2 adults and 2 teens living in this house, and I doubt our 300 GB cap will be sufficient for long.
Re: (Score:2)
We have 2 adults and 2 teens living in this house, and I doubt our 300 GB cap will be sufficient for long.
Then have each adult pay for one teen rather than having one adult pay for the other adult and both teens.
Re: (Score:2)
Re: (Score:2)
I started working at age ten with lawn cutting, snow shoveling, car washing, etc. to fund my electronics hobby.
Once one of my cousins considered doing this, but it turned out that "we already have someone else doing this; thanks anyway." In such a situation, how do you recommend that a child in middle school or high school perform such work? Could you recommend a safe way for a child to commute to another neighborhood in order to perform those jobs there? I'm probably missing something fundamental; what is it?
Re: (Score:2)
My point flew over your head.
I'm saying that when you share an internet connection you naturally use more. Something barely understood by all the folks here who apparently live alone.
Re:How about going back to flat-rate data? (Score:4, Insightful)
Not quite, data caps are there so that ISPs don't have to have the bandwidth that they promise in their ads. There's something really wrong when a company can advertise something and then modify it to be something completely different via fine print that might not even be legible in the ad.
Re: (Score:2)
I'm upset because they're engaging in fraudulent advertising and most people aren't smart enough to realize it. I just want what they promised when I was looking for an ISP, no more no less. If they can't provide what it is that they're advertising then they sure as hell shouldn't be advertising it.
And as for your quip about price, my ISP offers much faster connections for about what I'm paying in other parts of the country, I don't think bitching about the price is really unreasonable.
Then again, you're ei
Re: (Score:2)
Re: (Score:2)
Re:How about going back to flat-rate data? (Score:5, Insightful)
Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.
DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.
Troll rating: 8/10. It was a good, subtle effort. You get people off topic, since data caps are highly contentious and Comcast is unpopular so that will gather several responses, and extra points for getting the first post so that no one with an on-topic post can precede you. In addition to that, you picked a topic that might otherwise have led somewhere productive, because of the tie in between DNSSEC and SOPA (which is an important, relevant, and time-sensitive topic at this point). You may wish to apply for remuneration with pro-SOPA entities if you have not done so already, as they are known to pay compensation for such efforts.
Re:How about going back to flat-rate data? (Score:5, Insightful)
Is there really a tie in mechanism with DNSSEC?
It is widely understood that SOPA will break DNSSEC, because it requires intermediaries to modify DNS responses, which looks to DNSSEC like a man in the middle attack (because it is one).
Re: (Score:3)
Re:How about going back to flat-rate data? (Score:4, Informative)
exposes such attacks for what they are.
It certainly does that, but it still breaks DNSSEC because it makes users expect DNSSEC failures under normal operation, which enables fraud because users will subsequently ignore future warnings. It further prevents client software developers from implementing countermeasures that would thwart a man in the middle attack since doing so would succeed just as well in bypassing the DNS blocking.
For example, client software might be designed so that if a DNSSEC failure occurs, the client first tries all configured DNS servers to try to get a valid response. If any of the servers is outside the country, the blocking fails. If not, the client software might then try to act as its own recursive DNS server. (Clients are normally not supposed to do this because it would put extra load on the authoritative DNS servers, but clients are normally not supposed to encounter DNSSEC failures, and doing it only in that rare circumstance would almost certainly not cause serious performance issues.) If the authoritative DNS server is outside the country (which it would be for a 'rogue site') then the blocking fails.
So either the law prohibits client software from being designed that way and the security benefits of DNSSEC are destroyed, or client software is designed to thwart a man in the middle attack and the law is a dead letter because the operators of intermediary DNS servers cannot prevent end users from receiving a true DNS response since an attempt to do so will only cause the client's DNSSEC implementation to detect and bypass the intermediary DNS server.
Re: (Score:3)
The best possible outcome to hope for is for the rest of the world to develop and use DNSSEC and other technologies, and leave the US behind its great firewall. I'd say that I'm glad that I live in Canada, but our ruling Conservatives are pure evil and do whatever the US Government tells them to (and I say this as a semi-conservative myself), so eventually Canada
Re: (Score:2)
Re: (Score:2)
[hairyfeet] who is a top poster on /., uses [Comodo] Dragon as his browser simply because it uses DNSSEC to its own secure DNS servers that filter out malware domains.
Comodo Dragon also uses an end-run around the oft-repeated suggestion to use DNSSEC to replace CAs [slashdot.org]: any cert that isn't EV gets a warning page [netcraft.com].
And how can I use it on my BIND server? (Score:3)
I have a dozen domains on my own server. If I would like to use DNSSEC, is there a good practical how-to guide on what I would have to do to my bind configuration?
And would I need to buy a certificate? Currently I just use my own CA and certificates for encryption of my mail traffic and a few private web pages. I really don't want to give money to some anonymous foreign company so that they can "certify" who I am. After all, I should know who I am better than they would.
Re:And how can I use it on my BIND server? (Score:5, Informative)
http://www.imperialviolet.org/2011/06/16/dnssecchrome.html [imperialviolet.org]
Re:And how can I use it on my BIND server? (Score:4, Informative)
There is no need to buy a certificate. DNSSEC does not use X.509 certificates. You generate your own keys and provide them to your registrar to be published upstream.
ISC has recently added "auto DNSSEC signing" to BIND, which may be the easiest way for most folks to add DNSSEC. This page has some information:
http://www.isc.org/community/blog/201006/bind-972-and-and-automatic-dnssec-signing
Here's a post with more info:
http://netlinxinc.com/netlinx-blog/45-dns/133-bind-970-part-4-automatic-zone-signing.html
Re:And how can I use it on my BIND server? (Score:5, Informative)
You can fairly easily sign your zones using Bind: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch04.html#DNSSEC [bind9.net]
This takes a few steps:
* Generate keys - a zone-signing key (ZSK) and a key-signing-key (KSK) - usually a pair of keys for each zone
* Sign your zones - well, the records inside them
* Now use your zone.signed file as the zonefile that Bind serves up
Next, once you query your server and everything looks good, you need to ship either the DNSKEY record or DS (digest of the key) to your registrar *. They will ship that to the registry, which signs either your key or digest. Most gTLDs (.com/.org) require only DS records, while ccTLDs (.de/.eu) require DNSKEY records.
Then, as long as you're using a DNSSEC aware resolver, you can test the hierarchy of the signed zone:
dig @149.20.64.21 comcast.com any +dnssec
Look for the "ad" bit set in the Flags section. If you just want to see the keys in this example, simply limit dig to that RR type:
dig @149.20.64.21 comcast.com dnskey +multiline +dnssec
DNSKEY 257 is the key-signing-key, which was sent to the registry, while DNSKEY 256 is the zone-signing key. Dig +trace to see the DS records at the .com registry - they host two different digests for the same key tag/id (35356):
dig comcast.com dnskey +multiline +dnssec +trace
You'll often notice zones with multiple keys - you must support more than one key at a time to enable key rotation. E.g. You, as an authoritative server operator, may wish to rotate your zone-signing key fairly often, while you may wish to rotate the key-signing-key once per year. Each registry decides the expiration of the key or digest they are storing.
* = Not all registrars support DNSSEC; once you sign your domain you cannot transfer the domain to a non-DNSSEC enabled registrar. Either you have to un-sign it or transfer it somewhere else.
There is no certificate authority involved, as the DNS hierarchy contains the signature chain, from the root servers, to each TLD, to each domain. One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required! A browser can use the DNSSEC validated response to match the public key (or more likely, fingerprint) to the web server it is connecting with. You can already use DNS to publish SSH key fingerprints [ietf.org], now you can sign that record for even more trust.
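An added example (not part of the original comment, and not BIND's own code) for the "DNSKEY record or DS (digest of the key)" step above: it derives the key tag and DS digests from a DNSKEY, which shows how one key-signing key can yield more than one DS record with the same key tag, one per digest type. The zone name and key bytes are constructed placeholders; the key-tag and DS formulas follow RFC 4034, with SHA-256 as digest type 2 per RFC 4509.

```python
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample: RSA-style layout (exponent length, exponent 65537,
# then 64 filler bytes). Not a real or usable key.
SAMPLE_KEY_B64 = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(64))).decode()
SAMPLE_ZONE = "example.com."  # placeholder zone name


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in (l for l in name.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_role(flags):
    """257 = Zone Key bit + SEP bit (KSK); 256 = Zone Key bit only (ZSK)."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def key_tag(rdata):
    """RFC 4034 Appendix B checksum (valid for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, public_key_b64):
    """Return (key_tag, algorithm, digest_type, hex_digest) for each digest type.

    The digest covers the owner name in wire form followed by the DNSKEY RDATA,
    so the same key published under a different name gives a different DS.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    tag = key_tag(rdata)
    covered = name_to_wire(owner) + rdata
    return [
        (tag, algorithm, dtype, DIGEST_TYPES[dtype](covered).hexdigest().upper())
        for dtype in sorted(DIGEST_TYPES)
    ]


def format_ds(owner, record):
    """Presentation form of the DS record, as handed to a registrar."""
    tag, algorithm, dtype, digest = record
    return f"{owner} IN DS {tag} {algorithm} {dtype} {digest}"


if __name__ == "__main__":
    print("flags 257:", key_role(257), "| flags 256:", key_role(256))
    # Algorithm 8 (RSA/SHA-256) and protocol 3 are assumed for the sample key.
    for rec in ds_records(SAMPLE_ZONE, 257, 3, 8, SAMPLE_KEY_B64):
        print(format_ds(SAMPLE_ZONE, rec))
```

Comparing the key tag and digest computed locally with the DS that `dig +trace` shows at the parent zone is a quick check that the registrar published the key you intended.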
Re: (Score:3)
One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required!
I have felt that this is a good idea for a very long, long, long time. The thing on the Internet that tells you where to go to get to a domain name is the DNS server. Thus, the owner of the DNS server really should be the source of the certificate public keys, not some random 3rd party whose true interests lie in selling certificates more cheaply and doing just enough certification that they aren't actually deemed to be insecure.
It's a race to the bottom. DNSSEC, on the other hand, allows the owners of a d
Comodo is already fighting this (Score:2)
I have felt that this is a good idea for a very long, long, long time. The thing on the Internet that tells you where to go to get to a domain name is the DNS server. Thus, the owner of the DNS server really should be the source of the certificate public keys, not some random 3rd party whose true interests lie in selling certificates more cheaply and doing just enough certification that they aren't actually deemed to be insecure.
Which means random third parties will try other methods to sell certificates. A CA might, say, fork Chrome and have it give a warning page for any certificate that isn't EV. Comodo Dragon already does this [netcraft.com]: "The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business."
Re:And how can I use it on my BIND server? (Score:4, Informative)
Signing your own zone is trivial and you don't need to pay anyone. I even created a simple, short video on the subject using the DNSSEC-Tools components: http://www.youtube.com/watch?v=7ksgTFxAg6U [youtube.com]
Though I'm associated with the above project, I actually don't care what tool set you use: just sign your zone!
Re: (Score:2)
Thank you. But I'm afraid I don't have the patience to watch a 12 minute video. What is this new trend of making videos for stuff which would be so much more useful in a written document? Doesn't this project have a web page which I can skim through to get an idea, read in detail if interested, and from which I can copy/paste relevant commands when needed?
I must be too old...
Re: (Score:3)
No, I agree with you. But it is the new trend because some people definitely prefer to see it over time rather than over a page. Color me confused as well.
But we have a text version as well, so never fear: https://www.dnssec-tools.org/wiki/index.php/Sign_Your_Zone [dnssec-tools.org]
Re: (Score:2)
But we have a text version as well
In the description of your video on YouTube, you can give the URL of the transcript. That way people who prefer video can watch the video, and people who prefer to read the transcript can click away and do so.
Re: (Score:2)
True, though it's not a transcript: it's a very different set of text. I don't think transcripts are useful because they're designed around a video. The web page, on the other hand, is a tutorial that is independent of the video.
Side note: the video describes other tools as well, not just zonesigner. The web page only has zonesigner on it (though you could go find the similar pages for donuts, lsdnssec, etc, that the video shows)
Re: (Score:2)
Only if the browser tells you, and I think they don't, at least for now. There's an addon for Firefox, though.
Re: (Score:2)
How well does that [dnssec-validator.cz] work with servers behind round-robin DNS? Or isn't that possible with DNSSEC?
Also funny that it says www.comcast.com [comcast.com] is *not* secured by DNSSEC, contrary to TFA.
Re: (Score:2)
Re:Just in time! (Score:5, Interesting)
Has anybody suggested asking the current political candidates their views on SOPA? If you live in the US, and your Congressperson is listed as a Co-sponsor of the bill, or listed as an opponent of the bill, have you contacted them to voice your opinion? Votes are all that matters to politicians. A few hundred calls/emails to their office telling them that this is a flawed bill, and it WILL result in your vote going to their opponent can quickly change their minds on what matters to them.
http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR03261:@@@P [loc.gov]
That's the current list of SOPA co-sponsors.
Comcast also has a lot of clueless managers / PHB (Score:2)
With the size of Comcast and how its tech is set up, people in one area do not know what the other is doing.
Being built on lots of systems that became Comcast by buying up other systems does not help them stay on the same page.
Sometimes the call center has a hard time telling the techs / installs basic stuff like needing a cable card for the job.