Slashdot Mirror


Comcast Launches First Public US Trial of DNSSEC

cryan7755 and netbuzz both sent along a NetworkWorld story on Comcast's public test deployment of DNSSEC. Here is the company's blog post announcing the trial. "Comcast this morning announced what is believed to be the first public test deployment of DNS Security Extensions. The company says it has deployed DNSSEC throughout its nationwide network and will immediately make validating servers available to customers. In addition, Comcast said it would digitally sign all of its own domain names using DNSSEC by early next year. 'There is often talk about a chicken-and-egg sort of problem with DNSSEC. People don’t want to sign their own domains with DNSSEC until people are validating signatures,' says Jason Livingood, Executive Director of Internet Systems Engineering at Comcast. 'We want to explain how we as an ISP have a roadmap for validating signatures with DNSSEC.'"

7 of 100 comments

  1. Can use 75.75.75.75 externally by vlm · · Score: 4, Informative

    The most interesting part of the article didn't make the summary...

    "Opt-in by changing your DNS server IP addresses to 75.75.75.75 and 75.75.76.76 (we'll be adding IPv6 addresses soon)."

    75.75.75.75 will answer outside of the comcast network... so I can use it to test DNS entries. (Or presumably someone could use it in an amplifier attack)

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  2. Re:The sticking point... by Abcd1234 · · Score: 3, Interesting

    Say what you want about Comcast's customer policies, it's clear that they're almost as foresighted as Google when it comes to deploying next generation networking technologies, not only deploying DNSSEC, but also beginning an opt-in IPv6 transition project.

    In short: Credit where credit is due. At least *someone* is looking to the future and working toward it.

  3. DNSSEC for the uninitiated by JackHoffman · · Score: 3, Informative

    DNSSEC uses cryptographic signatures to authenticate DNS records and thereby prevents DNS spoofing. DNSSEC does not use encryption, only authentication, i.e. it provides trust, but not privacy.

    DNS spoofing is an attack which can be used to redirect traffic to an attacker's server, where the attacker can intercept the traffic for a man in the middle attack or create an impostor service and harvest credentials. There are several countermeasures in plain DNS to prevent spoofing, but Dan Kaminsky's discovery of a fundamental spoofing vulnerability in the DNS protocol finally pushed DNSSEC out of the labs into the wild.
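
Added example, not part of the comment above and not Comcast's code: a minimal stub-resolver check for what "authentication, not encryption" looks like on the wire. A DNSSEC-aware client sets the EDNS0 DNSSEC-OK (DO) bit in its query; a validating resolver that has checked the signatures sets the Authenticated Data (AD) flag in the header of its answer, and returns SERVFAIL for a zone whose signatures do not verify. The `ask()` function would be pointed at a validating resolver such as the trial addresses quoted in the first comment; the sample responses and the name `example.org` below are constructed for the test, not captured from any server.

```python
import secrets
import socket
import struct

# Header flag bits (RFC 1035 / RFC 4035): QR, AA, TC, RD, RA, AD, CD, RCODE.
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels, root-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, do: bool = True) -> bytes:
    """Build a recursive query; with do=True, append an OPT RR carrying the DO bit."""
    # id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 if OPT present
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if not do:
        return header + question
    # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE (0) | version (0) | flags with DO (0x8000), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into named flags and section counts."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp: bytes, expected_id: int) -> str:
    """Summarise what the resolver told us about the answer's authenticity."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "mismatched-id"   # not a reply to our query: ignore it (cheap spoof filter)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"        # a validating resolver's answer for a bogus (bad-signature) zone
    if h["ad"]:
        return "validated"       # resolver verified the RRSIG chain to its trust anchor
    return "unvalidated"         # unsigned zone, or the resolver is not validating


def ask(server: str, qname: str, timeout: float = 3.0) -> str:
    """Send one DO-bit query over UDP and classify the reply (needs network access)."""
    txid = secrets.randbelow(65536)  # unpredictable ID; the OS picks a random source port
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data, txid)


# Constructed sample replies (header only; id 0x1234). Not captured from any server.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | RCODE_SERVFAIL, 1, 0, 0, 1)

if __name__ == "__main__":
    for sample in (SAMPLE_VALIDATED, SAMPLE_UNVALIDATED, SAMPLE_SERVFAIL):
        print(classify(sample, 0x1234))
    try:
        # Live check against a resolver of your choice, e.g. one of the trial addresses.
        print(ask("75.75.75.75", "example.org."))
    except OSError as e:
        print("no network:", e)
```

Two caveats the flag alone does not tell you. The AD bit is only as trustworthy as the path between you and the resolver: a spoofer who can inject replies on that link can set AD just as easily as the resolver can, so AD is meaningful over loopback or a protected link, not across an open network, and a client that needs end-to-end assurance has to validate the RRSIGs itself. And a DO-bit query elicits the much larger signed response, which is exactly why an open validating resolver makes a good reflector for amplification attacks, the concern raised in the first comment.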

  4. Re:Comcast DNS hijacking? by ctg1701 · · Score: 5, Informative

    You should read our FAQ on the DNSSEC trial, particularly this section:

    http://www.dnssec.comcast.net/faq.htm#faq7

    What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC?
    We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
    Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.
    The DNSSEC trial servers we are announcing today do not have Comcast Domain Helper's DNS redirect functionality enabled.
    We plan to update our IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, to reflect this in the coming months.

  5. Re:umm. by oasisbob · · Score: 4, Interesting

    Probably because they aren't rebranding their corporate entity.

    Also, if you think this is the first cool thing Comcast has done in support of the internet, you're dead wrong. They have some very talented and involved engineers working hard on IPv6, publishing IETF drafts on IPv6 transition strategies, making nice after their BitTorrent escapades, etc.

    Say what you will about their business practices, customer service, reliability, whatever... But when it comes to IPv6 and being involved in the technical community, they're kicking ass and taking names.

  6. Re:Err, but .COM is not valid for a while by ctg1701 · · Score: 4, Interesting

    The point is testing this on a smaller TLD. We have been working with .ORG and other TLDs to test DNSSEC for a while now. When the time comes for a signed root and .COM and .NET signed, we will be ready.

    Thanks

    Chris Griffiths
    Comcast

  7. Re:Err, but .COM is not valid for a while by Eil · · Score: 3, Funny

    Dammit Chris, it's bad enough that your company is doing good things for the Internet like early IPv6 and DNSSEC adoption. Now you have the gall to come onto my Slashdot with your polite and informative answers. It's really starting to threaten my rage-induced perception of Comcast as World's Most Evil Cable Company and that's not something I'll give up without a fight!