Comcast DNSSEC Goes Live
An anonymous reader writes "In a blog post, Comcast's Jason Livingood has announced that Comcast has signed all of its (5000+) domains in addition to having all of its customers using DNSSEC-validating resolvers. He adds, 'Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names.'"
Just in time (Score:5, Insightful)
DNSSEC (Score:5, Insightful)
Re:How about going back to flat-rate data? (Score:3, Insightful)
Comcast supports SOPA (Score:5, Insightful)
Given that Comcast has been more proactive about implementing DNSSEC than all the other major ISPs, I was very surprised to learn that they support SOPA [house.gov], which will make it impossible for ISPs to implement DNSSEC. I assume that their stance is motivated by the fact that they own half of NBC, and I wonder how their engineering staff plans on handling this situation if the bill is passed.
Re:How about going back to flat-rate data? (Score:3, Insightful)
I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.
Re:How about going back to flat-rate data? (Score:5, Insightful)
Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.
DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.
Troll rating: 8/10. It was a good, subtle effort. You get people off topic, since data caps are highly contentious and Comcast is unpopular so that will gather several responses, and extra points for getting the first post so that no one with an on-topic post can precede you. In addition to that, you picked a topic that might otherwise have led somewhere productive, because of the tie in between DNSSEC and SOPA (which is an important, relevant, and time-sensitive topic at this point). You may wish to apply for remuneration with pro-SOPA entities if you have not done so already, as they are known to pay compensation for such efforts.
Re:DNSSEC (Score:4, Insightful)
I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."
1) That is not even close to the same argument as the one being made.
2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.
DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."
Removing the domain would break DNSSEC, since the removal would not be signed and the signing entity may not be subject to US jurisdiction (or may refuse on first amendment grounds etc.)
More than that, the user can trivially work around the removal of the DNS entry merely by using a DNS server in another country. Effectively preventing the user from communicating with servers in other countries would severely break the internet, which is part of the problem that people are concerned about.
Re:SOPA and DNSSEC? (Score:5, Insightful)
The relationship is the other way around. SOPA is a law which forces ISPs and registrars within its jurisdiction to block certain DNS requests. DNSSEC is a means of signing both individual domain records and chains of domains so that you know that the domain data and/or NXDOMAIN (No Such Domain) response to your request is authentic, provided you can trust the operators of the higher-level domains up to the DNS root, or another anchor point for which you can check the key.
Assuming that TPB has a domain outside SOPA's jurisdiction, and you either have an anchor for that TLD or trust the root domain, this means that while your ISP can still refuse to give you the address for TPB's domain (with either no response or a server error), it can't supply the wrong address or claim that the domain doesn't exist, since you would immediately know that it's lying.
The operator of TPB would have to be stupid not to enable DNSSEC, if it's available for that TLD, since it serves to prevent visitors from being silently redirected to some other site. Using DNSSEC doesn't give ISPs an additional way of blocking your site; on the contrary, it makes it much more obvious when they attempt to do so.
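The validation behaviour described in the comment above, as an added example that is not part of the original thread: a client holding a trust anchor accepts a signed answer, rejects a rewritten address or an unsigned NXDOMAIN as bogus, and sees a refusal as nothing more than a missing answer. Assumptions: Lamport one-time signatures replace DNSSEC's real signature algorithms so the code needs only the standard library, the chain is shortened to one level (root to zone), the `" A "`/`" NSEC "` type check is a simplification of authenticated denial, and the zone name, addresses and the `isp_*` key are constructed.

```python
import hashlib, os

# Lamport one-time signatures stand in for DNSSEC's real algorithms (assumption).
H = lambda b: hashlib.sha256(b).digest()

def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]
def verify(pk, msg, sig):
    return bool(sig) and len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def key_digest(pk):
    return H(b"".join(a + b for a, b in pk))

# Constructed sample data: "example." zone, documentation-range addresses.
root_sk, ROOT_ANCHOR = keygen()                # trust anchor held by the client
zone_sk, zone_pk = keygen()                    # zone's signing key (DNSKEY)
DS = key_digest(zone_pk)                       # parent's DS record for the zone
DS_SIG = sign(root_sk, b"example. DS " + DS)   # parent vouches for the zone key
RRSET = b"www.example. A 192.0.2.10"
HONEST = {"rcode": "NOERROR", "data": RRSET, "sig": sign(zone_sk, RRSET),
          "dnskey": zone_pk, "ds": DS, "ds_sig": DS_SIG}

def validate(resp):
    if resp is None:
        return "no-answer"   # refusal or drop: visible, but nothing forged
    if (not verify(ROOT_ANCHOR, b"example. DS " + resp["ds"], resp["ds_sig"])
            or key_digest(resp["dnskey"]) != resp["ds"]):
        return "bogus"       # chain from trust anchor to zone key is broken
    want = b" A " if resp["rcode"] == "NOERROR" else b" NSEC "
    if want not in resp["data"] or not verify(resp["dnskey"], resp["data"], resp["sig"]):
        return "bogus"       # answer or denial lacks a valid zone signature
    return "secure"

def scenarios():
    fake = b"www.example. A 198.51.100.66"
    isp_sk, isp_pk = keygen()   # hypothetical key owned by a rewriting resolver
    forged = {**HONEST, "data": fake}
    resigned = {**forged, "sig": sign(isp_sk, fake), "dnskey": isp_pk}
    denied = {**HONEST, "rcode": "NXDOMAIN", "data": b"", "sig": None}
    return {"honest": validate(HONEST), "rewritten": validate(forged),
            "re-signed": validate(resigned), "fake-nxdomain": validate(denied),
            "refused": validate(None)}
```
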
Re:How about going back to flat-rate data? (Score:4, Insightful)
Not quite, data caps are there so that ISPs don't have to have the bandwidth that they promise in their ads. There's something really wrong when a company can advertise something and then modify it to be something completely different via fine print that might not even be legible in the ad.
Re:DNSSEC (Score:2, Insightful)
Nothing sucks balls worse than being forced to use a shitty-ass DNS lookup server hosted by a shitty-ass ISP in the middle of nowhere.
This is what we'd call a first world problem.... I can think of quite a few things more unpleasant than being forced to use a DNS server hosted out in the middle of nowhere...
Re:DNSSEC (Score:3, Insightful)
2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.
No, haven't you heard? They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States. Constitutional rights are only for US citizens, don'tchaknow.
Re:How about going back to flat-rate data? (Score:5, Insightful)
Is there really a tie in mechanism with DNSSEC?
It is widely understood that SOPA will break DNSSEC, because it requires intermediaries to modify DNS responses, which looks to DNSSEC like a man in the middle attack (because it is one).