Slashdot Mirror


Comcast DNSSEC Goes Live

An anonymous reader writes "In a blog post, Comcast's Jason Livingood has announced that Comcast has signed all of its (5000+) domains in addition to having all of its customers using DNSSEC-validating resolvers. He adds, 'Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names.'"

165 comments

  1. How about going back to flat-rate data? by sethstorm · · Score: 0, Offtopic

    Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.

    DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:How about going back to flat-rate data? by DanTheStone · · Score: 2, Insightful

      Are you really getting anywhere near 250 GB of use per month? I know use tends to grow over time, but we use ours constantly and haven't hit over 80 GB or so in a month. And how much additional usage do you really think DNSSEC will generate for an end-user?

    2. Re:How about going back to flat-rate data? by wolrahnaes · · Score: 2, Insightful

      I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    3. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0, Troll

      Quit pirating 1/2 the content of Hollywood and you'll come under the cap.

    4. Re:How about going back to flat-rate data? by hawguy · · Score: 3, Informative

      I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.

      What do you download that exceeds 700+GB? That's 25GB/day, which seems like an awful lot of data.

      My household watches several hours of Netflix a day (we have no cable TV and watch Netflix streaming TV shows & movies), and as far as I know, we've never hit our Comcast cap.

    5. Re:How about going back to flat-rate data? by Xoltri · · Score: 4, Funny

      Probably high definition Japanese porn, which is ironic since it's blurred out anyway.

      --
      -Xoltri
    6. Re:How about going back to flat-rate data? by Dyinobal · · Score: 2

      Ever hear of high definition porn? Silly, I know, but porn sites are typically the leaders when it comes to streaming content quality. You can practically count the ingrown hairs from a pornstar's Brazilian wax.

    7. Re:How about going back to flat-rate data? by Dan667 · · Score: 3, Informative

      If you bought any ridiculously cheap games from Valve's Steam service over the holidays, you could hit that without even spending $20.

    8. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 1

      That's always helpful. Accuse those that use more bandwidth than you of pirating because there is no conceivably legitimate way someone could use that in a month. That's always helpful.

    9. Re:How about going back to flat-rate data? by hawguy · · Score: 3, Funny

      Ever hear of high definition porn? Silly, I know, but porn sites are typically the leaders when it comes to streaming content quality. You can practically count the ingrown hairs from a pornstar's Brazilian wax.

      Hey, I grew up in the day of ASCII porn that was printed out on 132 column green-bar paper - I'd probably be appalled at what I could see in High Def video porn. And based on your comment, it does sound appalling.

    10. Re:How about going back to flat-rate data? by Anthony+Mouse · · Score: 5, Insightful

      Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.

      DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.

      Troll rating: 8/10. It was a good, subtle effort. You get people off topic, since data caps are highly contentious and Comcast is unpopular so that will gather several responses, and extra points for getting the first post so that no one with an on-topic post can precede you. In addition to that, you picked a topic that might otherwise have led somewhere productive, because of the tie in between DNSSEC and SOPA (which is an important, relevant, and time-sensitive topic at this point). You may wish to apply for remuneration with pro-SOPA entities if you have not done so already, as they are known to pay compensation for such efforts.

    11. Re:How about going back to flat-rate data? by Sir_Eptishous · · Score: 0

      Mod WAAAAYYYY UP!!!!

      --
      We play the game with the bravery of being out of range
    12. Re:How about going back to flat-rate data? by Zakabog · · Score: 1

      250GB / month is a constant speed of a little under 100KB/sec. I use more bandwidth than that just running a VPN to a few computers in the office. While I may be far from the average user, I'm sure there's a Comcast user out there with a legitimate reason to use over 250GB / month.

    13. Re:How about going back to flat-rate data? by letherial · · Score: 1

      He can't dream? Well, then again, with some games... a 250GB game may turn out to be the dumbest, longest game ever... EA presents 'A Waste of Space'.

    14. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      How is this informative? It's blatantly wrong!

    15. Re:How about going back to flat-rate data? by stickyboot · · Score: 1

      You apparently do not understand the purpose of the internet. Data caps are purely a profit mechanism. The fundamental purpose of the internet is to send data cheaply to any other point on the network. Implementing arbitrary data caps cripples its ability to do that.

    16. Re:How about going back to flat-rate data? by hedwards · · Score: 1

      Except that caps are typically up and down. Personally, I've used nearly 300 GB in a single month just on CrashPlan.

    17. Re:How about going back to flat-rate data? by hedwards · · Score: 3, Insightful

      Not quite, data caps are there so that ISPs don't have to have the bandwidth that they promise in their ads. There's something really wrong when a company can advertise something and then modify it to be something completely different via fine print that might not even be legible in the ad.

    18. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 1

      2.2 GB per hour (assuming HD + 5.1 audio) x 4 hours per day x 30 days per cycle = 264 GB for Netflix alone.

    19. Re:How about going back to flat-rate data? by Billly+Gates · · Score: 1

      Is there really a tie in mechanism with DNSSEC?

      Not to sound cynical, but DNS poisoning is a very real problem that I am surprised hackers have not succeeded in doing yet. For the record I hate Comcast and I am in no way defending them. When I used to play WOW the users who always lagged or were DCed were Comcast customers. Reliability is a joke. ... Back to the topic: DNSSEC is just encrypted DNS lookups to prevent man in the middle attacks and is used in many institutions such as banks and militaries. hairyfeet, who is a top poster on /., uses Comodo Dragon as his browser simply because it uses DNSSEC to its own secure DNS servers that filter out malware domains.

      I use OpenDNS as it is simple and easy to use on my computer and filters bad domains. However, it is still vulnerable to man in the middle attacks because it is not encrypted. I would prefer DNSSEC if I could actually do it.

    20. Re:How about going back to flat-rate data? by OnlineAlias · · Score: 2

      No no, it's great.

    21. Re:How about going back to flat-rate data? by blackraven14250 · · Score: 1, Informative

      It's an exaggeration, but there were massive sales that meant you could fairly easily hit 250GB if you bought a few of the games that were discounted 50%+

    22. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      No, there isn't something wrong. You are upset because you aren't getting what you want for the price you want. Part of the problem is that many people simply cannot understand what the exact definition of the service means. Figuring out that a 20Mbps service is much faster than a 56k modem is already pushing many people's technical understanding; this is why they advertise with phrases like "Watch movies instantly".

    23. Re:How about going back to flat-rate data? by scubamage · · Score: 1

      No, the fundamental purpose of the internet is to distribute information to any point of the world and, outside of where the bomb dropped, have the system work in the event of a nuclear war. At its outset, cheap was no part of the equation; it's just so commoditized and ubiquitous now that there is an expectation.

    24. Re:How about going back to flat-rate data? by Anthony+Mouse · · Score: 5, Insightful

      Is there really a tie in mechanism with DNSSEC?

      It is widely understood that SOPA will break DNSSEC, because it requires intermediaries to modify DNS responses, which looks to DNSSEC like a man in the middle attack (because it is one).

    25. Re:How about going back to flat-rate data? by Nemyst · · Score: 1

      I know my (generally restrictive, but big in Canada) 120 GB cap forced me to stop buying games on Steam as I'm nearly through the cap and I still have a week to go. LA Noire just wouldn't have fit in what I had left.

    26. Re:How about going back to flat-rate data? by scdeimos · · Score: 1

      I used over 12.5GB in a few hours just watching some of TotalHalibut's "WTF is...[Game]" videos on YouTube. I'm sure 250 GB in a month would be a cinch.

    27. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      So that "blurring" is like replacing certain HD bits with those ascii graphics.
      Wouldn't that defeat the purpose of porn video? Guess someone wants to revive porn radio. (Did that ever exist?)

    28. Re:How about going back to flat-rate data? by Socialism+is+win! · · Score: 0

      Once the revolution has been prosecuted, The People's Revolutionary Council on Data Networking will ensure that all data caps are applied equally.

      --
      You say potato, I say produce of The People's Collective Farm
    29. Re:How about going back to flat-rate data? by MechaStreisand · · Score: 2

      That doesn't seem like it breaks DNSSEC so much as DNSSEC exposes such attacks for what they are.

      --
      Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
    30. Re:How about going back to flat-rate data? by CAIMLAS · · Score: 1

      Meh, 250GB is still a lot for a month.

      Consider that a decent self-ripped DVD is only around 2GB, and a good Blu-ray around 8GB. That's around 2 hours of high definition video streaming per day, for a month, with a 250GB allocation.

      These days, games are the big consumers of bandwidth, I'd imagine. Spend $30 on cheap games on Steam and you can eat through that 250GB pretty quickly.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    31. Re:How about going back to flat-rate data? by Ihmhi · · Score: 2

      Just wanted to say, the prudent thing to do here is to buy the games anyway. You can pause the download and it sits in your Steam library as a game you own and you can download it after the next month comes around and your cap is reset.

    32. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      Yep, it was called pay-per-view/Skinemax back in the '90s.

      You could even pay extra to get the Video!

      (seriously, you could just go to the porn channels and listen to the un-obscured audio, even though the video was scrambled.)

    33. Re:How about going back to flat-rate data? by Anthony+Mouse · · Score: 3, Informative

      exposes such attacks for what they are.

      It certainly does that, but it still breaks DNSSEC because it makes users expect DNSSEC failures under normal operation, which enables fraud because users will subsequently ignore future warnings. It further prevents client software developers from implementing countermeasures that would thwart a man in the middle attack since doing so would succeed just as well in bypassing the DNS blocking.

      For example, client software might be designed so that if a DNSSEC failure occurs, the client first tries all configured DNS servers to try to get a valid response. If any of the servers is outside the country, the blocking fails. If not, the client software might then try to act as its own recursive DNS server. (Clients are normally not supposed to do this because it would put extra load on the authoritative DNS servers, but clients are normally not supposed to encounter DNSSEC failures, and doing it only in that rare circumstance would almost certainly not cause serious performance issues.) If the authoritative DNS server is outside the country (which it would be for a 'rogue site') then the blocking fails.

      So either the law prohibits client software from being designed that way and the security benefits of DNSSEC are destroyed, or client software is designed to thwart a man in the middle attack and the law is a dead letter because the operators of intermediary DNS servers cannot prevent end users from receiving a true DNS response since an attempt to do so will only cause the client's DNSSEC implementation to detect and bypass the intermediary DNS server.
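
      The fallback strategy in the comment above, modelled as an added example (this is not code from the post, from Comcast or from any DNSSEC implementation). Assumptions: the zone key, the record for www.example.org., the resolver labels and the redirect address 198.51.100.1 are all constructed here, and an HMAC under a per-zone key stands in for the RRSIG/DNSKEY/DS public-key chain so the block runs with the standard library alone. Real DNSSEC lets a validator check signatures using public keys only, which is exactly why an intermediary resolver that rewrites an answer cannot produce a signature that covers the rewritten data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# --- constructed toy data -------------------------------------------------
# Per-zone signing key. Only the zone's authoritative server and the validator
# use it here; the intermediary resolvers never touch it. This HMAC is a
# stand-in for DNSSEC's public-key RRSIG/DNSKEY/DS chain, not how DNSSEC works.
ZONE_KEYS = {"example.org.": b"toy-zone-key-for-example-org"}

# What the zone's own (foreign, in the post's scenario) nameserver publishes.
AUTHORITATIVE_DATA = {"www.example.org.": "203.0.113.10"}


@dataclass
class Answer:
    name: str
    rdata: str   # the A record, as a string
    sig: str     # toy RRSIG over (name, rdata)


def _zone_of(name: str) -> str:
    return name.split(".", 1)[1]


def toy_rrsig(name: str, rdata: str) -> str:
    """Toy RRSIG: HMAC-SHA256 over owner name and rdata under the zone key."""
    key = ZONE_KEYS[_zone_of(name)]
    return hmac.new(key, f"{name} A {rdata}".encode(), hashlib.sha256).hexdigest()


def validate(ans: Answer) -> bool:
    """Validator check: does the signature cover the rdata we were handed?"""
    return hmac.compare_digest(ans.sig, toy_rrsig(ans.name, ans.rdata))


def query_authoritative(name: str) -> Answer:
    """What a client gets by recursing itself and asking the zone directly."""
    rdata = AUTHORITATIVE_DATA[name]
    return Answer(name, rdata, toy_rrsig(name, rdata))


class Resolver:
    """A recursive resolver the client is configured to use.

    A resolver subject to a blocking order rewrites the A record to a
    redirect address. It holds no zone key, so it can only leave the
    original signature in place, and the rewritten answer is bogus.
    """

    def __init__(self, label: str, blocked: frozenset = frozenset(),
                 redirect: str = "198.51.100.1"):
        self.label = label
        self.blocked = blocked
        self.redirect = redirect

    def query(self, name: str) -> Answer:
        ans = query_authoritative(name)                    # upstream fetch
        if name in self.blocked:
            return Answer(ans.name, self.redirect, ans.sig)  # tampered rdata
        return ans


def resolve(name: str, resolvers: list, log: list) -> tuple:
    """The countermeasure described in the post: on a validation failure,
    try every configured resolver in turn; if none yields a valid answer,
    act as our own recursive resolver and ask the authoritative server.
    Returns (rdata, source_label)."""
    for r in resolvers:
        ans = r.query(name)
        if validate(ans):
            log.append(f"{r.label}: valid -> {ans.rdata}")
            return ans.rdata, r.label
        log.append(f"{r.label}: BOGUS (signature does not cover {ans.rdata})")
    ans = query_authoritative(name)
    if not validate(ans):
        raise RuntimeError("authoritative answer failed validation")
    log.append(f"authoritative: valid -> {ans.rdata}")
    return ans.rdata, "authoritative"


if __name__ == "__main__":
    blocked = frozenset({"www.example.org."})
    domestic = [Resolver("isp-primary", blocked), Resolver("isp-secondary", blocked)]
    log = []
    print(resolve("www.example.org.", domestic, log))
    print("\n".join(log))
```

      Two resolvers that both rewrite the blocked name hand back answers whose signatures no longer cover the rdata, so the client discards both and recurses to the authoritative server itself. Put a non-blocking resolver (the comment's "server outside the country") anywhere in the list and the loop stops there instead, which is the "blocking fails" case.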

    34. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      Meh, 250GB is still a lot for a month.

      That's around 2 hours of high definition video streaming per day, for a month, with a 250GB allocation.

      Of course, if you share a household with family members, roommates, or guests, you're down to minutes a day instead of hours.

    35. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      The fundamental purpose of the internet is to send data cheaply

      No, that is completely incorrect. The fundamental purpose is to send the data reliably.

      Data caps are purely a profit mechanism.

      Yes, they are. What's your point? You're still paying less for your overage fees plus base service cost than it would take to pay for a dedicated bandwidth connection where you don't have to worry about caps, throttling, etc. Don't like caps? Quit going to the all-you-can-eat internet buffet then.

    36. Re:How about going back to flat-rate data? by MechaStreisand · · Score: 2

      From what I've read, SOPA would indeed outlaw programs that circumvent its domain theft. It seems like SOPA is going to do nothing but destroy.

      The best possible outcome to hope for is for the rest of the world to develop and use DNSSEC and other technologies, and leave the US behind its great firewall. I'd say that I'm glad that I live in Canada, but our ruling Conservatives are pure evil and do whatever the US Government tells them to (and I say this as a semi-conservative myself), so eventually Canada will be just as bad off.

      Know of any countries where the politicians aren't bought by special interests and where the country values freedom? Maybe Switzerland. I wonder if they take in immigrants.

      --
      Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
    37. Re:How about going back to flat-rate data? by hedwards · · Score: 1

      I'm upset because they're engaging in fraudulent advertising and most people aren't smart enough to realize it. I just want what they promised when I was looking for an ISP, no more no less. If they can't provide what it is that they're advertising then they sure as hell shouldn't be advertising it.

      And as for your quip about price, my ISP offers much faster connections for about what I'm paying in other parts of the country, I don't think bitching about the price is really unreasonable.

      Then again, you're either a troll or a Republican, in either case I doubt you have the brain cells to comprehend the situation.

    38. Re:How about going back to flat-rate data? by ganjadude · · Score: 1

      Why spend the money now and not have the game? Just wait 'til you plan on downloading it.

      --
      have you seen my sig? there are many others like it but none that are the same
    39. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      Why spend the money now and not have the game? Just wait 'til you plan on downloading it.

      If you get a 50%, 75% or 90% price reduction you usually save so much money that it might even be worth buying another 10GB from your provider and still saving money. If you buy at the reduced price and wait for your cap to reset, even better.

    40. Re:How about going back to flat-rate data? by nhat11 · · Score: 1

      Seriously, what are you downloading with 700+ GB a month? I do a lot of gaming, streaming, downloading, etc. and I don't come close to the cap.

    41. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      I hit my AT&T 150 EVERY MONTH.
      Netflix, wife, and children.
      Plus MLP is back on again; livestreams and synchtubing eat a fair share of my time.

    42. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      Or instead of leaving your country stand up and DO SOMETHING about it.

    43. Re:How about going back to flat-rate data? by Kenshin · · Score: 1

      Some of us aren't perma-bachelors living in a basement paying for our own personal internet connection.

      We have 2 adults and 2 teens living in this house, and I doubt our 300 GB cap will be sufficient for long.

      --
      Does it make you happy you're so strange?

    44. Re:How about going back to flat-rate data? by tepples · · Score: 1

      We have 2 adults and 2 teens living in this house, and I doubt our 300 GB cap will be sufficient for long.

      Then have each adult pay for one teen rather than having one adult pay for the other adult and both teens.

    45. Re:How about going back to flat-rate data? by tepples · · Score: 1

      How can one DO SOMETHING when all five major television news outlets (ABC, CBS, CNN, Fox, and NBC) are owned by parent companies of motion picture studios with enough money to DO MORE about unDOing your SOMETHING?

    46. Re:How about going back to flat-rate data? by tepples · · Score: 1

      [hairyfeet] who is a top poster on /, uses [Comodo] Dragon as his browser simply because it uses DNSSEC to its own secure DNS servers that filter out malware domains.

      Comodo Dragon also uses an end-run around the oft-repeated suggestion to use DNSSEC to replace CAs: any cert that isn't EV gets a warning page.

    47. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      ... Back to the topic: DNSSEC is just encrypted DNS lookups to prevent man in the middle attacks and is used in many institutions such as banks and militaries. hairyfeet, who is a top poster on /., uses Comodo Dragon as his browser simply because it uses DNSSEC to its own secure DNS servers that filter out malware domains. I use OpenDNS as it is simple and easy to use on my computer and filters bad domains. However, it is still vulnerable to man in the middle attacks because it is not encrypted. I would prefer DNSSEC if I could actually do it.

      (bolds are mine)

      Two comments, mostly pedantic:

      DNSSEC is not encrypted it is signed (i.e. authenticated). The DNS info is in the clear, but you have some strong assurance it is accurate.

      If you are running a Linux variant, it is pretty easy to run a DNSSEC-aware DNS server on your own machine (I'd assume it's pretty simple on OS X and maybe even Windows, but I'm less familiar with those).
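
      A check that follows from the two points above, added here as an example that is not part of the post: classify what `dig +dnssec` reports from a given resolver for a name you know is signed. The three sample headers are constructed to imitate dig's layout, not captured from a live query; the real commands are `dig +dnssec <name> @<resolver>` and, when that fails, the same query with `+cd`. An answer carrying the `ad` flag means the resolver validated the chain of trust itself; NOERROR without `ad` for a signed name means the resolver is not validating (or something on the path clears the flag); SERVFAIL that turns into NOERROR under `+cd` means the resolver rejected bogus data, which is what a deliberately mis-signed test name should produce against a validating resolver.

```python
import re

# Constructed sample `dig +dnssec` response headers (answer sections omitted).
# They imitate dig's layout; none of these came from a live resolver.
SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4103
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

_STATUS = re.compile(r"status:\s*([A-Z]+)")
_FLAGS = re.compile(r";; flags:\s*([^;]*);")


def parse_header(dig_output: str) -> tuple:
    """Return (rcode, set_of_header_flags) from a dig response."""
    m = _STATUS.search(dig_output)
    f = _FLAGS.search(dig_output)
    if not m or not f:
        raise ValueError("no dig header found")
    return m.group(1), set(f.group(1).split())


def classify(normal: str, checking_disabled: str = None) -> str:
    """Classify a resolver's answer for a name that is known to be signed.

    normal:            output of  dig +dnssec <name> @<resolver>
    checking_disabled: output of  dig +dnssec +cd <name> @<resolver>
                       (only consulted when the first query SERVFAILs)
    """
    rcode, flags = parse_header(normal)
    if rcode == "NOERROR":
        # AD (authenticated data) is set only by a resolver that validated
        # the chain of trust itself. Signed, not encrypted: the records are
        # still readable in the clear, you just know they were not altered.
        return "secure" if "ad" in flags else "insecure"
    if rcode == "SERVFAIL":
        if checking_disabled is None:
            return "servfail-unknown"
        cd_rcode, _ = parse_header(checking_disabled)
        # +cd asks the resolver to skip validation. If the name resolves
        # now, the SERVFAIL was a validation failure (bogus data, e.g. a
        # rewritten answer), not an outage of the resolver or the zone.
        return "bogus" if cd_rcode == "NOERROR" else "unreachable"
    return rcode.lower()


if __name__ == "__main__":
    for label, out in (("signed name", SECURE), ("unvalidated", INSECURE)):
        print(label, "->", classify(out))
    print("servfail, resolves under +cd ->", classify(SERVFAIL, INSECURE))
```

      Run the two queries against your own resolver and against the one your ISP hands out; "insecure" for a name you know is signed is the case to worry about, because it means nothing between you and the zone is checking signatures at all.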

    48. Re:How about going back to flat-rate data? by linuxwolf69 · · Score: 1

      Streaming HD netflix, Blockbuster, and Amazon videos on 3 computers at the same time can easily hit that, all 100% legal, and for roughly $30 average per month. That also does not take into account legal file trading (torrenting Linux OS distros), online gaming, with constant game updates and map downloads, or any other number of legal, and bandwidth intensive, applications.

    49. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      Straight ripped Blu-Rays (even with all the forced screens, menus, and extras removed) are easily in excess of 20 GB.

    50. Re:How about going back to flat-rate data? by rubycodez · · Score: 1

      You are so funny. The fundamental purpose of the internet is to make money for its providers. Comcast, AT&T, Verizon: they don't make communications solutions or connectivity solutions, they make money. Period. End of story.

    51. Re:How about going back to flat-rate data? by rubycodez · · Score: 1

      No, tell the teens to get a fucking job and pay for their internet and cell use. This will help them later in life. I started working at age ten with lawn cutting, snow shoveling, car washing, etc. to fund my electronics hobby. Even the "allowance" my parents gave me was for a checklist of weekly jobs.

    52. Re:How about going back to flat-rate data? by tepples · · Score: 1

      I started working at age ten with lawn cutting, snow shoveling, car washing, etc. to fund my electronics hobby.

      Once one of my cousins considered doing this, but it turned out that "we already have someone else doing this; thanks anyway." In such a situation, how do you recommend that a child in middle school or high school perform such work? Could you recommend a safe way for a child to commute to another neighborhood in order to perform those jobs there? I'm probably missing something fundamental; what is it?

    53. Re:How about going back to flat-rate data? by Talderas · · Score: 1

      Sounds like some BS to me. If we take the 80GB as the average monthly usage, that leaves 170GB worth of new games you just bought on Steam with a 250GB cap. 6GB is on the higher end for most games, though there are a few that come in around 10GB. Most of the 10+GB games are probably $50 in normal pricing on Steam, and chances are most of those weren't much lower than 33% off, with 50% off being the cap. I'd say it's probably a pretty safe assumption that you likely spent well over $500, if not $750, on games you downloaded just to hit 170GB of games.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    54. Re:How about going back to flat-rate data? by Kenshin · · Score: 1

      My point flew over your head.

      I'm saying that when you share an internet connection you naturally use more. Something barely understood by all the folks here who apparently live alone.

      --
      Does it make you happy you're so strange?

    55. Re:How about going back to flat-rate data? by Anonymous Coward · · Score: 0

      Most of the 10+GB games are probably $50 in normal pricing on Steam and chances are most of those weren't much lower than 33% off with 50% off being the cap

      That could be 33% or 50% off an already low regular price, though. Some drop to $30 or even lower after a half-year.

      Let's see, Portal 1 + 2 was on sale for, what was it, $8? ~16 GB
      The ever-lovely Shogun 2 was on sale for 33% off of $30, making it around $20 for 15 GB

      Let's make the terrible assumption that we can extrapolate from here. We get $208 for 170 GB.

    56. Re:How about going back to flat-rate data? by suutar · · Score: 1

      Not seeing how this helps, unless Comcast has a way of increasing the cap by spending more money that I haven't found?

    57. Re:How about going back to flat-rate data? by wolrahnaes · · Score: 1

      No cable as well, so mostly Netflix, Hulu Plus, and usenet. Add in both my roommate and I having about a game a month Steam habit as well as random arcade games and DLC on our 360s and that accounts for the majority of it.

      We also work from home, so at least one of us is likely to be streaming either audio or video at pretty much any time between 9am and 1 am.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    58. Re:How about going back to flat-rate data? by Ihmhi · · Score: 1

      Why spend the money now and not have the game? Just wait 'til you plan on downloading it.

      So you can get the sale prices.

  2. Just in time by Anonymous Coward · · Score: 5, Insightful

    There won't be much point to this if SOPA / PIPA passes, requires DNS redirects, and bans circumvention.

    1. Re:Just in time by girlintraining · · Score: 3, Informative
      Only DNS that is signed by your government overlords will be allowed. All other DNS will be shot, banninated from the internets, and subject to prosecution.

      There. DNSSEC has a point now with SOPA. :)

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:Just in time by shentino · · Score: 1

      Can't the feds just order the registry to nuke the master record?

    3. Re:Just in time by AvitarX · · Score: 1

      SOPA is backed by comcast too.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:Just in time by Billly+Gates · · Score: 1

      If I recall, DNSSEC is simply encrypted DNS lookups to prevent man in the middle attacks. It is not a COA or anything like that. Militaries from around the world use it, and it is no more a tracking mechanism than regular DNS.

      If OpenDNS had DNSSEC for free I would be ecstatic, as I use OpenDNS on my computers at home to block known bad malware domains, and I recommend all slashdotters use it.

      The extra security would be good as the government can look up NOA records with standard DNS anyway.

    5. Re:Just in time by Reelin · · Score: 1

      So here's what's confusing to me, isn't Comcast in support of SOPA/PIPA? And isn't implementing DNSSEC under that plan one of the major issues with it? So wtf is going on here? It's like they're saying one thing and doing another.....

    6. Re:Just in time by ImprovOmega · · Score: 4, Informative

      Signed, not encrypted. It's designed to protect data integrity, not confidentiality. It stops spoofing attacks basically, so that a rogue group can't redirect traffic intended for bofa.com, for example, to their own servers to do whatever evil with.

    7. Re:Just in time by Phreakiture · · Score: 1

      Only if the registry is in the US. Mine is in the Cayman Islands.

      --
      www.wavefront-av.com
    8. Re:Just in time by Anonymous Coward · · Score: 0

      I for one welcome our new DNS overlords.

  3. DNSSEC by girlintraining · · Score: 4, Insightful

    Yes, and for our next trick, we're going to disable end-users' ability to do their own DNS lookups to only our servers -or- selectively deny DNS lookups that have a destination outside the United States. You know... to stop people from getting around SOPA and other anti-piracy measures. YAY DNSSEC! /sarcasm.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:DNSSEC by StikyPad · · Score: 1

      SOPA breaks DNSSEC -- that's one of its main problems from a technological perspective. And there's no way to prevent someone from using another DNS server, or just a hosts file.

    2. Re:DNSSEC by DigiShaman · · Score: 2

      Quite a few big companies use OpenDNS. If businesses and users get blocked from using 3rd party DNS lookup providers, there will be hell to pay. Nothing sucks balls worse than being forced to use a shitty-ass DNS lookup server hosted by a shitty-ass ISP in the middle of nowhere. Hosted off an old Dell Dimension collecting dust in the corner someplace, no doubt.

      --
      Life is not for the lazy.
    3. Re:DNSSEC by girlintraining · · Score: 2

      SOPA breaks DNSSEC -- that's one of its main problems from a technological perspective.

      I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."

      DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

      If anything, DNSSEC makes SOPA more powerful because I can't just set up a rogue DNS server, change it to authoritative for that domain, and have it serve the IP address of that server out to its clients.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:DNSSEC by makomk · · Score: 1

      Guess who controls the DNSSEC trusted root key? That's right, an American organization.

    5. Re:DNSSEC by jon3k · · Score: 2

      They can't outright block DNS traffic. They attempted to throttle traffic, not even block, and got their hand slapped. And when you start monkeying with traffic it gets a lot harder to fall back on Safe Harbor provisions of the DMCA, which can put them in a very precarious position.

    6. Re:DNSSEC by Anthony+Mouse · · Score: 3, Insightful

      I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."

      1) That is not even close to the same argument as the one being made.
      2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.

      DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

      Removing the domain would break DNSSEC, since the removal would not be signed and the signing entity may not be subject to US jurisdiction (or may refuse on first amendment grounds etc.)

      More than that, the user can trivially work around the removal of the DNS entry merely by using a DNS server in another country. Effectively preventing the user from communicating with servers in other countries would severely break the internet, which is part of the problem that people are concerned about.

    7. Re:DNSSEC by Wrath0fb0b · · Score: 1

      DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

      Nor was it ever intended to be -- those sites (i.e. the ones within range of the Marshals) are already easy enough to deal with lawfully. The issue was when some guy in Kerbleckistan runs a server that you've got a court order against, you can't do much unless you've got the power to order DNS servers not to give out his IP or black him out of the BGs (with Marshals to back it up).

    8. Re:DNSSEC by mcrbids · · Score: 1, Insightful

      Nothing sucks balls worse than being forced to use a shitty-ass DNS lookup server hosted by a shitty-ass ISP in the middle of nowhere.

      This is what we'd call a first world problem.... I can think of quite a few things more unpleasant than being forced to use a DNS server hosted out in the middle of nowhere...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    9. Re:DNSSEC by girlintraining · · Score: 3, Insightful

      2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.

      No, haven't you heard? They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States. Constitutional rights are only for US citizens, don'tchaknow.

      --
      #fuckbeta #iamslashdot #dicemustdie
    10. Re:DNSSEC by Anonymous Coward · · Score: 0

      And there's no way to prevent someone from using another DNS server, or just a hosts file.

      I know we consider Comcast idiots, but I'm going to go out on a limb and assume that they know the IP addresses of their DNS servers and run firewalls. Limit the DNS ports to approved IPs and you've "magically" prevented someone from using another DNS server. Sure there are ways to get around it, but not in ways that most people will know.

      Yeah, hosts files are great replacements for a functioning DNS....

    11. Re:DNSSEC by mrchaotica · · Score: 1

      Constitutional rights are only for US citizens, don'tchaknow.

      Except they're not... not that the Powers That Be would care.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    12. Re:DNSSEC by DigiShaman · · Score: 1

      Oh come on! This whole topic is a first world problem. But thanks for making me out to be detached from reality.

      --
      Life is not for the lazy.
    13. Re:DNSSEC by sociocapitalist · · Score: 1

      Can do this today without DNSSEC...

      --
      blindly antisocialist = antisocial
    14. Re:DNSSEC by ftobin · · Score: 1

      I was under the impression they were injecting TCP RST packets, not throttling. Big difference.

    15. Re:DNSSEC by KiloByte · · Score: 1

      there's no way to prevent someone from using another DNS server

      for prot in tcp udp; do iptables -t nat -A PREROUTING -i lan0 -p $prot --dport 53 -j REDIRECT;done
      Use -j DNAT if the DNS server is on another box.

      Quite a bunch of ISPs do that already.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    16. Re:DNSSEC by KiloByte · · Score: 1

      People in Egypt or Syria suffer from internet censorship just the same, and for them communication is a matter of freedom or slavery. Not a first world problem in my book.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    17. Re:DNSSEC by KiloByte · · Score: 1

      That's why they want to replace "merely" oppressive law with few upsides like the DMCA with something downright ridiculous that allows censorship with impunity.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    18. Re:DNSSEC by jon3k · · Score: 1
      http://www.dslreports.com/shownews/New-Comcast-Throttling-System-100-Online-100015

      According to Comcast's filings (pdf) with the FCC, they've deployed new hardware and software close to the company's Regional Network Routers (RNRs). This hardware will flip a user from the standard "Priority Best-Effort" traffic (PBE) to lower quality of service (QoS) "Best-Effort" traffic (BE) for fifteen minutes if they're a major reason congestion exists.

    19. Re:DNSSEC by CAPSLOCK2000 · · Score: 1

      Removing the domain would break DNSSEC, since the removal would not be signed and the signing entity may not be subject to US jurisdiction (or may refuse on first amendment grounds etc.)

      More than that, the user can trivially work around the removal of the DNS entry merely by using a DNS server in another country. Effectively preventing the user from communicating with servers in other countries would severely break the internet, which is part of the problem that people are concerned about.

      In what way does changing 1 record invalidate the entire zone? Nobody transfers entire zones. You just query for the records that you need. If they are modified the DNSSEC will fail for those records, but I can't see how the rest of the zone would be affected.

    20. Re:DNSSEC by Anthony+Mouse · · Score: 1

      In what way does changing 1 record invalidate the entire zone? Nobody transfers entire zones.

      First of all, the capability for zone transfers exists, and some people do it.

      But what does that have to do with anything anyway? The problem exists just as much with even a single record. The problem is that the only secure response to a DNSSEC failure must be to raise hell: Warn the user that their DNS server is compromised and that they must change it immediately, take expensive countermeasures such as retrying against a published list of arbitrary alternative DNS servers or going straight to the root servers, etc. Effective countermeasures will be just as effective at defeating the block as at defeating fraudsters. For that reason the bill prohibits such countermeasures, which enables fraud.

    21. Re:DNSSEC by CAPSLOCK2000 · · Score: 1

      In what way does changing 1 record invalidate the entire zone? Nobody transfers entire zones.

      First of all, the capability for zone transfers exists, and some people do it.

      But no end-user ever does. The only people that actually do this are the DNS administrators themselves.

      But what does that have to do with anything anyway? The problem exists just as much with even a single record.

      As long as you don't ask for the broken records you will not be affected.

      The problem is that the only secure response to a DNSSEC failure must be to raise hell: Warn the user that their DNS server is compromised and that they must change it immediately, take expensive countermeasures such as retrying against a published list of arbitrary alternative DNS servers or going straight to the root servers, etc. Effective countermeasures will be just as effective at defeating the block as at defeating fraudsters. For that reason the bill prohibits such countermeasures, which enables fraud.

      End-users don't run DNS servers, they use a server provided by their provider. If such a server detects a failed DNSSEC request it will just ignore it completely. End-users do not validate DNSSEC. That could and should change, but will take many years to complete. Right now there is no useful way to inform the user of a DNSSEC problem.

    22. Re:DNSSEC by Anthony+Mouse · · Score: 1

      But no end-user ever does. The only people that actually do this are the DNS administrators themselves.

      How is that a reason to ignore the problem?

      As long as you don't ask for the broken records you will not be affected.

      Nonsense.

      Let's come back from this for a second and realize what DNSSEC is for. Let's suppose there is an attacker who compromises a webserver, say www2.example.com. It turns out that it's the failover backup for www.example.com, and nobody will use www2 as long as www.example.com is available. So in order to do some damage, the attacker has to divert people from www.example.com. DNS poisoning is a traditional way that attackers do this: If you make www not resolve, clients configured to automatically retry with www2 will do so. So the attacker compromises some upstream DNS server and either deletes the record for www.example.com or makes it point to the compromised server rather than the uncompromised one. DNSSEC prevents this, because the NXDOMAIN record won't be signed and so the next DNS server will detect the attempted fraud and retry against some alternative upstream DNS server or go direct to the authoritative server for that domain. If you mandate blocking by legislation, the DNS server can't do this anymore, because if it does, it will make the blocking ineffective, which the legislation prohibits. So the attacker diverts unsuspecting users to the compromised server, because the user's DNS server is prohibited from taking effective countermeasures against the DNSSEC failure.

      End-users do not validate DNSSEC. That could and should change, but will take many years to complete.

      That's the problem. The bill would prohibit the things that client software would have to do in order to make DNSSEC effective as a security measure.

    23. Re:DNSSEC by CAPSLOCK2000 · · Score: 1

      But no end-user ever does. The only people that actually do this are the DNS administrators themselves.

      How is that a reason to ignore the problem?

      DNS administrators have direct access to their own DNS servers and can work around the problem. In fact, many DNS servers prohibit zone transfers. While I realize that it is a very useful feature, it is not something that interferes with consumer-grade internet.
      We are talking about a DNS block targeted at home users, enforced at the leaves of the DNS network.
      I do not like it, but I fail to see how consumers are affected other than not being able to resolve certain addresses.

      As long as you don't ask for the broken records you will not be affected.

      Nonsense.

      Let's come back from this for a second and realize what DNSSEC is for. Let's suppose there is an attacker who compromises a webserver, say www2.example.com. It turns out that it's the failover backup for www.example.com, and nobody will use www2 as long as www.example.com is available. So in order to do some damage, the attacker has to divert people from www.example.com. DNS poisoning is a traditional way that attackers do this: If you make www not resolve, clients configured to automatically retry with www2 will do so. So the attacker compromises some upstream DNS server and either deletes the record for www.example.com or makes it point to the compromised server rather than the uncompromised one. DNSSEC prevents this, because the NXDOMAIN record won't be signed and so the next DNS server will detect the attempted fraud and retry against some alternative upstream DNS server or go direct to the authoritative server for that domain. If you mandate blocking by legislation, the DNS server can't do this anymore, because if it does, it will make the blocking ineffective, which the legislation prohibits. So the attacker diverts unsuspecting users to the compromised server, because the user's DNS server is prohibited from taking effective countermeasures against the DNSSEC failure.

      All this is still possible if you provide a blacklist to the DNS-resolver of blocked domains that should not be worked around. It's not very nice from a technical point of view, but it's certainly feasible.

      SOPA and DNSSEC are not mutually exclusive. They might lead to draconian rules that are hard to enforce, but when has that ever stopped anybody?

    24. Re:DNSSEC by Anthony+Mouse · · Score: 1

      DNS-administrators have direct access to their own DNS-servers and can work around the problem.

      You might as well say "users have direct access to their own computers and can work around the problem." How, exactly? By ignoring DNSSEC failures, thereby defeating DNSSEC because anyone can delete a record and everyone else will just assume it was SOPA?

      All this is still possible if you provide a blacklist to the DNS-resolver of blocked domains that should not be worked around. It's not very nice from a technical point of view, but it's certainly feasible.

      Only if you completely ignore scalability. DNS caching only works at all because it's O(n) on the number of transactions the specific DNS server processes rather than O(n) on the number of domains in the entire DNS. You start throwing in memory requirements that are O(n) on the number of blocked domains and scalability is totally destroyed. YouTube receives thousands of DMCA takedown notices an hour. Adding anything even vaguely resembling that number of domains to a block list every hour would quickly result in a list that exceeds the memory installed in the large majority of small DNS servers in operation.

      On top of that, if you create a real time publicly available list of blocked domains, you make it totally trivial for pirates to completely bypass the system: Every time a new domain is added to the list, the pirates can automatically add it to MAFIAAFire (or pick your favorite redirector) just by looking up the newly-added domain in a non-US DNS server and the block is bypassed before it even propagates to the majority of DNS servers. The "list of blocked domains" immediately becomes a "list of blocked domains, including their IP addresses" -- you might as well create a directory for "rogue websites" and publish it in the New York Times.

    25. Re:DNSSEC by ftobin · · Score: 1

      Thanks for the link and information; it's good to know that they're doing throttling in a more intelligent manner. You originally said that Comcast's throttling caused them to "get their hand slapped". Were you trying to get across that this "hand slapping" was done during the TCP RST injection era, or during the QoS modification era?

  4. How can I tell? by Anonymous Coward · · Score: 0

    If I go to a website that has DNSSEC, how do I know? I just went to www.comcast.com, and there is no indication or message that DNSSEC is active.

    1. Re:How can I tell? by icebraining · · Score: 1

      Only if the browser tells you, and I think they don't, at least for now. There's an addon for Firefox, though.

    2. Re:How can I tell? by scdeimos · · Score: 1

      How well does that work with servers behind round-robin DNS? Or isn't that possible with DNSSEC?

      Also funny that it says www.comcast.com is *not* secured by DNSSEC, contrary to TFA.

    3. Re:How can I tell? by Anonymous Coward · · Score: 0

      If you want to know, you can get a Firefox addon that will add either a greyed out key (DNSSEC not supported for this DNS name) a green key (verified by DNSSEC) or a yellow key (DNSSEC might work for this domain, but your machine isn't configured to enable it).

      Without the add-on, if DNSSEC is working for you, it will just work, protecting those domains which have it enabled.

  5. SOPA and DNSSEC? by Tynin · · Score: 1

    I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledgeable...

    1. Re:SOPA and DNSSEC? by girlintraining · · Score: 5, Informative

      I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledgeable...

      Well, let's try a car analogy. Before DNSSEC, anyone could put up a road sign, and you'd have no way of knowing whether it would send you the right way or not. There were a few publicized cases of cars going down the wrong road, a few pileups, but most people got to/from work everyday.

      However, some very smart people were worried some other smart people could swap the road signs. So they added smaller digital tags on the back of the signs that had a special number encoded in it and the name of the municipality that placed the sign there. You need a special box to tell you what it says. Not many people were keen on spending the money to implement this, since the only people that could read the special codes were police, firefighters, and some guys riding around in black SUVs. For the majority of drivers, nothing changed.

      Separately, these municipalities were threatened with lawsuits by very large companies and the government if they allowed signs to stay up on roads they didn't like, or went to places they didn't like... So they've been busy tearing down signage all over the place to appease these well-monied interests. Sometimes the signs being taken down have the little tags, but most of the time they don't. Drivers that are familiar with the area won't have a problem because they know the address and route already, but younger, and inexperienced drivers might not, and for them, these new laws could keep them from getting to those places.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:SOPA and DNSSEC? by shentino · · Score: 1

      Actually, what's to stop SOPA from going after verisign and telling them to change the zone info directly?

      DNSSEC only authenticates.

      But it doesn't stop a legal process from changing the authoritative information itself.

    3. Re:SOPA and DNSSEC? by Synerg1y · · Score: 1

      I like the analogy, it explains both SOPA & DNSSEC, but unless I'm missing something, they are not related in any relevant way, where one actually requires the other. Picture this, I go to the pirate bay, but SOPA blocks me, so I hop on a. a proxy b. a non-USA DNS server. I don't need b but some people do. Now... to the point... if TPB is running DNSSEC and the DNS server I'm on doesn't have a valid signature for the TPB cert, and doesn't allow non-cert users, I'd be screwed. Except... the web admin of TPB isn't that fuckin stupid. I mean he'd have to live under a rock to not know to disable DNSSEC on TPB lol. Thus they can only be related in really abstract scenarios.

      Correct me if I'm wrong :) I haven't done heavy reading on this, but signed certs (public/private key model) aren't new except maybe to dns.

    4. Re:SOPA and DNSSEC? by jon3k · · Score: 1

      SOPA doesn't stop any competent person from getting to anything.

    5. Re:SOPA and DNSSEC? by JesseMcDonald · · Score: 4, Insightful

      The relationship is the other way around. SOPA is a law which forces ISPs and registrars within its jurisdiction to block certain DNS requests. DNSSEC is a means of signing both individual domain records and chains of domains so that you know that the domain data and/or NXDOMAIN (No Such Domain) response to your request is authentic, provided you can trust the operators of the higher-level domains up to the DNS root, or another anchor point for which you can check the key.

      Assuming that TPB has a domain outside SOPA's jurisdiction, and you either have an anchor for that TLD or trust the root domain, this means that while your ISP can still refuse to give you the address for TPB's domain (with either no response or a server error), it can't supply the wrong address or claim that the domain doesn't exist, since you would immediately know that it's lying.

      The operator of TPB would have to be stupid not to enable DNSSEC, if it's available for that TLD, since it serves to prevent visitors from being silently redirected to some other site. Using DNSSEC doesn't give ISPs an additional way of blocking your site; on the contrary, it makes it much more obvious when they attempt to do so.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    6. Re:SOPA and DNSSEC? by nullchar · · Score: 1

      Exactly, SOPA DNS blocking won't be limited to recursive resolvers at ISPs, it will be implemented at the registry level. VeriSign will get the order and remove the name servers for ThePirateBay.com from the .com zone file.

    7. Re:SOPA and DNSSEC? by nullchar · · Score: 1

      You're wrong because DNSSEC is backwards compatible. The authoritative servers can sign TPB.org tomorrow, and until people use DNSSEC-enforced DNS resolvers, it won't matter. Your regular old DNS resolver will simply ignore the RRSIG records and the signed hierarchy. Now if you're a Comcast user, you will be able to validate the response: meaning visiting TPB.org won't send you to a bogus site because the A record can't be poisoned.

    8. Re:SOPA and DNSSEC? by Anonymous Coward · · Score: 5, Informative

      It's not about disabling DNSSEC. DNSSEC allows a resolver (your machine) to verify that the DNS answers it gets (from a cache, an ISP server, or wherever) are authentic records from the DNS hierarchy. Without DNSSEC you just accept whatever you're told on trust. Your ISP, or some script kiddie in Poland, can fuck with the answers and your first clue will be when TPB is just a blank page saying piracy is illegal or call Czeslaw for a good time.

      The point is that DNSSEC will still tell the truth even when the government requires your ISP to lie to you. If you ask "Where is TPB?" under DNSSEC the only possible answers are "Here is the true authentic address for TPB" or "Error, someone is fucking with your DNS resolution". The US government would love the answer to be "Here is a US government web site reminding you that you are the property of Corporate America and subject to its whims" but DNSSEC rules that out. For US registries (like com) the US government can just go tell the registry operator to do what it says or go to jail. But to change the answers to the questions in non-US registries the most obvious option US government has is to put a bunch of men with guns on a helicopter, fly into another country and go break down the doors of the relevant DNS registry and insist they change the authentic records so that DNSSEC checks out OK.

      Now I'm sure in the heads of the average 60-something senator voting for these measures that sounds proportionate. It's terrorists, or something, right? We're fighting a war here - the blood of patriots must flow and so on. But when you explain to a Navy seal that he's to go risk his neck so some fucker in a Hollywood corner office can afford to buy an extra yacht, that's going to stick.

      Nobody is going to give that order. So if you have DNSSEC, the results of SOPA will be that you see errors every time you hit a page the government is censoring. Consider it your daily reminder that the US government works for the guy with the deepest pockets.

    9. Re:SOPA and DNSSEC? by Anonymous Coward · · Score: 1

      So says a future example of somebody who makes a couple mistakes and gets their IP logged... Or you never do anything but are merely accused of it.

      It moves warnings and civil legal actions to the government so the tax payers have to pay to go after these people for free.

    10. Re:SOPA and DNSSEC? by jroysdon · · Score: 1

      You can validate all responses with no DNSSEC support in your DNS resolvers. All you need is the root zone key and verify from there down. Example: run your own BIND server with DNSSEC enabled and never use your ISP's.

  6. Comcast supports SOPA by pavon · · Score: 4, Insightful

    Given that Comcast has been more proactive about implementing DNSSEC than all the other major ISPs, I was very surprised to learn that they support SOPA, which will make it impossible for ISPs to implement DNSSEC. I assume that their stance is motivated by the fact that they own half of NBC, and I wonder how their engineering staff plans on handling this situation if the bill is passed.

    1. Re:Comcast supports SOPA by Captain+Splendid · · Score: 1

      and I wonder how their engineering staff plans on handling this situation if the bill is passed.

      Belatedly, and with much gnashing of teeth? I mean, it's not like corporate divisions play well together...

      --
      Linux, you magnificent bastard, I read the fucking manual!
    2. Re:Comcast supports SOPA by djl4570 · · Score: 3, Informative

      Here's a place to start: http://en.wikipedia.org/wiki/SOPA#Negative_impact_on_DNS.2C_DNSSEC_and_Internet_security It's Wikipedia, so verify the cites.

    3. Re:Comcast supports SOPA by shentino · · Score: 4, Interesting

      DNSSEC won't prevent SOPA from being enforced.

      The registries holding the authoritative records can still be compelled to change the master data they send.

    4. Re:Comcast supports SOPA by djl4570 · · Score: 1

      I apologize. I meant to reply to the previous post.

    5. Re:Comcast supports SOPA by DigiShaman · · Score: 1

      They will be forced to kick the sand castle and stick you -the subscriber- with the bill via increased subscription rates.

      --
      Life is not for the lazy.
    6. Re:Comcast supports SOPA by Synerg1y · · Score: 1

      Of course they do, they wanted to throttle p2p bandwidth back in the day and got shot down. They are very very conscientious of their bandwidth for how big they are.

    7. Re:Comcast supports SOPA by Anonymous Coward · · Score: 0

      DNSSEC won't prevent SOPA from being enforced.

      The registries holding the authoritative records can still be compelled to change the master data they send.

      Not if they're in .ca, .org, or any of hundreds of other TLDs that aren't controlled by a US-based company.

    8. Re:Comcast supports SOPA by rduke15 · · Score: 1

      Not if they're in .ca, .org, or any of hundreds of other TLDs that aren't controlled by a US-based company

      Do you mean that it would only affect .com domains? In that case, what's all the fuss about. If it only targets spammers, who cares?

    9. Re:Comcast supports SOPA by Tynin · · Score: 1

      Thanks!

    10. Re:Comcast supports SOPA by Anonymous Coward · · Score: 0

      Right hand does not know what the left hand is doing. This will result in some entertainment.

      Be right back, going to get some popcorn and one of those bladder-buster drinks.

    11. Re:Comcast supports SOPA by The+End+Of+Days · · Score: 0

      Hey, if these people would put half the energy into creating something as they do bitching that they can't get the creations of others for free... well, I don't know, do I? Because they spend all of their energy bitching.

    12. Re:Comcast supports SOPA by Anonymous Coward · · Score: 0

      I actually I think the right hand knows exactly what the left hand is doing and is intentionally working at cross purposes. The left hand however, is pretty clueless.

    13. Re:Comcast supports SOPA by TemporalBeing · · Score: 1

      Given that Comcast has been more proactive about implementing DNSSEC than all the other major ISPs, I was very surprised to learn that they support SOPA, which will make it impossible for ISPs to implement DNSSEC. I assume that their stance is motivated by the fact that they own half of NBC, and I wonder how their engineering staff plans on handling this situation if the bill is passed.

      DNSSEC might make SOPA easier but would require the cert signing party to participate as well to do so...then you just get Microsoft to require valid DNSSEC signatures on all DNS lookups and most of the world will have an issue when the cert is revoked. Of course, the hard core folks will simply move off of Windows as a result...but they probably aren't using Windows already...

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  7. Just in time! by Anonymous Coward · · Score: 0

    Just in time for...that SOPA bill to break it? The same SOPA that Comcast supports?

    I'm confused now. Why are they implementing a system that will break once the laws they support get passed?

    1. Re:Just in time! by djl4570 · · Score: 1

      Maybe this is Comcast Engineers mooning the corporate overlords who support it.

    2. Re:Just in time! by TheBrez · · Score: 5, Interesting
      Simple. The technical people at Comcast are highly skilled intelligent people. They aren't senior level techs at one of the largest ISPs in the world by being idiots. The legal department on the other hand is staffed by money-sucking weasels (like all legal departments are) who are supporting stupidity in legislation without bothering to talk to their highly skilled technical people about whether this braindead legislation is even technically POSSIBLE to implement. The technical people no doubt KNOW that SOPA is impossible with DNSSEC. Hence they're encouraging everyone to move to DNSSEC as quickly as possible, so in the event that Congress screws up and passes this abortion of a bill at the behest of the large content providers and intellectual property bandits, they'll find out that it doesn't work on large portions of the Internet, thus pissing off their constituents even more, and causing a large shift in political goodwill towards their opponents.

      Has anybody suggested asking the current political candidates their views on SOPA? If you live in the US, and your Congressperson is listed as a Co-sponsor of the bill, or listed as an opponent of the bill, have you contacted them to voice your opinion? Votes are all that matters to politicians. A few hundred calls/emails to their office telling them that this is a flawed bill, and it WILL result in your vote going to their opponent can quickly change their minds on what matters to them.

      http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR03261:@@@P
      That's the current list of SOPA co-sponsors.

  8. And how can I use it on my BIND server? by rduke15 · · Score: 2

    I have a dozen domains on my own server. If I would like to use DNSSEC, is there a good practical how-to guide on what I would have to do to my bind configuration?

    And would I need to buy a certificate? Currently I just use my own CA and certificates for encryption of my mail traffic and a few private web pages. I really don't want to give money to some anonymous foreign company so that they can "certify" who I am. After all, I should know who I am better than they would.

    1. Re:And how can I use it on my BIND server? by icebraining · · Score: 5, Informative
    2. Re:And how can I use it on my BIND server? by Above · · Score: 3, Informative

      There is no need to buy a certificate. DNSSEC does not use X.509 certificates. You generate your own keys and provide them to your registrar to be published upstream.

      ISC has recently added "auto DNSSEC signing" to BIND, which may be the easiest way for most folks to add DNSSEC. This page has some information:

      http://www.isc.org/community/blog/201006/bind-972-and-and-automatic-dnssec-signing

      Here's a post with more info:

      http://netlinxinc.com/netlinx-blog/45-dns/133-bind-970-part-4-automatic-zone-signing.html

    3. Re:And how can I use it on my BIND server? by nullchar · · Score: 5, Informative

      You can fairly easily sign your zones using Bind: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch04.html#DNSSEC

      This takes a few steps:
        * Generate keys - a zone-signing key (ZSK) and a key-signing-key (KSK) - usually a pair of keys for each zone
        * Sign your zones - well, the records inside them
        * Now use your zone.signed file as the zonefile that Bind serves up

      Next, once you query your server and everything looks good, you need to ship either the DNSKEY record or DS (digest of the key) to your registrar *. They will ship that to the registry, which signs either your key or digest. Most gTLDs (.com/.org) require only DS records, while ccTLDs (.de/.eu) require DNSKEY records.

      Then, as long as you're using a DNSSEC aware resolver, you can test the hierarchy of the signed zone:

      dig @149.20.64.21 comcast.com any +dnssec

      Look for the "ad" bit set in the Flags section. If you just want to see the keys in this example, simply limit dig to that RR type:

      dig @149.20.64.21 comcast.com dnskey +multiline +dnssec

      DNSKEY 257 is the key-signing-key, which was sent to the registry, while DNSKEY 256 is the zone-signing key. Dig +trace to see the DS records at the .com registry - they host two different digests for the same key tag/id (35356):

      dig comcast.com dnskey +multiline +dnssec +trace

      You'll often notice zones with multiple keys - you must support more than one key at a time to enable key rotation. E.g. You, as an authoritative server operator, may wish to rotate your zone-signing key fairly often, while you may wish to rotate the key-signing-key once per year. Each registry decides the expiration of the key or digest they are storing.

      * = Not all registrars support DNSSEC; once you sign your domain you cannot transfer the domain to a non-DNSSEC enabled registrar. Either you have to un-sign it or transfer it somewhere else.

      There is no certificate authority involved, as the DNS hierarchy contains the signature chain, from the root servers, to each TLD, to each domain. One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required! A browser can use the DNSSEC validated response to match the public key (or more likely, fingerprint) to the web server it is connecting with. You can already use DNS to publish SSH key fingerprints, now you can sign that record for even more trust.
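      As an added worked example (not nullchar's code, and not taken from BIND or DNSSEC-Tools), here is the arithmetic behind the two things the post says you ship to the registrar: the key tag that dig prints as "key id" (RFC 4034 Appendix B) and the DS digest over the canonical owner name plus DNSKEY RDATA (RFC 4034 Section 5 and RFC 4509 for SHA-256). It also shows why 257 is the KSK and 256 the ZSK: 256 is the zone-key flag and the extra 1 is the Secure Entry Point bit. The DNSKEY line it parses is constructed; its public-key bytes are not a real RSA key, they only exercise the checksum, and the owner name is deliberately mixed-case to show the canonicalisation.

```python
"""Key tag and DS digest for a DNSKEY, as a zone operator checks them before
shipping the DS to the registrar. Added example; the sample key is constructed."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}
FLAG_ZONE_KEY = 0x0100  # "256": the key signs this zone
FLAG_SEP = 0x0001       # "+1": Secure Entry Point, conventionally the KSK


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the root label (RFC 4034 Section 6.2)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the RDATA. It is a 16-bit hint for
    choosing among several keys, not a hash: collisions are legal."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), uppercase hex."""
    try:
        h = DS_DIGEST_ALGOS[digest_type]
    except KeyError:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return h(owner_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR as dig prints it, with or without
    +multiline parentheses and a trailing ';' comment. Returns (owner, rdata)."""
    text = line.split(";")[0].replace("(", " ").replace(")", " ")
    toks = text.split()
    idx = toks.index("DNSKEY")          # ValueError if this is not a DNSKEY RR
    owner = toks[0]
    flags, protocol, algorithm = (int(t) for t in toks[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(toks[idx + 4:]))
    return owner, dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_role(flags: int) -> str:
    """Explain the flags field the way the post describes 257 and 256."""
    if not flags & FLAG_ZONE_KEY:
        return "not a zone key"
    return "KSK (SEP set, 257)" if flags & FLAG_SEP else "ZSK (256)"


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS RR a gTLD registrar expects for this key."""
    algorithm = rdata[3]
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type,
        ds_digest(owner, rdata, digest_type))


if __name__ == "__main__":
    # Constructed sample: the key bytes are NOT a real RSA key; the odd byte
    # count exercises the "shift even bytes, add odd bytes" rule of the tag.
    sample = "Example.COM. 3600 IN DNSKEY 257 3 8 ( AQIDBAU= ) ; constructed"
    owner, rdata = parse_dnskey(sample)
    flags = struct.unpack("!H", rdata[:2])[0]
    print(key_role(flags), "key tag", key_tag(rdata))
    print(ds_record(owner, rdata))
```

      Paste a real KSK line from `dig ... dnskey +multiline` into `parse_dnskey` and compare `key_tag` and `ds_record` with what `dig +trace` shows at the parent; a mismatch there is the usual reason a freshly signed zone validates locally yet comes back bogus from a validating resolver.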

    4. Re:And how can I use it on my BIND server? by mcrbids · · Score: 2

      One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required!

      I have felt that this is a good idea for a very long, long, long time. The thing on the Internet that tells you where to go to get to a domain name is the DNS server. Thus, the owner of the DNS server really should be the source of the certificate public keys, not some random 3rd party whose true interests lie in selling certificates more cheaply and doing just enough certification that they aren't actually deemed to be insecure.

      It's a race to the bottom. DNSSEC, on the other hand, allows the owners of a domain to determine just how seriously they take security.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    5. Re:And how can I use it on my BIND server? by hardaker · · Score: 3, Informative

      Signing your own zone is trivial and you don't need to pay anyone. I even created a simple, short video on the subject using the DNSSEC-Tools components: http://www.youtube.com/watch?v=7ksgTFxAg6U

      Though I'm associated with the above project, I actually don't care what tool set you use: just sign your zone!

      --
      The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
    6. Re:And how can I use it on my BIND server? by dlgeek · · Score: 0

      There is no certificate authority involved, as the DNS hierarchy contains the signature chain, from the root servers, to each TLD, to each domain. One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required! A browser can use the DNSSEC validated response to match the public key (or more likely, fingerprint) to the web server it is connecting with. You can already use DNS to publish SSH key fingerprints, now you can sign that record for even more trust.

      Ostensibly, CAs validate more than ownership of a domain - they're supposed to tie a legal entity to the website, in order to prevent bankofarmerica.com from MITMing your connection to your bank. You should theoretically check that the entity is the one you expect - headquartered in such-and-such a state, etc. Realistically, no one did, and so now we have EV certs to try to make that more visible. Where we go from here is another question....

      TL;DR: CAs are supposed to speak to more than just domain ownership.

    7. Re:And how can I use it on my BIND server? by rduke15 · · Score: 1

      Thank you. But I'm afraid I don't have the patience to watch a 12 minute video. What is this new trend of making videos for stuff which would be so much more useful in a written document? Doesn't this project have a web page which I can skim through to get an idea, read in detail if interested, and from which I can copy/paste relevant commands when needed?

      I must be too old...

    8. Re:And how can I use it on my BIND server? by hardaker · · Score: 2

      No, I agree with you. But it is the new trend because some people definitely prefer to see it over time rather than over a page. Color me confused as well.

      But we have a text version as well, so never fear: https://www.dnssec-tools.org/wiki/index.php/Sign_Your_Zone

      --
      The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
    9. Re:And how can I use it on my BIND server? by tepples · · Score: 1

      But we have a text version as well

      In the description of your video on YouTube, you can give the URL of the transcript. That way people who prefer video can watch the video, and people who prefer to read the transcript can click away and do so.

    10. Re:And how can I use it on my BIND server? by hardaker · · Score: 1

      True, though it's not a transcript: it's a very different set of text. I don't think transcripts are useful because they're designed around a video. The web page, on the other hand, is a tutorial that is independent of the video.

      Side note: the video describes other tools as well, not just zonesigner. The web page only has zonesigner on it (though you could go find the similar pages for donuts, lsdnssec, etc, that the video shows)

      --
      The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
    11. Re:And how can I use it on my BIND server? by leighklotz · · Score: 1

      The text version doesn't answer this question: before I sign the zones the first time, shouldn't I update the serial number in the SOA record from the current published one? That is, is the sequence 1. edit zone file to update serial 2. sign zone 3. publish new zone.signed instead of old zone file?

    12. Re:And how can I use it on my BIND server? by hardaker · · Score: 1

      Yes, you should, because you're still modifying the data (it's just the DNSSEC data that's getting modified in this case, even if your normal "usage" data isn't).

      --
      The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
  9. Nope by pavon · · Score: 3, Informative

    In the case of registries outside of US jurisdiction, SOPA requires all ISPs within the US to filter domain name requests for allegedly infringing sites, when ordered by the US Attorney General.

    1. Re:Nope by Anonymous Coward · · Score: 1

      Yup, but DNSSEC means this will cause an error. You can't "just" censor the requests. DNSSEC can tell the difference between the legit answer and any fake answer or non-answer.

      I.e., if you're an ISP, the Attorney General is asking you to eat an enormous customer support bill in order that some other company can get richer.

    2. Re:Nope by failedlogic · · Score: 1

      Pfft. defeating SOPA is easy.

      1. Become the US Attorney General.
      2. Run your own root DNS server
      ???
      4. Profit!!

      Now, that wasn't too hard.

    3. Re:Nope by azalin · · Score: 1

      You could just replace 2. with receive "campaign funding from interested parties" and skip directly to the profit part.

    4. Re:Nope by Ash-Fox · · Score: 1

      Yup, but DNSSEC means this will cause an error. You can't "just" censor the requests. DNSSEC can tell the difference between the legit answer and any fake answer or non-answer.

      You could just simply not send a DNS response at all.

      Browsers would just show an error like this:

      Server not found

      Firefox can't find the server at www.awawdmawda.adwada.
      Check the address for typing errors such as
              ww.example.com instead of
              www.example.com
          If you are unable to load any pages, check your computer's network
              connection.
          If your computer or network is protected by a firewall or proxy, make sure
              that Firefox is permitted to access the Web.

      DNSSEC won't know any better; there is nothing in the DNSSEC protocol for even handling a lack of response.

      if you're an ISP the Attorney General is asking you to eat an enormous customer support bill in order that some other company can get richer.

      I don't think so. Person has DNS failure on well known piracy site = Huge support costs. What?

      --
      Change is certain; progress is not obligatory.
  10. Laconic answer by Tenebrousedge · · Score: 2

    "If"

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
  11. comcast also has a lot clueless mangers / PHB by Joe_Dragon · · Score: 1

    With the size of Comcast and how its tech is set up, people in one area do not know what the other is doing.

    Being built on lots of systems that became Comcast by buying up other systems does not help them stay on the same page.

    Sometimes the call center has a hard time telling the techs / installers basic stuff like needing a cable card for the job.

  12. What I see happening... by Anonymous Coward · · Score: 1

    I think for those that mentioned that it would be illegal or ISPs would block you from using a non-approved DNS, it could be realistic. The FCC/US government has done something similar in the recent past. The 860 MHz analog cellular region comes to mind. Cellular companies were using unencrypted, clear, unaltered audio over this frequency range. People with police scanners or a TV with an analog UHF tuner could pick up all phone conversations in the clear. The phone companies fucked up and asked the government to step in and help so they could ease public concern and still sell phones without using readily available technology to encode the audio. The FCC did step in: they made it illegal for someone to listen in, then they banned the sale of scanners that could tune to this region, then they banned the "easy" bypassing of the ban and the act of reprogramming the scanner to get these signals. They even tried other measures for those that had scanners that could receive images of those frequencies. It was a cat and mouse game. All to prop up the phone companies' profits and to prevent them from paying for their shortsightedness. I'm sure the IP lobbyists are a much greater force now and could get something like banning "rogue" DNS servers passed into a law.

  13. OpenDNS DNSCrypt by Anonymous Coward · · Score: 1

    If you're so gung ho about OpenDNS you might like their DNSCrypt. It basically tunnels DNS through an encrypted tunnel direct to OpenDNS. It's not DNSSEC. But if you trust OpenDNS to not be evil or pwned it might be better since it would immediately apply to all sites, not just the few that currently implement DNSSEC.

  14. I like this approach by Trax3001BBS · · Score: 1

    I've just recently seen email coming to me with a "DKIM-Signature"
    "DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit."
    http://www.dkim.org/

    While the e-mail came from across the pond, these go through Yahoo and seem to be a part of their system.
    I haven't researched it any further than that.

    I like these approaches though, it avoids using the Trusted Platform Module (TPM).
    http://en.wikipedia.org/wiki/Trusted_Platform_Module

  15. They go from bankruptcy, to monopoly by Anonymous Coward · · Score: 0

    They own ALL of the cable companies in Pennsylvania; they have most if not all counties, townships, blah blah, etc. paid off by giving the township employees free phones and cable. You cannot even get any other competitor to come in to offer lower priced service. I've been bitching about this to local politicians; they just stroke themselves off and could care less (really not surprising, that's about all they do). The FTC goes and protects Apple, and MS, and Comcast. This is silly... We have a reverse of communism: companies that dictate to everyone.

  16. Except comcast.net is not signed by Anonymous Coward · · Score: 0

    I like Comcast's DNSSEC resolvers and movement to incorporate it on their regular name servers, and to promote DNSSEC. However, they apparently could not convince comcast.net to go along, while the blog site is in fact signed. Let's see if they fix it.

    http://dnsviz.net/d/comcast.net/dnssec/

  17. Plead the 14th by tepples · · Score: 1

    They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States.

    That would take two-thirds of both houses and three-fourths of the states because as I understand it, the Fourteenth Amendment locks in the citizenship of anyone born here.

    1. Re:Plead the 14th by Anonymous Coward · · Score: 0

      Quarter. The word is "quarter". There is no such fraction as a "fourth".

      And while you're at it, "once" and "twice" are "once" and "twice", not "one time" and "two times". Fucking Yanks, stop retarding up my language just because you're all thick as pigshit.

    2. Re:Plead the 14th by tepples · · Score: 1

      There is no such fraction as a "fourth".

      Article V of the Constitution disagrees with you: "...ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof..."

    3. Re:Plead the 14th by Anonymous Coward · · Score: 0

      Quarter. The word is "quarter". There is no such fraction as a "fourth".

      And while you're at it, "once" and "twice" are "once" and "twice", not "one time" and "two times". Fucking Yanks, stop retarding up my language just because you're all thick as pigshit.

      There is in America, where we speak American. So take that, ya damn wanker.

    4. Re:Plead the 14th by rubycodez · · Score: 1

      they already can imprison you indefinitely or assassinate you or sexually molest you or your children "for cause", anything else being discussed is just icing on the cake for our police state

  18. Comodo is already fighting this by tepples · · Score: 1

    I have felt that this is a good idea for a very long, long, long time. The thing on the Internet that tells you where to go to get to a domain name is the DNS server. Thus, the owner of the DNS server really should be the source of the certificate public keys, not some random 3rd party whose true interests lie in selling certificates more cheaply and doing just enough certification that they aren't actually deemed to be insecure.

    Which means random third parties will try other methods to sell certificates. A CA might, say, fork Chrome and have it give a warning page for any certificate that isn't EV. Comodo Dragon already does this: "The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business."

  19. ccTLDs out of USA jurisdiction by tepples · · Score: 1

    Actually, what's to stop SOPA from going after verisign and telling them to change the zone info directly?

    The fact that the U.S. Government lacks jurisdiction to do that to offshore registries not controlled by VeriSign or any other U.S. entity, such as the many country code TLDs used in cute domain hacks.

  20. Comcast saturates Tata by tepples · · Score: 1

    That's because Comcast likes to cheap out and not buy enough upstream, allowing its connection to Tata to saturate for much of the day.

  21. Four tickets to Golden Corral by tepples · · Score: 1

    I'm saying that when you share an internet connection you naturally use more.

    Allow me to make an analogy: Four tickets to an all-you-can-eat buffet cost more than one.

  22. Comcraptic signing its doms and customers: NOT! by lpq · · Score: 1

    Being an unfortunate slob who lives in an area serviced by Comcast's fantastic stated speed of 16M/2M (they won't upgrade this area, as they don't consider it "financially attractive enough", tied to it being an area that is about 25% poorer than surrounding counties (and having notably poorer health care, as the feds reimburse the area about 25% less for Medicare)),

    I'm tied to Comcast (DSL would give me 3M/768). I can say they have not even contacted some of their customers about signing their hosted domains. ;-./

  23. Comcast Business Class by tepples · · Score: 1

    unless Comcast has a way of increasing the cap by spending more money

    Yes, and it's called Comcast Business Class. I've been told that you have to talk to a different division of the company to get it set up, so it might be confusing at first.