Comcast DNSSEC Goes Live
An anonymous reader writes "In a blog post, Comcast's Jason Livingood has announced that Comcast has signed all of its (5000+) domains in addition to having all of its customers using DNSSEC-validating resolvers. He adds, 'Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names.'"
There won't be much point to this if SOPA / PIPA passes, requires DNS redirects, and bans circumvention.
Yes, and for our next trick, we're going to disable end-users' ability to do their own DNS lookups to only our servers -or- selectively deny DNS lookups that have a destination outside the United States. You know... to stop people from getting around SOPA and other anti-piracy measures. YAY DNSSEC! /sarcasm.
#fuckbeta #iamslashdot #dicemustdie
Are you really getting anywhere near 250 GB of use per month? I know use tends to grow over time, but we use ours constantly and haven't hit over 80 GB or so in a month. And how much additional usage do you really think DNSSEC will generate for an end-user?
I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledgeable...
Given that Comcast has been more proactive about implementing DNSSEC than all the other major ISPs, I was very surprised to learn that they support SOPA, which will make it impossible for ISPs to implement DNSSEC. I assume that their stance is motivated by the fact that they own half of NBC, and I wonder how their engineering staff plans on handling this situation if the bill is passed.
I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.
What do you download that exceeds 700+GB? That's 25GB/day, which seems like an awful lot of data.
My household watches several hours of Netflix a day (we have no cable TV and watch Netflix streaming TV shows & movies), and as far as I know, we've never hit our Comcast cap.
Probably high definition Japanese porn, which is ironic since it's blurred out anyway.
-Xoltri
Ever hear of High definition porn? Silly I know but porn sites are typically the leaders, when it comes to streaming content quality. You can practically count the ingrown hairs, from a pornstar's Brazilian wax.
I have a dozen domains on my own server. If I would like to use DNSSEC, is there a good practical how-to guide on what I would have to do to my bind configuration?
And would I need to buy a certificate? Currently I just use my own CA and certificates for encryption of my mail traffic and a few private web pages. I really don't want to give money to some anonymous foreign company so that they can "certify" who I am. After all, I should know who I am better than they would.
if you bought any ridiculously cheap games from Valve's Steam service over the holidays you could hit that without even spending $20.
Maybe this is Comcast Engineers mooning the corporate overlords who support it.
That's always helpful. Accuse those that use more bandwidth than you of pirating because there is no conceivably legitimate way someone could use that in a month. That's always helpful.
Only if the browser tells you, and I think they don't, at least for now. There's an addon for Firefox, though.
Dilbert RSS feed
Ever hear of High definition porn? Silly I know but porn sites are typically the leaders, when it comes to streaming content quality. You can practically count the ingrown hairs, from a pornstar's Brazilian wax.
Hey, I grew up in the day of ASCII porn that was printed out on 132 column green-bar paper - I'd probably be appalled at what I could see in High Def video porn. And based on your comment, it does sound appalling.
Has anybody suggested asking the current political candidates their views on SOPA? If you live in the US, and your Congressperson is listed as a Co-sponsor of the bill, or listed as an opponent of the bill, have you contacted them to voice your opinion? Votes are all that matters to politicians. A few hundred calls/emails to their office telling them that this is a flawed bill, and it WILL result in your vote going to their opponent can quickly change their minds on what matters to them.
http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR03261:@@@P
That's the current list of SOPA co-sponsors.
In the case of registries outside of US jurisdiction, SOPA requires all ISPs within the US to filter domain name requests for allegedly infringing sites, when ordered by the US Attorney General.
Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.
DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.
Troll rating: 8/10. It was a good, subtle effort. You get people off topic, since data caps are highly contentious and Comcast is unpopular so that will gather several responses, and extra points for getting the first post so that no one with an on-topic post can precede you. In addition to that, you picked a topic that might otherwise have led somewhere productive, because of the tie in between DNSSEC and SOPA (which is an important, relevant, and time-sensitive topic at this point). You may wish to apply for remuneration with pro-SOPA entities if you have not done so already, as they are known to pay compensation for such efforts.
250GB / month is a constant speed of a little under 100KB/sec. I use more bandwidth than that just running a VPN to a few computers in the office. While I may be far from the average user, I'm sure there's a Comcast user out there with a legitimate reason to use over 250GB / month.
"If"
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
With the size of Comcast and how its tech is set up, people in one area do not know what the other is doing.
Being built on lots of systems that became Comcast by buying up other systems does not help them stay on the same page.
Sometimes the call center has a hard time telling the techs / installs basic stuff like needing a cable card for the job.
He can't dream? Well then again, with some games...250GB game may turn out to be the dumbest, longest game ever...EA presents 'a waste of space'.
You apparently do not understand the purpose of the internet. Data caps are purely a profit mechanism. The fundamental purpose of the internet is to send data cheaply to any other point on the network. Implementing arbitrary data caps cripples its ability to do that.
Except that caps are typically up and down. Personally, I've used nearly 300gb in a single month just on crashplan.
Not quite, data caps are there so that ISPs don't have to have the bandwidth that they promise in their ads. There's something really wrong when a company can advertise something and then modify it to be something completely different via fine print that might not even be legible in the ad.
I think for those that mentioned that it would be illegal or ISP would block you from using a non approved DNS could be realistic. The FCC/US government has done something similar in the recent past. The 860 MHz analog cellular region comes to mind. Cellular companies were using unencrypted clear unaltered audio over this frequency range. People with police scanners or a TV with an analog UHF tuner could pick up all phone conversations in the clear. The phone companies fucked up and asked the government to step in and help so they could ease public concern and still sell phones without using readily available technology to encode the audio. The FCC did step in, they made it illegal for someone to listen in, then they banned the sale of scanners that could tune to this region, then they banned the "easy" bypassing of the ban and the act of reprogramming the scanner to get these signals. They even tried other measures for those that had scanners that could receive images of those frequencies. It was a cat and mouse game. All to prop up the phone companies' profits and to prevent them from paying for their shortsightedness. I'm sure the IP lobbyists are a much greater force now and could get something like banning "rogue" DNS servers passed into a law.
2.2 GB per hour (assuming HD + 5.1 audio) x 4 hours per day x 30 days per cycle = 264 GB for Netflix alone.
Is there really a tie in mechanism with DNSSEC?
Not to sound cynical, but DNS poisoning is a very real problem that I am surprised hackers have not succeeded in doing yet. For the record I hate Comcast and I am in no way defending them. When I used to play WOW the users who always lagged or were DCed were Comcast customers. Reliability is a joke. ... back to the topic DNSSEC is just encrypted DNS lookups to prevent man in the middle attacks and is used in many institutions such as banks and militaries. Hairfeet who is a top poster on /, uses Commodo Dragon as his browser simply because it uses DNSSEC to its own secure DNS servers that filter out malware domains.
I use OpenDNS as it is simple and easy to use on my computer and filters bad domains. However, it is still vulnerable to man in the middle attacks because it is not encrypted. I would prefer DNSSEC if I could actually do it.
http://saveie6.com/
No no, its great.
It's an exaggeration, but there were massive sales that meant you could fairly easily hit 250GB if you bought a few of the games that were discounted 50%+
If you're so gung ho about OpenDNS you might like their DNSCrypt. It basically tunnels DNS through an encrypted tunnel direct to OpenDNS. It's not DNSSEC. But if you trust OpenDNS to not be evil or pwned it might be better since it would immediately apply to all sites, not just the few that currently implement DNSSEC.
No, the fundamental purpose of the internet is to distribute information to any point of the world, and outside of where the bomb dropped, the system works in the event of a nuclear war. In its outset, cheap was no part of the equation, it's just so commoditized and ubiquitous now that there is an expectation.
Is there really a tie in mechanism with DNSSEC?
It is widely understood that SOPA will break DNSSEC, because it requires intermediaries to modify DNS responses, which looks to DNSSEC like a man in the middle attack (because it is one).
I know my (generally restrictive, but big in Canada) 120gb cap forced me to stop buying games on Steam as I'm nearly through the cap and I still have a week to go. LA Noire just wouldn't have fit in what I had left.
I used over 12.5GB in a few hours just watching some of TotalHalibut's "WTF is...[Game]" videos on YouTube. I'm sure 250 GB in a month would be a cinch.
I've just recently seen email coming to me with a "DKIM-Signature"
"DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit."
http://www.dkim.org/
While the e-mail came from across the pond, these go through Yahoo and seem to be a part of their system.
I haven't researched it any further than that.
I like these approaches though, it avoids using the Trusted Platform Module (TPM).
http://en.wikipedia.org/wiki/Trusted_Platform_Module
How well does that work with servers behind round-robin DNS? Or isn't that possible with DNSSEC?
Also funny that it says www.comcast.com is *not* secured by DNSSEC, contrary to TFA.
That doesn't seem like it breaks DNSSEC so much as DNSSEC exposes such attacks for what they are.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
Meh, 250GB is still a lot for a month.
Consider that a decent self-ripped DVD is only around 2GB, and a good Blu-ray around 8GB. That's around 2 hours of high definition video streaming per day, for a month, with a 250GB allocation.
These days, games are the big consumers of bandwidth, I'd imagine. Spend $30 on cheap games on Steam and you can eat through that 250GB pretty quickly.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Just wanted to say, the prudent thing to do here is to buy the games anyway. You can pause the download and it sits in your Steam library as a game you own and you can download it after the next month comes around and your cap is reset.
Random Thoughts From A Diseased Mind (Not For Dummies)
exposes such attacks for what they are.
It certainly does that, but it still breaks DNSSEC because it makes users expect DNSSEC failures under normal operation, which enables fraud because users will subsequently ignore future warnings. It further prevents client software developers from implementing countermeasures that would thwart a man in the middle attack since doing so would succeed just as well in bypassing the DNS blocking.
For example, client software might be designed so that if a DNSSEC failure occurs, the client first tries all configured DNS servers to try to get a valid response. If any of the servers is outside the country, the blocking fails. If not, the client software might then try to act as its own recursive DNS server. (Clients are normally not supposed to do this because it would put extra load on the authoritative DNS servers, but clients are normally not supposed to encounter DNSSEC failures, and doing it only in that rare circumstance would almost certainly not cause serious performance issues.) If the authoritative DNS server is outside the country (which it would be for a 'rogue site') then the blocking fails.
So either the law prohibits client software from being designed that way and the security benefits of DNSSEC are destroyed, or client software is designed to thwart a man in the middle attack and the law is a dead letter because the operators of intermediary DNS servers cannot prevent end users from receiving a true DNS response since an attempt to do so will only cause the client's DNSSEC implementation to detect and bypass the intermediary DNS server.
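The fallback order described in the comment above, as an added example that is not part of the original thread: a validating client tries each configured resolver, then its own recursion, and returns nothing rather than an unvalidated answer. The resolver functions, names and addresses are hypothetical, and an HMAC stands in for real RRSIG public-key verification so the sketch runs offline.

```python
import hashlib
import hmac

# Constructed stand-in for the zone's signing key. Real DNSSEC uses public-key
# RRSIG records chained to the root trust anchor; HMAC is an assumption made
# here only so the example runs with the standard library and no network.
ZONE_KEY = b"constructed-zone-key"
TRUE_ADDR = "192.0.2.10"         # documentation address, constructed
REWRITTEN_ADDR = "198.51.100.1"  # what a rewriting intermediary returns


def sign(name, addr, key=ZONE_KEY):
    return hmac.new(key, f"{name}|{addr}".encode(), hashlib.sha256).hexdigest()


def validates(name, answer):
    """True only if the answer carries a signature made with the zone key."""
    if answer is None:
        return False
    addr, sig = answer
    return sig is not None and hmac.compare_digest(sig, sign(name, addr))


# Hypothetical resolvers: each returns (address, signature) or None.
def rewriting_resolver(name):
    # The intermediary changes the address but cannot sign for the zone.
    return (REWRITTEN_ADDR, None)


def stripping_resolver(name):
    # Correct address, signature removed: still bogus for a signed zone.
    return (TRUE_ADDR, None)


def honest_resolver(name):
    return (TRUE_ADDR, sign(name, TRUE_ADDR))


def authoritative_lookup(name):
    # Stand-in for the client walking the delegation chain itself.
    return (TRUE_ADDR, sign(name, TRUE_ADDR))


def resolve(name, resolvers, recurse=None):
    """Return (address, source, failed_sources); address is None if nothing validates."""
    failed = []
    for label, resolver in resolvers:
        answer = resolver(name)
        if validates(name, answer):
            return answer[0], label, failed
        failed.append(label)  # validation failure: record it and try the next server
    if recurse is not None:
        answer = recurse(name)
        if validates(name, answer):
            return answer[0], "own-recursion", failed
        failed.append("own-recursion")
    return None, None, failed  # fail closed: never hand back an unvalidated answer


if __name__ == "__main__":
    servers = [("isp", rewriting_resolver), ("stripped", stripping_resolver)]
    print(resolve("example.test", servers, recurse=authoritative_lookup))
```

The list of failed sources is the part worth logging: a resolver that repeatedly fails validation while others succeed is the signal the comment is talking about.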
From what I've read, SOPA would indeed outlaw programs that circumvent its domain theft. It seems like SOPA is going to do nothing but destroy.
The best possible outcome to hope for is for the rest of the world to develop and use DNSSEC and other technologies, and leave the US behind its great firewall. I'd say that I'm glad that I live in Canada, but our ruling Conservatives are pure evil and do whatever the US Government tells them to (and I say this as a semi-conservative myself), so eventually Canada will be just as bad off.
Know of any countries where the politicians aren't bought by special interests and where the country values freedom? Maybe Switzerland. I wonder if they take in immigrants.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
I'm upset because they're engaging in fraudulent advertising and most people aren't smart enough to realize it. I just want what they promised when I was looking for an ISP, no more no less. If they can't provide what it is that they're advertising then they sure as hell shouldn't be advertising it.
And as for your quip about price, my ISP offers much faster connections for about what I'm paying in other parts of the country, I don't think bitching about the price is really unreasonable.
Then again, you're either a troll or a Republican, in either case I doubt you have the brain cells to comprehend the situation.
why spend the money now and not have the game...just wait til you plan on downloading it
have you seen my sig? there are many others like it but none that are the same
Seriously what are you downloading with 700+ GB a month? I do a lot of gaming, streaming, downloading, etc and I don't come close to the cap.
Some of us aren't perma-bachelors living in a basement paying for our own personal internet connection.
We have 2 adults and 2 teens living in this house, and I doubt our 300 GB cap will be sufficient for long.
Does it make you happy you're so strange?
We have 2 adults and 2 teens living in this house, and I doubt our 300 GB cap will be sufficient for long.
Then have each adult pay for one teen rather than having one adult pay for the other adult and both teens.
How can one DO SOMETHING when all five major television news outlets (ABC, CBS, CNN, Fox, and NBC) are owned by parent companies of motion picture studios with enough money to DO MORE about unDOing your SOMETHING?
They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States.
That would take two-thirds of both houses and three-fourths of the states because as I understand it, the Fourteenth Amendment locks in the citizenship of anyone born here.
I have felt that this is a good idea for a very long, long, long time. The thing on the Internet that tells you where to go to get to a domain name is the DNS server. Thus, the owner of the DNS server really should be the source of the certificate public keys, not some random 3rd party whose true interests lie in selling certificates more cheaply and doing just enough certification that they aren't actually deemed to be insecure.
Which means random third parties will try other methods to sell certificates. A CA might, say, fork Chrome and have it give a warning page for any certificate that isn't EV. Comodo Dragon already does this: "The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business."
[hairyfeet] who is a top poster on /, uses [Comodo] Dragon as his browser simply because it uses DNSSEC to its own secure DNS servers that filter out malware domains.
Comodo Dragon also uses an end-run around the oft-repeated suggestion to use DNSSEC to replace CAs: any cert that isn't EV gets a warning page.
Actually, what's to stop SOPA from going after verisign and telling them to change the zone info directly?
The fact that the U.S. Government lacks jurisdiction to do that to offshore registries not controlled by VeriSign or any other U.S. entity, such as the many country code TLDs used in cute domain hacks.
That's because Comcast likes to cheap out and not buy enough upstream, allowing its connection to Tata to saturate for much of the day.
Streaming HD netflix, Blockbuster, and Amazon videos on 3 computers at the same time can easily hit that, all 100% legal, and for roughly $30 average per month. That also does not take into account legal file trading (torrenting Linux OS distros), online gaming, with constant game updates and map downloads, or any other number of legal, and bandwidth intensive, applications.
You are so funny. The fundamental purpose of the internet is to make money for its providers. Comcast, AT&T, Verizon, they don't make communications solutions or connectivity solutions, they make money. Period. End of story.
No, tell the teens to get a fucking job and pay for their internet and cell use. This will help them later in life. I started working at age ten with lawn cutting, snow shoveling, car washing, etc. to fund my electronics hobby. Even the "allowance" my parents gave me was for a checklist of weekly jobs.
I started working at age ten with lawn cutting, snow shoveling, car washing, etc. to fund my electronics hobby.
Once one of my cousins considered doing this, but it turned out that "we already have someone else doing this; thanks anyway." In such a situation, how do you recommend that a child in middle school or high school perform such work? Could you recommend a safe way for a child to commute to another neighborhood in order to perform those jobs there? I'm probably missing something fundamental; what is it?
Sounds like some BS to me. If we take the 80GB as the average monthly usage that leaves 170GB worth of new games you just bought on Steam with a 250GB cap. 6GB is on the higher end for most games, though there are a few that come in around 10GB. Most of the 10+GB games are probably $50 in normal pricing on Steam and chances are most of those weren't much lower than 33% off with 50% off being the cap. I'd say it's probably a pretty safe assumption that you likely spent well over $500, if not $750, on games you downloaded just to hit 170GB of games.
"Lack of speed can be overcome. In the worst case by patience." --Znork
My point flew over your head.
I'm saying that when you share an internet connection you naturally use more. Something barely understood by all the folks here who apparently live alone.
Does it make you happy you're so strange?
I'm saying that when you share an internet connection you naturally use more.
Allow me to make an analogy: Four tickets to an all-you-can-eat buffet cost more than one.
Being an unfortunate slob who lives in an area serviced by Comcast's fantastic stated speed of 16M/2M (they won't upgrade this area as they don't consider it "financially attractive enough", tied to it being an area that is about 25% poorer than surrounding counties (and having notably poorer health care, as the feds reimburse the area about 25% less for Medicare)), I'm tied to Comcast (DSL would give me 3M/768). I can say they have not even contacted some of their customers about signing their hosted domains. ;-./
Not seeing how this helps, unless Comcast has a way of increasing the cap by spending more money that I haven't found?
No cable as well, so mostly Netflix, Hulu Plus, and usenet. Add in both my roommate and I having about a game a month Steam habit as well as random arcade games and DLC on our 360s and that accounts for the majority of it.
We also work from home, so at least one of us is likely to be streaming either audio or video at pretty much any time between 9am and 1 am.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
why spend the money now and not have the game...just wait til you plan on downloading it
So you can get the sale prices.
Random Thoughts From A Diseased Mind (Not For Dummies)
unless Comcast has a way of increasing the cap by spending more money
Yes, and it's called Comcast Business Class. I've been told that you have to talk to a different division of the company to get it set up, so it might be confusing at first.