Forgot your password?
typodupeerror
Networking Security The Internet

Comcast DNSSEC Goes Live 165

Posted by Soulskill
from the ahead-of-expectations dept.
An anonymous reader writes "In a blog post, Comcast's Jason Livingood has announced that Comcast has signed all of its (5000+) domains in addition to having all of its customers using DNSSEC-validating resolvers. He adds, 'Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names.'"
This discussion has been archived. No new comments can be posted.

Comcast DNSSEC Goes Live

Comments Filter:
  • Just in time (Score:5, Insightful)

    by Anonymous Coward on Tuesday January 10, 2012 @06:56PM (#38657348)
    There won't be much point to this if SOPA / PIPA passes, requires DNS redirects, and bans circumvention.
    • Re: (Score:3, Informative)

      Only DNS that is signed by your government overlords will be allowed. All other DNS will be shot, banninated from the internets, and subject to prosecution.

      There. DNSSEC has a point now with SOPA. :)

    • by shentino (1139071)

      Can't the feds just order the registry to nuke the master record?

  • DNSSEC (Score:5, Insightful)

    by girlintraining (1395911) on Tuesday January 10, 2012 @06:58PM (#38657374)
    Yes, and for our next trick, we're going to disable end-users' ability to do their own DNS lookups to only our servers -or- selectively deny DNS lookups that have a destination outside the United States. You know... to stop people from getting around SOPA and other anti-piracy measures. YAY DNSSEC! /sarcasm.
    • by StikyPad (445176)

      SOPA breaks DNSSEC -- that's one of its main problems from a technological perspective. And there's no way to prevent someone from using another DNS server, or just a hosts file.

      • SOPA breaks DNSSEC -- that's one of its main problems from a technological perspective.

        I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."

        DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

        If anything, DNSSEC makes SOPA more powerful because I can't just setup a rogue DNS server, change it to authoritative f

        • Re:DNSSEC (Score:4, Insightful)

          by Anthony Mouse (1927662) on Tuesday January 10, 2012 @07:52PM (#38657958)

          I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."

          1) That is not even close to the same argument as the one being made.
          2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.

          DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

          Removing the domain would break DNSSEC, since the removal would not be signed and the signing entity may not be subject to US jurisdiction (or may refuse on first amendment grounds etc.)

          More than that, the user can trivially work around the removal of the DNS entry merely by using a DNS server in another country. Effectively preventing the user from communicating with servers in other countries would severely break the internet, which is part of the problem that people are concerned about.

          • Re: (Score:3, Insightful)

            2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.

            No, haven't you heard? They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States. Constitutional rights are only for US citizens, don'tchaknow.

            • Constitutional rights are only for US citizens, don'tchaknow.

              Except they're not... not that the Powers That Be would care.

            • They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States.

              That would take two-thirds of both houses and three-fourths of the states because as I understand it, the Fourteenth Amendment locks in the citizenship of anyone born here.

              • by rubycodez (864176)
                they already can imprison you indefinitely or assassinate you or sexually molest you or your children "for cause", anything else being discussed is just icing on the cake for our police state
        • DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

          Nor was it ever intended to be -- those sites (i.e. the ones within range of the Marshals) are already easy enough to deal with lawfully. The issue was when some guy in Kerbleckistan runs a server that you've got a court order against, you can't do much unless you've got the power to order DNS servers not to give out his IP or black him out of the BGs (with Marshals to back it up).

      • by makomk (752139)

        Guess who controls the DNSSEC trusted root key? That's right, an American organization.

      • by KiloByte (825081)

        there's no way to prevent someone from using another DNS server

        for prot in tcp udp; do iptables -t nat -A PREROUTING -i lan0 -p $prot --dport 53 -j REDIRECT;done
        Use -j DNAT if the DNS server is on another box.

        Quite a bunch of ISPs do that already.

    • Quite a few big companies use OpenDNS. If business and users get blocked from using a 3rd party DNS lookup providers, there will be hell to pay. Nothing sucks balls worse that being forced to use a shitty-ass DNS lookup server hosted by a shitty-ass ISP in the middle of nowhere. Hosted off an old Dell Dimension collecting dust in the corner someplace no doubt.

      • Re: (Score:2, Insightful)

        by mcrbids (148650)

        Nothing sucks balls worse that being forced to use a shitty-ass DNS lookup server hosted by a shitty-ass ISP in the middle of nowhere.

        This is what we'd call a first world problem.... I can think of quite a few things more unpleasant than being forced to use a DNS server hosted out in the middle of nowhere...

        • Oh come on! This whole topic is a first world problem. But thanks for making me out to be detached from reality.

          • by KiloByte (825081)

            People in Egypt or Syria suffer from internet censorship just the same, and for them communication is a matter of freedom or slavery. Not a first world problem in my book.

    • by jon3k (691256)
      They can't outright block DNS traffic. They attempted to throttle traffic, not even block, and got their hand slapped. And when you start monkeying with traffic it gets a lot harder to fall back on Safe Harbor provisions of the DMCA, which can put them in a very precarious position.
      • by ftobin (48814) *

        I was under the impression they were injecting TCP RST packets, not throttling. Big difference.

      • by KiloByte (825081)

        That's why they want to replace "merely" oppressive law with few upsides like the DMCA with something downright ridiculous that allows censorship with impunity.

    • Can do this today without DNSSEC...

  • I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledged...
    • Re:SOPA and DNSSEC? (Score:5, Informative)

      by girlintraining (1395911) on Tuesday January 10, 2012 @07:13PM (#38657544)

      I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledged...

      Well, let's try a car analogy. Before DNSSEC, anyone could put up a road sign, and you'd have no way of knowing whether it would send you the right way or not. There were a few publicized cases of cars going down the wrong road, a few pileups, but most people got to/from work everyday.

      However, some very smart people were worried some other smart people could swap the road signs. So they added smaller digital tags on the back of the signs that had a special number encoded in it and the name of the municipality that placed the sign there. You need a special box to tell you what it says. Not many people were keen on spending the money to impliment this, since the only people that could read the special codes were police, firefighters, and some guys riding around in black SUVs. For the majority of drivers, nothing changed.

      Separately, these municipalities were threatened with lawsuits by very large companies and the government if they allowed signs to stay up on roads they didn't like, or went to places they didn't like... So they've been busy tearing down signage all over the place to appease these well-monied interests. Sometimes the signs being taken down have the little tags, but most of the time they don't. Drivers that are familiar with the area won't have a problem because they know the address and route already, but younger, and inexperienced drivers might not, and for them, these new laws could keep them from getting to those places.

      • by Synerg1y (2169962)

        I like the analogy, it explains both SOPA & DNSSEC, but unless I'm missing something, they are not related in any relevant way, where one actually requires the other. Picture this, I go to the pirate bay, but SOPA blocks me, so I hop on a. a proxy b. a non-usa dns server. I don't need b but some people do. Now... to the point... if tpb is running dnssec and the dns server i'm on doesn't have a valid signature for tpb cert, and doesn't allow non-cert users, i'd be screwed. Except... the web admin of

        • by jon3k (691256)
          SOPA doesn't stop any competent person from getting to anything.
        • by JesseMcDonald (536341) on Tuesday January 10, 2012 @08:09PM (#38658148) Homepage

          The relationship is the other way around. SOPA is a law which forces ISPs and registrars within its jurisdiction to block certain DNS requests. DNSSEC is a means of signing both individual domain records and chains of domains so that you know that the domain data and/or NXDOMAIN (No Such Domain) response to your request is authentic, provided you can trust the operators of the higher-level domains up to the DNS root, or another anchor point for which you can check the key.

          Assuming that TPB has a domain outside SOPA's jurisdiction, and you either have an anchor for that TLD or trust the root domain, this means that while your ISP can still refuse to give you the address for TPB's domain (with either no response or a server error), it can't supply the wrong address or claim that the domain doesn't exist, since you would immediately know that it's lying.

          The operator of TPB would have to be stupid not to enable DNSSEC, if it's available for that TLD, since it serves to prevent visitors from being silently redirected to some other site. Using DNSSEC doesn't give ISPs an additional way of blocking your site; on the contrary, it makes it much more obvious when they attempt to do so.

        • by nullchar (446050)

          You're wrong because DNSSEC is backwards compatible. The authoritative servers can sign TPB.org tomorrow, and until people use DNSSEC-enforced DNS resolvers, it won't matter. Your regular old DNS resolver will simply ignore the RRSIG records and the signed hierarchy. Now if you're a Comcast user, you will be able to validate the response: meaning visiting TBP.org won't send you to a bogus site because the A record can't be poisoned.

          • by jroysdon (201893)

            You can validate all responses with no DNSSEC support in your DNS resolvers. All you need is the root zone key and verify from there down. Example: run your own BIND server with DNSSEC enabled and never use your ISP's.

        • Re:SOPA and DNSSEC? (Score:5, Informative)

          by Anonymous Coward on Tuesday January 10, 2012 @08:27PM (#38658290)

          It's not about disabling DNSSEC. DNSSEC allows a resolver (your machine) to verify that the DNS answers it gets (from a cache, an ISP server, or wherever) are authentic records from the DNS hierarchy. Without DNSSEC you just accept whatever you're told on trust. Your ISP, or some script kiddie in Poland, can fuck with the answers and your first clue will be when TPB is just a blank page saying piracy is illegal or call Czeslaw for a good time.

          The point is that DNSSEC will still tell the truth even when the government requires your ISP to lie to you. If you ask "Where is TPB?" under DNSSEC the only possible answers are "Here is the true authentic address for TPB" or "Error, someone is fucking with your DNS resolution". The US government would love the answer to be "Here is a US government web site reminding you that you are the property of Corporate America and subject to its whims" but DNSSEC rules that out. For US registries (like com) the US government can just go tell the registry operator to do what it says or go to jail. But to change the answers to the questions in non-US registries the most obvious option US government has is to put a bunch of men with guns on a helicopter, fly into another country and go break down the doors of the relevant DNS registry and insist they change the authentic records so that DNSSEC checks out OK.

          Now I'm sure in the heads of the average 60-something senator voting for these measures that sounds proportionate. It's terrorists, or something, right? We're fighting a war here - the blood of patriots must flow and so on. But when you explain to a Navy seal that he's to go risk his neck so some fucker in a Hollywood corner office can afford to buy an extra yacht, that's going to stick.

          Nobody is going to give that order. So if you have DNSSEC, the results of SOPA will be that you see errors every time you hit a page the government is censoring. Consider it your daily reminder that the US government works for the guy with the deepest pockets.

    • by shentino (1139071)

      Actually, what's to stop SOPA from going after verisign and telling them to change the zone info directly?

      DNSSEC only authenticates.

      But it doesn't stop a legal process from changing the authoritative information itself.

      • by nullchar (446050)

        Exactly, SOPA DNS blocking won't be limited to recursive resolvers at ISPs, it will be implemented at the registry level. VeriSign will get the order and remove the name servers for ThePirateBay.com from the .com zone file.

      • Actually, what's to stop SOPA from going after verisign and telling them to change the zone info directly?

        The fact that the U.S. Government lacks jurisdiction to do that to offshore registries not controlled by VeriSign or any other U.S. entity, such as the many country code TLDs used in cute domain hacks [wikipedia.org].

  • by pavon (30274) on Tuesday January 10, 2012 @07:02PM (#38657436)

    Given that Comcast has been more proactive about implementing DNSSEC than all the other major ISPs, I was very surprised to learn that they support SOPA [house.gov], which will make it impossible to for ISPs to implement DNSSEC. I assume that their stance is motivated by the fact that they own half of NBC, and I wonder how their engineering staff plans on handling this situation if the bill is passed.

panic: kernel trap (ignored)

Working...