Comcast DNSSEC Goes Live
An anonymous reader writes "In a blog post, Comcast's Jason Livingood has announced that Comcast has signed all of its (5000+) domains in addition to having all of its customers using DNSSEC-validating resolvers. He adds, 'Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names.'"
There won't be much point to this if SOPA / PIPA passes, requires DNS redirects, and bans circumvention.
Yes, and for our next trick, we're going to disable end-users' ability to do their own DNS lookups to only our servers -or- selectively deny DNS lookups that have a destination outside the United States. You know... to stop people from getting around SOPA and other anti-piracy measures. YAY DNSSEC! /sarcasm.
#fuckbeta #iamslashdot #dicemustdie
Are you really getting anywhere near 250 GB of use per month? I know use tends to grow over time, but we use ours constantly and haven't hit over 80 GB or so in a month. And how much additional usage do you really think DNSSEC will generate for an end-user?
Given that Comcast has been more proactive about implementing DNSSEC than all the other major ISPs, I was very surprised to learn that they support SOPA, which will make it impossible for ISPs to implement DNSSEC. I assume that their stance is motivated by the fact that they own half of NBC, and I wonder how their engineering staff plans on handling this situation if the bill is passed.
I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
I guess I'm not sure how SOPA and DNSSEC overlap; could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume it hinders SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledgeable...
Well, let's try a car analogy. Before DNSSEC, anyone could put up a road sign, and you'd have no way of knowing whether it would send you the right way or not. There were a few publicized cases of cars going down the wrong road, a few pileups, but most people got to/from work everyday.
However, some very smart people were worried some other smart people could swap the road signs. So they added smaller digital tags on the back of the signs that had a special number encoded in them and the name of the municipality that placed the sign there. You need a special box to tell you what it says. Not many people were keen on spending the money to implement this, since the only people that could read the special codes were police, firefighters, and some guys riding around in black SUVs. For the majority of drivers, nothing changed.
Separately, these municipalities were threatened with lawsuits by very large companies and the government if they allowed signs to stay up on roads they didn't like, or went to places they didn't like... So they've been busy tearing down signage all over the place to appease these well-moneyed interests. Sometimes the signs being taken down have the little tags, but most of the time they don't. Drivers that are familiar with the area won't have a problem because they know the address and route already, but younger and inexperienced drivers might not, and for them, these new laws could keep them from getting to those places.
What do you download that exceeds 700+GB? That's 25GB/day, which seems like an awful lot of data.
My household watches several hours of Netflix a day (we have no cable TV and watch Netflix streaming TV shows & movies), and as far as I know, we've never hit our Comcast cap.
Probably high definition Japanese porn, which is ironic since it's blurred out anyway.
-Xoltri
Ever hear of high definition porn? Silly, I know, but porn sites are typically the leaders when it comes to streaming content quality. You can practically count the ingrown hairs from a pornstar's Brazilian wax.
I have a dozen domains on my own server. If I would like to use DNSSEC, is there a good practical how-to guide on what I would have to do to my bind configuration?
And would I need to buy a certificate? Currently I just use my own CA and certificates for encryption of my mail traffic and a few private web pages. I really don't want to give money to some anonymous foreign company so that they can "certify" who I am. After all, I should know who I am better than they would.
If you bought any ridiculously cheap games from Valve's Steam service over the holidays you could hit that without even spending $20.
Hey, I grew up in the day of ASCII porn that was printed out on 132-column green-bar paper. I'd probably be appalled at what I could see in high def video porn. And based on your comment, it does sound appalling.
Has anybody suggested asking the current political candidates their views on SOPA? If you live in the US, and your Congressperson is listed as a Co-sponsor of the bill, or listed as an opponent of the bill, have you contacted them to voice your opinion? Votes are all that matters to politicians. A few hundred calls/emails to their office telling them that this is a flawed bill, and it WILL result in your vote going to their opponent can quickly change their minds on what matters to them.
http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR03261:@@@P
That's the current list of SOPA co-sponsors.
In the case of registries outside of US jurisdiction, SOPA requires all ISPs within the US to filter domain name requests for allegedly infringing sites, when ordered by the US Attorney General.
Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.
DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.
Troll rating: 8/10. It was a good, subtle effort. You get people off topic, since data caps are highly contentious and Comcast is unpopular, so that will gather several responses, and extra points for getting the first post so that no one with an on-topic post can precede you. In addition to that, you picked a topic that might otherwise have led somewhere productive, because of the tie-in between DNSSEC and SOPA (which is an important, relevant, and time-sensitive topic at this point). You may wish to apply for remuneration with pro-SOPA entities if you have not done so already, as they are known to pay compensation for such efforts.
"If"
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
The relationship is the other way around. SOPA is a law which forces ISPs and registrars within its jurisdiction to block certain DNS requests. DNSSEC is a means of signing both individual domain records and chains of domains so that you know that the domain data and/or NXDOMAIN (No Such Domain) response to your request is authentic, provided you can trust the operators of the higher-level domains up to the DNS root, or another anchor point for which you can check the key.
Assuming that TPB has a domain outside SOPA's jurisdiction, and you either have an anchor for that TLD or trust the root domain, this means that while your ISP can still refuse to give you the address for TPB's domain (with either no response or a server error), it can't supply the wrong address or claim that the domain doesn't exist, since you would immediately know that it's lying.
The operator of TPB would have to be stupid not to enable DNSSEC, if it's available for that TLD, since it serves to prevent visitors from being silently redirected to some other site. Using DNSSEC doesn't give ISPs an additional way of blocking your site; on the contrary, it makes it much more obvious when they attempt to do so.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
It's not about disabling DNSSEC. DNSSEC allows a resolver (your machine) to verify that the DNS answers it gets (from a cache, an ISP server, or wherever) are authentic records from the DNS hierarchy. Without DNSSEC you just accept whatever you're told on trust. Your ISP, or some script kiddie in Poland, can fuck with the answers and your first clue will be when TPB is just a blank page saying piracy is illegal or call Czeslaw for a good time.
The point is that DNSSEC will still tell the truth even when the government requires your ISP to lie to you. If you ask "Where is TPB?" under DNSSEC the only possible answers are "Here is the true authentic address for TPB" or "Error, someone is fucking with your DNS resolution". The US government would love the answer to be "Here is a US government web site reminding you that you are the property of Corporate America and subject to its whims" but DNSSEC rules that out. For US registries (like com) the US government can just go tell the registry operator to do what it says or go to jail. But to change the answers to the questions in non-US registries the most obvious option US government has is to put a bunch of men with guns on a helicopter, fly into another country and go break down the doors of the relevant DNS registry and insist they change the authentic records so that DNSSEC checks out OK.
Now I'm sure in the heads of the average 60-something senator voting for these measures that sounds proportionate. It's terrorists, or something, right? We're fighting a war here - the blood of patriots must flow and so on. But when you explain to a Navy SEAL that he's to go risk his neck so some fucker in a Hollywood corner office can afford to buy an extra yacht, that's going to stick.
Nobody is going to give that order. So if you have DNSSEC, the results of SOPA will be that you see errors every time you hit a page the government is censoring. Consider it your daily reminder that the US government works for the guy with the deepest pockets.
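The two posts above describe the only outcomes a validating setup can report: an authentic answer, an authenticated NXDOMAIN, or an error, never a silently substituted address. The following is an added example, not code from any poster in this thread: it classifies the header of a `dig +dnssec` response by its status and AD (authenticated data) flag; the sample responses are constructed and the ids are made up.

```shell
# Classify a dig(1) response the way a validating setup reports it.
# Added example for this thread, not from any poster. Outcomes: an answer
# with the AD flag (secure), NXDOMAIN with AD (authenticated denial),
# SERVFAIL (validation failed, or the resolver refused to answer), or an
# answer without AD (unsigned zone, or a resolver that does not validate).
# A wrong address with AD set is not possible unless the resolver itself
# is compromised or the path between you and it is tampered with.
dnssec_status() {
  out=$1
  status=$(printf '%s\n' "$out" | sed -n '/HEADER/s/.*status: \([A-Z]*\),.*/\1/p')
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
  case "$status" in
    SERVFAIL) echo bogus-or-refused ;;
    NOERROR|NXDOMAIN)
      case " $flags " in
        *" ad "*) if [ "$status" = NOERROR ]; then echo secure; else echo secure-nxdomain; fi ;;
        *)        if [ "$status" = NOERROR ]; then echo insecure; else echo insecure-nxdomain; fi ;;
      esac ;;
    *) echo "unexpected:$status" ;;
  esac
}

# Constructed sample headers in the shape dig prints (ids are made up).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DENIAL=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live use (needs network and dig): dnssec_status "$(dig +dnssec example.com A)"
for s in "$SAMPLE_SECURE" "$SAMPLE_DENIAL" "$SAMPLE_BOGUS" "$SAMPLE_PLAIN"; do
  dnssec_status "$s"
done
```

The AD flag is the resolver's assertion that it validated, so it is only as trustworthy as the resolver and the path to it; to validate locally, run a validating resolver on the host itself.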
Not quite: data caps are there so that ISPs don't have to have the bandwidth that they promise in their ads. There's something really wrong when a company can advertise something and then modify it to be something completely different via fine print that might not even be legible in the ad.
No no, it's great.
Is there really a tie-in mechanism with DNSSEC?
It is widely understood that SOPA will break DNSSEC, because it requires intermediaries to modify DNS responses, which looks to DNSSEC like a man in the middle attack (because it is one).
That doesn't seem like it breaks DNSSEC so much as DNSSEC exposes such attacks for what they are.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
Just wanted to say, the prudent thing to do here is to buy the games anyway. You can pause the download and it sits in your Steam library as a game you own and you can download it after the next month comes around and your cap is reset.
Random Thoughts From A Diseased Mind (Not For Dummies)
exposes such attacks for what they are.
It certainly does that, but it still breaks DNSSEC because it makes users expect DNSSEC failures under normal operation, which enables fraud because users will subsequently ignore future warnings. It further prevents client software developers from implementing countermeasures that would thwart a man in the middle attack since doing so would succeed just as well in bypassing the DNS blocking.
For example, client software might be designed so that if a DNSSEC failure occurs, the client first tries all configured DNS servers to try to get a valid response. If any of the servers is outside the country, the blocking fails. If not, the client software might then try to act as its own recursive DNS server. (Clients are normally not supposed to do this because it would put extra load on the authoritative DNS servers, but clients are normally not supposed to encounter DNSSEC failures, and doing it only in that rare circumstance would almost certainly not cause serious performance issues.) If the authoritative DNS server is outside the country (which it would be for a 'rogue site') then the blocking fails.
So either the law prohibits client software from being designed that way and the security benefits of DNSSEC are destroyed, or client software is designed to thwart a man in the middle attack and the law is a dead letter because the operators of intermediary DNS servers cannot prevent end users from receiving a true DNS response since an attempt to do so will only cause the client's DNSSEC implementation to detect and bypass the intermediary DNS server.
From what I've read, SOPA would indeed outlaw programs that circumvent its domain theft. It seems like SOPA is going to do nothing but destroy.
The best possible outcome to hope for is for the rest of the world to develop and use DNSSEC and other technologies, and leave the US behind its great firewall. I'd say that I'm glad that I live in Canada, but our ruling Conservatives are pure evil and do whatever the US Government tells them to (and I say this as a semi-conservative myself), so eventually Canada will be just as bad off.
Know of any countries where the politicians aren't bought by special interests and where the country values freedom? Maybe Switzerland. I wonder if they take in immigrants.