Comcast Launches First Public US Trial of DNSSEC

← Back to Stories (view on slashdot.org)

Comcast Launches First Public US Trial of DNSSEC

Posted by kdawson on Tuesday February 23, 2010 @07:41AM from the am-who-i-am-because-i-say-so dept.

cryan7755 and netbuzz both sent along a NetworkWorld story on Comcast's public test deployment of DNSSEC. Here is the company's blog post announcing the trial. "Comcast this morning announced what is believed to be the first public test deployment of DNS Security Extensions. The company says it has deployed DNSSEC throughout its nationwide network and will immediately make validating servers available to customers. In addition, Comcast said it would digitally sign all of its own domain names using DNSSEC by early next year. 'There is often talk about a chicken-and-egg sort of problem with DNSSEC. People don’t want to sign their own domains with DNSSEC until people are validating signatures,' says Jason Livingood, Executive Director of Internet Systems Engineering at Comcast. 'We want to explain how we as an ISP have a roadmap for validating signatures with DNSSEC.'"

83 of 100 comments (clear)

Min score:

Reason:

Sort:

Err, but .COM is not valid for a while by Anonymous Coward · 2010-02-23 07:47 · Score: 1, Interesting

That's great, but VERISIGN will not setup DNSSEC for .COM for some time.
http://www.root-dnssec.org/
It's great that ISPs enable DNSSEC in their DNS servers, but until .COM and the like are not signed, the point is a little moot?
1. Re:Err, but .COM is not valid for a while by nbvb · 2010-02-23 07:50 · Score: 2, Interesting
  
  It's still great to see the providers bootstrapping DNSSEC. We need more of them onboard before you see widespread adoption.
  I have a feeling you're going to see DNSSEC explode in a big way soon .... Comcast isn't the only ISP implementing it.
2. Re:Err, but .COM is not valid for a while by Red+Flayer · 2010-02-23 08:56 · Score: 1
  
  It's great that ISPs enable DNSSEC in their DNS servers, but until .COM and the like are not signed, the point is a little moot?
  Well, that's kind of the point of the chicken-and-egg conundrum mentioned in the summary.
  
  No one will sign until validation is being done, but no one has bothered setting up validation because no one was signing.
  
  So Comcast has said, screw it, we'll create the chicken de novo, we don't need to hatch it from no stinkin' egg.
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
3. Re:Err, but .COM is not valid for a while by allo · 2010-02-23 09:10 · Score: 1
  
  most of non-usa sites do not use .com so dnssec is still great for all other people.
4. Re:Err, but .COM is not valid for a while by ctg1701 · 2010-02-23 09:17 · Score: 4, Interesting
  
  The point is testing this on smaller TLD. We have been working with .ORG and other TLDs to test DNSSEC for a while now. When the time comes for a signed root and .COM and .NET signed, we will be ready.
  Thanks
  Chris Griffiths
  Comcast
5. Re:Err, but .COM is not valid for a while by value_added · 2010-02-23 11:38 · Score: 1
  
  The point is testing this on smaller TLD. We have been working with .ORG and other TLDs to test DNSSEC for a while now. When the time comes for a signed root and .COM and .NET signed, we will be ready.
  Less vague (from http://lists.freebsd.org/pipermail/freebsd-arch/2010-February/009908.html):
  
  While there are many early adopters of DNSSEC today, including many Top Level Domains (TLDs) the linchpin event that most people are waiting for in order to get really excited about DNSSEC deployment is the signing of the root zone. The plans for this have been laid, and the first stages of the deployment of the signed zone are already under way. You can read all about these plans, and the projected timetable at http://www.root-dnssec.org/. The key elements of the timetable are that by the end of May all root name servers will be serving a zone that contains DNSSEC signatures, although they will be unvalidatable (for a variety of complicated reasons outside the scope of this document). Assuming that there are no show-stopping problems in the initial deployment phases by July 1st the real root zone keys will have been published, and the real zone will be signed on the root name servers.
  If you follow the link for that announcement, you can read more about Bind-specific issues, and Bind issues as they relate to FreeBSD.
6. Re:Err, but .COM is not valid for a while by socsoc · 2010-02-23 13:24 · Score: 1
  
  I'm still waiting for IPv6 to be implemented.
7. Re:Err, but .COM is not valid for a while by Eil · 2010-02-23 14:32 · Score: 3, Funny
  
  Dammit Chris, it's bad enough that your company is doing good things for the Internet like early IPv6 and DNSSEC adoption. Now you have the gall to come onto my Slashdot with your polite and informative answers. It's really starting to threaten my rage-induced perception of Comcast as World's Most Evil Cable Company and that's not something I'll give up without a fight!
umm. by zero0ne · 2010-02-23 08:03 · Score: 1

Don't they mean Xfinity?
1. Re:umm. by Conchobair · 2010-02-23 08:07 · Score: 1
  
  The company is in the process of rebranding. It has started with a push during the 2010 Winter Olympic Games and has started in large markets. It is expected to continue transistioning through the end of this year.
2. Re:umm. by FlyingBishop · 2010-02-23 09:01 · Score: 1
  
  Why are they posting good publicity under the old name?
3. Re:umm. by oasisbob · 2010-02-23 09:09 · Score: 1
  
  No, they don't. Comcast will still be Comcast.
  Comcast's services (High Speed Internet, digital TV, etc) are being rebranded Xfinity.
  So, class, let's use 'Xfinity' in a sentence. Repeat after me: "When you have no other competitors in your local area, you pick up a phone and order Xfinity from Comcast."
4. Re:umm. by oasisbob · 2010-02-23 09:16 · Score: 4, Interesting
  
  Probably because they aren't rebranding their corporate entity.
  Also, if you think this is the first cool thing Comcast has done in support of the internet, you're dead wrong. They have some very talented and involved engineers working hard on IPv6, publishing IETF drafts on IPv6 transition strategies, making nice after their BitTorrent escapades, etc.
  Say what you will about their business practices, customer service, reliability, whatever... But when it comes to IPv6 and being involved in the technical community, they're kicking ass and taking names.
Can use 75.75.75.75 externally by vlm · 2010-02-23 08:16 · Score: 4, Informative

The most interesting part of the article didn't make the summary...
"Opt-in by changing your DNS server IP addresses to 75.75.75.75 and 75.75.76.76 (we'll be adding IPv6 addresses soon)."
75.75.75.75 will answer outside of the comcast network... so I can use it to test DNS entries. (Or presumably someone could use it in an amplifier attack)

--
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
1. Re:Can use 75.75.75.75 externally by ctg1701 · 2010-02-23 08:45 · Score: 2, Insightful
  
  Curious where you are testing this from. We verified and none of the servers behind our Anycast system are available off-net.
  Thanks
  Chris Griffiths
  Comcast
2. Re:Can use 75.75.75.75 externally by bill_mcgonigle · 2010-02-23 08:53 · Score: 1
  
  "Opt-in by changing your DNS server IP addresses to 75.75.75.75 and 75.75.76.76 (we'll be adding IPv6 addresses soon)."
  Oh, wow, NXDOMAIN's back from Comcast!
  $host noob.floop.zop 75.75.75.75
  Using domain server:
  Name: 75.75.75.75
  Address: 75.75.75.75#53
  Aliases:
  Host noob.floop.zop not found: 3(NXDOMAIN)
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
3. Re:Can use 75.75.75.75 externally by Red+Flayer · 2010-02-23 09:00 · Score: 1
  
  Curious where you are testing this from. We verified and none of the servers behind our Anycast system are available off-net.
  vlm forgot to mention that he works for the NSA and is using their backdoor access path.
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
4. Re:Can use 75.75.75.75 externally by vlm · 2010-02-23 09:01 · Score: 1
  
  Oh thats nothing.
  Your request gives a response of 107 bytes, according to dig. Blah.
  Try "dig +bufsize=4096 +dnssec any isc.org @75.75.75.75" you get a 5279 byte response.
  Now forge the source address to be someone else's address, and you've just (re-)invented the DNS amplifier attack.
  Hopefully they rate limit the heck out of it.
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
5. Re:Can use 75.75.75.75 externally by vlm · 2010-02-23 09:04 · Score: 2, Funny
  
  vlm forgot to mention that he works for the NSA and is using their backdoor access path.
  I can neither confirm nor deny that. Our backdoor access path is too busy monitoring the activities of RedFlayer to run DNS queries on it. Just kidding.
  However, I can confirm I tried it again about 10 seconds ago and got: ;; ->>HEADER- opcode: QUERY, status: REFUSED, id: .......
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
6. Re:Can use 75.75.75.75 externally by bill_mcgonigle · 2010-02-23 09:15 · Score: 1
  
  How is this different from any other ISP's DNS server (except the payload size)?
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
7. Re:Can use 75.75.75.75 externally by vlm · 2010-02-23 10:46 · Score: 1
  
  Its different in that they let me use it.
  Assuming you use BIND, most places have something like this in named.conf on their customer facing DNS server so that only your paying users have access. Theoretically if some goofball tries a DNS amplifier attack you'll be able to track them more effectively on your own network... Also if everyone else forbid query and recursion, then you'd not be able to use their servers as an amplifier, and crippling your own ISPs DNS server seems rather counterproductive.
  Admittedly, if you want to whack someone with ten times the bandwidth, now-a-days the crooks use a botnet thats just ten times as big. Also, admittedly, now a days, there is no good reason to allow a DNS server to use your entire internet bandwidth, so rate limit it on the router by host or vlan to 50K or whatever seems appropriate. In which case it amplifies, but is not a very "loud" amplifier. It does kind of obfuscate your source address. Then again, with botnets everywhere, no one really cares about source addresses, its just another bot.
  So, its a semi-obsolescent attack vector now a days.
  I wonder if the slashdot html filter will allow this to pass:
  acl our-addresses {
  10.0.0.0/8;
  };
  options {
  allow-query { our-addresses; };
  allow-recursion { our-addresses; };
  }
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
8. Re:Can use 75.75.75.75 externally by vlm · 2010-02-23 10:49 · Score: 1
  
  Assuming you use BIND, most places have something like this in named.conf on their customer facing DNS server so that only your paying users have access. Theoretically if some goofball tries a DNS amplifier attack
  Holy bad proofreading... what I meant to say, is if I'm trying to attack someone "far away" and the DNS server ACL doesn't permit queries from that victim, then you can't forge their address as your source address and get the amp to amplify... the dns server sees a query from an address that is not permitted, and drops it. So if I'm on ISP A trying to DDOS someone on ISP C by using a DNS server on ISP B, if ISP B doesn't allow queries from ISP C, I can't do the DDOS.
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
9. Re:Can use 75.75.75.75 externally by bill_mcgonigle · 2010-02-23 11:02 · Score: 1
  
  Its different in that they let me use it.
  It works for me on my Comcast line and not on my Level 3 line.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
GOOD WORK ! by johnjones · 2010-02-23 08:18 · Score: 1

finally a ISP who makes this a feature !
if a ISP would do this in the UK I would use them...
its a feature you should ask for in your ISP !
regards
John Jones
Re:inconsistent message by zappepcs · 2010-02-23 08:25 · Score: 2, Funny

Dear customer, we want your web browsing experience to be as secure as possible, however we still want to be able to hear you sing happy birthday to aunt Margaret. Did you decide to send her the chocolates and candles you were discussing with your sister?
Regards
Comcast Customer Services
For your information:
People who sent chocolates and candles for birthdays also chose: ...

--
Support NYCountryLawyer RIAA vs People
Benefits of DNSSEC? by Apple+Acolyte · 2010-02-23 08:29 · Score: 1

I'm pretty knowledgeable when it comes to new Internet tech, but I don't offhand know the benefits of DNSSEC or much about it other than it has to do with Doman Name Servers and Security (I assume encryption). Is it a complement to SSL? Does it help secure browsing sessions or is it more about identifying and authenticating legitimate domain names versus questionable ones? I guess I'll have to read up on it.

--
Part of the hardcore faithful who believed in Apple long before it was cool again to do so
1. Re:Benefits of DNSSEC? by lucifuge31337 · 2010-02-23 08:33 · Score: 1
  
  I'm pretty knowledgeable when it comes to new Internet tech
  
  [...]
  
  PowerPC zealot
  Does not parse.
  
  --
  Do not fold, spindle or mutilate.
2. Re:Benefits of DNSSEC? by elfprince13 · 2010-02-23 08:36 · Score: 2, Funny
  
  I think I can explain
3. Re:Benefits of DNSSEC? by characterZer0 · 2010-02-23 08:49 · Score: 2, Informative
  
  DNSSEC increases your maintenance costs (constant resigning even if no changes), makes DYNDNS servers harder to run, exposes your zone data, and helps DDOS attacks.
  Did I miss anything?
  
  --
  Go green: turn off your refrigerator.
4. Re:Benefits of DNSSEC? by Finallyjoined!!! · 2010-02-23 08:50 · Score: 1
  
  Ah well, "Apple Acolyte" you may be pretty knowledgeable as far as being an Apple user goes, but part of being pretty knowledgeable in the rest of the world involves, I know it may come as a shock, but stay with me for a moment; reading the sodding article!!
  
  Posting to remove a scroll-locked mod mod :-(
  
  --
  If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
5. Re:Benefits of DNSSEC? by supradave · 2010-02-23 09:07 · Score: 1
  
  Guaranteeing that the domain and IP address are what they should be is the benefit. In a properly configured DNSSEC deployment, with the appropriate security protecting your keys, then the man-in-the-middle attack that's currently capable with SSL today is next to impossible. Getting poisoned results could happen, but you're assured that it's not the correct response.
  For example, .gov has signed some of their zones (failed to meet the mandate?). In an emergency, isn't it better to have the actual government site then some bogus site that directs you to the wrong place to get your water?
6. Re:Benefits of DNSSEC? by vlm · 2010-02-23 09:13 · Score: 1
  
  Did I miss anything?
  You forgot to add that it'll be bypassed anyway. And it burns CPU time / latency, for pretty much nothing.
  The idea is you sign yer zone with someone elses "well known" key, not all the different than how SSL / HTTPS works.
  Thus, in theory, assuming no one upstream screws up, it prevents forgeries, man in the middle attacks, phishing websites, etc.
  However, the same people that screw up their SSL / HTTPS config and convince everyone to just click thru the error messages, will be running/ruining their dnssec config, and trying to convince everyone to just click thru the error messages and/or disable dnssec on their machine.
  From that point of view its kind of an insanity. The general procedure / architecture for SSL/HTTPS didn't work to secure web browsing, so lets try more or less the same thing for DNS! I'm sure it'll turn out different this time!
  The consultants will make money. Other than that....
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
7. Re:Benefits of DNSSEC? by wintercolby · 2010-02-23 09:13 · Score: 2, Insightful
  
  DNSSEC is a set of security extensions for DNS:
  
  DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
  Taken from DNSSEC.net
  
  --
  Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
8. Re:Benefits of DNSSEC? by pentalive · 2010-02-23 09:14 · Score: 1
  
  Don't forget "DNSSEC is a response to DNS cache poisoning an prevents the attack where an attacker can cause your browser to go to his phishing site when you enter the URL of your bank's website"
9. Re:Benefits of DNSSEC? by DarkSkiez · 2010-02-23 09:14 · Score: 1
  
  I've not deployed DNSSEC, but i was interested by your comments about exposing zone data at least.
  I did a quick google and it suggests that used to be the case but from bind 9.6.0 onwards it can use NSEC3 to hash the child names.
  Worth looking into for anyone who is concerned.
10. Re:Benefits of DNSSEC? by wintercolby · 2010-02-23 09:22 · Score: 1
  
  Can't you see by his Slashdot ID that he's an old-school /.er? They never RTFA and rely on karma whores [guilty] to provide the information from the article in a very short and to the point snippet of quote.
  
  --
  Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
11. Re:Benefits of DNSSEC? by Voyager529 · 2010-02-23 09:24 · Score: 1
  
  Maybe I'm alone in this, but in an emergency whereby I'd be dependent on the government for water, I'm fairly certain that my first reaction is NOT going to bear any resemblance to the following: "My family hasn't had a drop of sanitary water in three days. I should use the Internet instead of the phone or TV or radio broadcasts and e-mail the president and ask him to help...wait, this doesn't look like an official website! Blast! Somebody must be hacking DNS servers to prevent me from getting water!"
12. Re:Benefits of DNSSEC? by characterZer0 · 2010-02-23 09:36 · Score: 1
  
  Sure. So you get all the hashes in 2 minutes and then you have a month to crack them before the responses change.
  
  --
  Go green: turn off your refrigerator.
13. Re:Benefits of DNSSEC? by characterZer0 · 2010-02-23 09:39 · Score: 1
  
  Now: Phisher gives a bogus IP address and you see an SSL certificate error.
  With DNSSEC: Phisher gives a bogus DNS response and you see a DNS error.
  Yay, sign me up.
  
  --
  Go green: turn off your refrigerator.
14. Re:Benefits of DNSSEC? by supradave · 2010-02-23 11:05 · Score: 1
  
  I know that's a bad example, but it was the only one I could think of.
  Would tax forms have been a better example?
15. Re:Benefits of DNSSEC? by nine-times · 2010-02-23 11:19 · Score: 2, Informative
  
  However, the same people that screw up their SSL / HTTPS config and convince everyone to just click thru the error messages, will be running/ruining their dnssec config
  Well it's kind of funny that this is your complaint, since one of the reasons admins ask people to click through the error message is that they have self-signed certs because they don't want to pay ridiculous amounts of money to a CA. From what I understand, (which admittedly is limited) DNSSEC could possibly open the door to putting signed public keys into DNS records, which would mean you wouldn't really need SSL certificate authorities.
  So instead of being the same problems as SSL all over again, this could help address the SSL problems. Maybe. I still suspect certificate authorities will find a way to keep anything like that from happening.
16. Re:Benefits of DNSSEC? by Intron · 2010-02-23 11:35 · Score: 1
  
  DNSSEC increases your maintenance costs (constant resigning even if no changes), makes DYNDNS servers harder to run, exposes your zone data, and helps DDOS attacks.
  Did I miss anything?
  The internet is currently not controlled by anyone but DNSSEC changes this by requiring every domain to have a traceable certificate. Look for greater centralized control by people saying "think of the children" and "this will only be used to combat terrorism". It also pretty much guarantees that new clients will be written to allow DNS lookups in both the "official" root zone and under alternative roots.
  
  --
  Intron: the portion of DNA which expresses nothing useful.
17. Re:Benefits of DNSSEC? by supradave · 2010-02-23 11:40 · Score: 1
  
  If the roots signed and then .com signed, there would be some benefits over time as more and more domains sign their zones. If there was some policy as to getting the signing key from the parent, exammple.com may not be able to validate with DNSSEC and the ignorant might be a little more secure. The more that sign, the less spam you might get from a botnet or some spam house.
  There are benefits and when only a few people have
18. Re:Benefits of DNSSEC? by characterZer0 · 2010-02-23 16:05 · Score: 1
  
  You still need validated HTTPS certificates because nobody is verifying that when I register hsbcbankusa.com that I am actually HSBC.
  
  --
  Go green: turn off your refrigerator.
19. Re:Benefits of DNSSEC? by nine-times · 2010-02-23 17:25 · Score: 1
  
  Fine, for the 1% of websites that bother with the "extended validation", they'll continue to do that. For everyone else, it really doesn't matter.
  Or what, you think that most CAs actually verify anything? You think that if you registered www.hsbcbankusa.org (it's not taken!) that you couldn't get a certificate authority to give you a valid cert? Of course you could.
  In 99% of cases, the point of SSL certs is not to validate the identity of the person running the site. The point is to encrypt traffic. The reason we need certificate authorities is that we need a chain of trust prevent man-in-the-middle attacks. All you need is a way to pass public keys and verify that the keys belong to whoever controls the domain.
20. Re:Benefits of DNSSEC? by Bombcar · 2010-02-23 17:57 · Score: 1
  
  Remember that StartSSL.com gives out free SSL certificates. There's no reason to be running self-signed certificates anymore.
  
  --
  Fellowship 9/11
21. Re:Benefits of DNSSEC? by baerm · 2010-02-24 06:23 · Score: 1
  
  Sure. So you get all the hashes in 2 minutes and then you have a month to crack them before the responses change.
  The resources needed to crack one-way hashes of a domain: vey high (probably on exhaustive search of the name space, have fun).
  The gain of cracking the hashes: the zone file info for that zone.
  My guess is the result, assuming it's even realistic to get in a decent time frame (year?, 10years?, how much resources do you have to throw at it?), would not be worth the effort.
22. Re:Benefits of DNSSEC? by baerm · 2010-02-24 06:25 · Score: 1
  
  DNSSEC increases your maintenance costs (constant resigning even if no changes), makes DYNDNS servers harder to run, exposes your zone data, and helps DDOS attacks.
  Did I miss anything?
  The internet is currently not controlled by anyone but DNSSEC changes this by requiring every domain to have a traceable certificate. Look for greater centralized control by people saying "think of the children" and "this will only be used to combat terrorism". It also pretty much guarantees that new clients will be written to allow DNS lookups in both the "official" root zone and under alternative roots.
  I thought I should clear up some worry:
  1. DNS does not require DNSSEC. You can still have domains that work just like they do today that do not use the security extensions of DNSSEC. I.e., no more centralized control than you already have today with DNS.
  2. On the other hand, I'm not sure what control 'the man' (heh) would have that they don't currently have with DNS. For .com domains, a user goes to the .com servers to find out which DNS they should query for a zone. With DNSSEC, a user would still go to the .com servers to find out which DNS they should query for a zone and also get a fingerprint of the trust anchor for that zone. I don't see any extra control really.
  3. You can use DNSSEC without providing your public key to the upstream domain (like .com or .net). In this case, everyone that wants to use DNSSEC for your domain would have to get your trust anchor through a separate path. They wouldn't need the root TA to trust your zone, but they would have to figure out how to get your TA. This is a bit of a pain, but doable. And, of course, you can still just use DNS without the security extensions.
23. Re:Benefits of DNSSEC? by Intron · 2010-02-25 10:14 · Score: 1
  
  You are currently not required to use DNSSEC, however once it becomes widespread it will become required. The reason is that the victims of phishing (banks, credit card companies, etc.) will demand it. ISPs and Registrars will have no reason to disagree because they make money from domain registrations.
  The additional control is not over the lookup process, it is the centralized nature of the certificate and domain registration process. Good luck getting anyone to your site if you aren't trusted from root. I expect giant blinking warnings in Firefox and IE.
  
  --
  Intron: the portion of DNA which expresses nothing useful.
Re:The sticking point... by Abcd1234 · 2010-02-23 08:30 · Score: 3, Interesting

Say what you want about Comcast's customer policies, it's clear that they're almost as foresighted as Google when it comes to deploying next generation networking technologies, not only deploying DNSSEC, but also beginning an opt-in IPv6 transition project.
In short: Credit where credit is due. At least *someone* is looking to the future and working toward it.
Comcast DNS hijacking? by MobyDisk · 2010-02-23 08:40 · Score: 1

Are the Comcast DNS servers still redirecting mistyped domains to advertising servers?
1. Re:Comcast DNS hijacking? by bill_mcgonigle · 2010-02-23 08:58 · Score: 1
  
  Are the Comcast DNS servers still redirecting mistyped domains to advertising servers?
  no (at least not yet):
  $host noob.floop.zop 75.75.75.75 Using domain server: Name: 75.75.75.75 Address: 75.75.75.75#53 Aliases:
  Host noob.floop.zop not found: 3(NXDOMAIN)
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
2. Re:Comcast DNS hijacking? by ctg1701 · 2010-02-23 09:16 · Score: 5, Informative
  
  You should read our FAQ on the DNSSEC trial, particularly this section:
  http://www.dnssec.comcast.net/faq.htm#faq7
  What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC?
  We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
  Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.
  The DNSSEC trial servers we are announcing today do not have Comcast Domain Helper's DNS redirect functionality enabled.
  We plan to update our IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, to reflect this in the coming months.
3. Re:Comcast DNS hijacking? by bill_mcgonigle · 2010-02-23 09:25 · Score: 1
  
  Super, that's great news.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
4. Re:Comcast DNS hijacking? by oasisbob · 2010-02-23 09:27 · Score: 2
  
  Chris,
  Thanks for taking the time to respond to slashdot comments. I truly hope Comcast keeps this up, and stays involved in community forums to support web standards and disseminate accurate technical information.
5. Re:Comcast DNS hijacking? by willoughby · 2010-02-23 09:47 · Score: 1
  
  You can turn that redirect off at any time by using the "opt-out" dns servers. Check out dns.comcast.net for more info.
6. Re:Comcast DNS hijacking? by wiredlogic · 2010-02-23 09:58 · Score: 1
  
  We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
  It's technically incompatible with the internet in general. This is at least part of the reason why ISPs have been dragging their feet on deployment. Now if only the FCC or FTC had some balls and mandated a time frame for full support of DNSSEC. To bad that would require change in how the government operates.
  
  --
  I am becoming gerund, destroyer of verbs.
7. Re:Comcast DNS hijacking? by ctg1701 · 2010-02-23 11:34 · Score: 1
  
  Absolutely correct. We have offered opt-out DNS servers and even IPv6 resolvers for a while now. You now have another option with these Anycast DNS resolvers.
  Thanks
  Chris Griffiths
  Comcast
8. Re:Comcast DNS hijacking? by drkim · 2010-02-23 19:22 · Score: 1
  
  Thanks Chris, Kudos to Comcast for setting this up - and kudos to you for running the /. gauntlet!
Amplifier Attack by characterZer0 · 2010-02-23 08:43 · Score: 1

In case anybody else did not know what an amplifier attack is:
http://dnscurve.org/amplification.html

--
Go green: turn off your refrigerator.
Re:Benefits of DNSSEC? Anyone? by Jeng · 2010-02-23 08:46 · Score: 2

Good question.
I would mod you, but there is no "this needs an answer" mod.
I would mod an informative response to you informative, but there has been no informative responses at this point.

--
Don't know something? Look it up. Still don't know? Then ask.
Re:All three game consoles use PowerPC by lucifuge31337 · 2010-02-23 08:58 · Score: 1

In the context of a user name of Apple Acolyte, I'm not thinking the reference is to consoles.

--
Do not fold, spindle or mutilate.
Re:inconsistent message by Red+Flayer · 2010-02-23 09:03 · Score: 1

For your information:

People who sent chocolates and candles for birthdays also chose: ...
... Frederick's of Hollywood crotchless panties
KY Sensual Massage Lubricant
Their own ears

--
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Re:Benefits of DNSSEC? Anyone? by Anonymous Coward · 2010-02-23 09:08 · Score: 1, Informative

Then you probably want to mod him "Underrated".
DNSSEC for the uninitiated by JackHoffman · 2010-02-23 09:09 · Score: 3, Informative

DNSSEC uses cryptographic signatures to authenticate DNS records and thereby prevents DNS spoofing. DNSSEC does not use encryption, only authentication, i.e. it provides trust, but not privacy.
DNS spoofing is an attack which can be used to redirect traffic to an attacker's server, where the attacker can intercept the traffic for a man in the middle attack or create an impostor service and harvest credentials. There are several countermeasures in plain DNS to prevent spoofing, but Dan Kaminsky's discovery of a fundamental spoofing vulnerability in the DNS protocol finally pushed DNSSEC out of the labs into the wild.
No more typo redirects! by csnydermvpsoft · 2010-02-23 09:22 · Score: 1

I noticed this exciting tidbit on their FAQ page:

What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC?
* We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
* Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.
* The DNSSEC trial servers we are announcing today do not have Comcast Domain Helper's DNS redirect functionality enabled.
* We plan to update our IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, to reflect this in the coming months.
1. Re:No more typo redirects! by ctg1701 · 2010-02-23 11:38 · Score: 2, Informative
  
  You noticed correctly. This will put an end to redirection as we deploy DNSSEC.
  Thanks
  Chris Griffiths
  Comcast
Is it really even useful? by joekrahn · 2010-02-23 09:41 · Score: 1

If someone can spoof DNS, why not just spoof routing? Now days, it is very common to connect through public wireless networks. You should not have to depend on the connection point not being hacked somehow. My understanding is that DNSSEC can supply host keys as well, so you can be sure that the host you actually connect to is the one defined by DNSSEC. Is it being implemented that way, or is it just being used to avoid DNS spoofing?
Also, are DNSSEC certificates designed in a way that generates profit for certificate providers? We don't want a system where the system is more oriented toward profit than security.
1. Re:Is it really even useful? by Pinky's+Brain · 2010-02-23 10:14 · Score: 1
  
  Well you can already do that through CAs of course, but once we have DNSSEC I expect RFC4985 to get implemented into browsers at which point yes ... the DNS server will be able to supply host keys. I expect the CAs are scared shitless at the prospect.
2. Re:Is it really even useful? by Pinky's+Brain · 2010-02-23 10:22 · Score: 1
  
  Damnit, wrong RFC ... I meant 4398.
3. Re:Is it really even useful? by Thanatiel · 2010-02-23 10:26 · Score: 2, Informative
  
  A DNSKEY is put at the top of the zone. (ie: yourdomain.tld. IN DNSKEY blablablablabla)
  Your server is supposed to be authenticated using some other mean. (ie: X509 certs for https servers & cie)
  Please also note that there are no "certificates" for DNSSEC, only very basic key pairs:
  _ Generate your zone-signing keypair (rsa/dsa) and/or your key-singing keypair (idem). Generate them for the algorithms used in the zone (hopefully NSEC3, else NSEC and its damn zone-walk issue)
  _ Put the public key record into your zone file and sign the zone (opt-out or not)
  _ Give the public key digest (or public key, depending on the TLD's policy) to the registrar (So it can obtain the DS record for your domain)
  Done: the DS on the TLD will be the link with your domain's key(s). Note that the TLD will be trusted because either the key is "known" either it is authenticated by '.' whose key will be "known".
  Note that the chain will only be complete when '.' will be signed.
  Viva paranoïa.
  
  --
  Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
Does anybody still use Comcast DNS? by Chemisor · 2010-02-23 09:57 · Score: 1

In my experience, Comcast's DNS servers go down all the time, and even when they work, they sometimes have unexplained "glitches" that render websites unusable. Every time I try using their servers, this happens, and I switch back to something more stable, like L3. I'd be surprized to find anybody but a total n00b still using Comcast's DNS.
1. Re:Does anybody still use Comcast DNS? by ctg1701 · 2010-02-23 11:41 · Score: 1
  
  Interesting observation and sorry you have not had the best experience, but we have tens of millions of subscribers using our DNS. If you are experiencing issues with DNS, check out http://dns.comcast.net for some tools and other items. You may also want to look at your router/home gateway and see if its doing DNS proxying. Check out RFC5625 for more information.
Re:The sticking point... by girlintraining · 2010-02-23 10:06 · Score: 1

it's clear that they're almost as foresighted as Google when it comes to deploying next generation networking technologies
Except Google didn't try to kill bittorrent, come under a congressional investigation, and spark a row with the FCC over its use of "next generation networking technology". And while we're at it, how next generation is a network with a 250GB bandwidth cap?

--
#fuckbeta #iamslashdot #dicemustdie
About time DNS was made more secure by physburn · 2010-02-23 10:09 · Score: 1

DNS spooffing, and cases of DNS taking down large parts of the internet have been problems for years. This should have been done years ago.
---
Computer Security Feed @ Feed Distiller
Re:The sticking point... by Abcd1234 · 2010-02-23 12:09 · Score: 1

Except Google didn't try to kill bittorrent, come under a congressional investigation, and spark a row with the FCC over its use of "next generation networking technology". And while we're at it, how next generation is a network with a 250GB bandwidth cap?
Uhuh... and that disproves my point how, exactly?
The simple fact is that Comcast is rolling out next-gen technologies for the Internet before anyone else. Now, you may not like how they're trying to manage the bandwidth in their backhaul network, but that's an entirely separate issue.
Put another way, yes, believe it or not, some companies can do bad things *and* good things! Wow! What a crazy idea!
So please, take your zealotry elsewhere, as it's at best tangential, and quite frankly, I'm not interested.
Makes me want to switch back, $29.99/month too by jroysdon · 2010-02-23 14:54 · Score: 1

Just saw an add for $29.99/month Comcast internet + cable (probably just broadcast, dunno) for 1 year. I think I cancelled my service too soon though (just last month). How long do I have to be "not a customer" to be a "new customer" ? Hmm, and IPv6 native service isn't that far away either. I'll probably switch back.
1. Re:Makes me want to switch back, $29.99/month too by Eightbitgnosis · 2010-02-23 16:28 · Score: 1
  
  If you live with anyone else they can take the bill under their name and just cycle through the next promotion period
Improve your server availability too, Comcast... by runswithd6s · 2010-02-23 17:59 · Score: 1

I would rather see Comcast improve their DNS server availability first, or at least in addition. For the last three months, I've turned to using another DNS provider because Comcast sees fit to run nightly maintenance on their servers sometime after 01:30 CST. Rarely has connection to the internet been compromised, rather to the DNS servers themselves. If they're using load-balancing hardware, I'm not seeing it as an end-user. Hopefully they can piggy-back a reliable high-availability architecture in addition to DNSSEC...

--
assert(expired(knowledge)); /* core dump */
Canadians have access to national DNSSEC trial by bretty · 2010-02-23 18:57 · Score: 1

The Canadian Internet Registration Authority (CIRA) "has committed to the full deployment of DNSSEC, the security extensions for DNS, and has been conducting extensive research and analysis into the technical and operational impact of signing the dot-ca (.ca) zone file. The roll-out is anticipated in the later part of 2010."
CIRA is already providing a DNSSEC test bed for those interested in signing their own dot-ca name or interacting with a name server serving the signed dot-ca zone file.
for details see https://registrants.cira.ca/dnssec/login
hi by nehaaworld · 2010-02-23 22:05 · Score: 1

That is one of the greatest things ever. http://www.mytwitteradder.com/
Sloooooooooow by sictransitgloriacfa · 2010-02-23 23:19 · Score: 1

I use Comcast and I've noticed DNS has been damned slow the last few days. Maybe this is why?
DNSSEC Flaws Confirmed -- Avoid DNSSEC validation by deananderson · 2010-02-24 09:57 · Score: 1

DNSSEC Cache Poisoning has been confirmed just as I described. Note that many people are now advising to turn off DNSSEC validation.
Most officially, I discussed it in my DNSSEC NTIA comments:
http://www.ntia.doc.gov/dns/comments/comment027.pdf
in the section on Cache Poisoning. Notably, Vixie et al disputed
this when discussed on DNSOP and namedroppers. Guess they were wrong
again.
If you want to engage in honest uncensored discussion of DNS issues,
subscribe to dnsop-honest or namedroppers-honest through the interface
at lists.iadl.org
[*] See DNSSEC cache poisoning links contained in
http://lists.iadl.org/pipermail/namedroppers-honest/2010-January/000074.html
The IETF has known of these problems for a long time, and silenced me
to keep these problems quiet.
Vixie and the IETF have known about the DNSSEC Cache Poisoning problem
and other DNSSEC problems for a number of years, but they have covered
it up by threatening and silencing critics. Inquiry reveals that DNSSEC
is a scam that threatens the stability of the Internet.
Please be sure to credit me with discovering the DNSSEC flaws. And
please forward this message widely.