Slashdot Mirror


Comcast DNSSEC Goes Live

An anonymous reader writes "In a blog post, Comcast's Jason Livingood has announced that Comcast has signed all of its (5000+) domains in addition to having all of its customers using DNSSEC-validating resolvers. He adds, 'Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names.'"

8 of 165 comments

  1. Just in time by Anonymous Coward · · Score: 5, Insightful

    There won't be much point to this if SOPA / PIPA passes, requires DNS redirects, and bans circumvention.

  2. Re:SOPA and DNSSEC? by girlintraining · · Score: 5, Informative

    I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledgeable...

    Well, let's try a car analogy. Before DNSSEC, anyone could put up a road sign, and you'd have no way of knowing whether it would send you the right way or not. There were a few publicized cases of cars going down the wrong road, a few pileups, but most people got to/from work everyday.

    However, some very smart people were worried some other smart people could swap the road signs. So they added smaller digital tags on the back of the signs that had a special number encoded in it and the name of the municipality that placed the sign there. You need a special box to tell you what it says. Not many people were keen on spending the money to implement this, since the only people that could read the special codes were police, firefighters, and some guys riding around in black SUVs. For the majority of drivers, nothing changed.

    Separately, these municipalities were threatened with lawsuits by very large companies and the government if they allowed signs to stay up on roads they didn't like, or went to places they didn't like... So they've been busy tearing down signage all over the place to appease these well-monied interests. Sometimes the signs being taken down have the little tags, but most of the time they don't. Drivers that are familiar with the area won't have a problem because they know the address and route already, but younger, and inexperienced drivers might not, and for them, these new laws could keep them from getting to those places.

    --
    #fuckbeta #iamslashdot #dicemustdie
  3. Re:Just in time! by TheBrez · · Score: 5, Interesting

    Simple. The technical people at Comcast are highly skilled intelligent people. They aren't senior level techs at one of the largest ISPs in the world by being idiots. The legal department on the other hand is staffed by money-sucking weasels (like all legal departments are) who are supporting stupidity in legislation without bothering to talk to their highly skilled technical people about whether this braindead legislation is even technically POSSIBLE to implement. The technical people no doubt KNOW that SOPA is impossible with DNSSEC. Hence they're encouraging everyone to move to DNSSEC as quickly as possible, so in the event that Congress screws up and passes this abortion of a bill at the behest of the large content providers and intellectual property bandits, they'll find out that it doesn't work on large portions of the Internet, thus pissing off their constituents even more, and causing a large shift in political goodwill towards their opponents.

    Has anybody suggested asking the current political candidates their views on SOPA? If you live in the US, and your Congressperson is listed as a Co-sponsor of the bill, or listed as an opponent of the bill, have you contacted them to voice your opinion? Votes are all that matters to politicians. A few hundred calls/emails to their office telling them that this is a flawed bill, and it WILL result in your vote going to their opponent can quickly change their minds on what matters to them.

    http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR03261:@@@P
    That's the current list of SOPA co-sponsors.

  4. Re:And how can I use it on my BIND server? by icebraining · · Score: 5, Informative
  5. Re:How about going back to flat-rate data? by Anthony+Mouse · · Score: 5, Insightful

    Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.

    DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.

    Troll rating: 8/10. It was a good, subtle effort. You get people off topic, since data caps are highly contentious and Comcast is unpopular so that will gather several responses, and extra points for getting the first post so that no one with an on-topic post can precede you. In addition to that, you picked a topic that might otherwise have led somewhere productive, because of the tie in between DNSSEC and SOPA (which is an important, relevant, and time-sensitive topic at this point). You may wish to apply for remuneration with pro-SOPA entities if you have not done so already, as they are known to pay compensation for such efforts.

  6. Re:And how can I use it on my BIND server? by nullchar · · Score: 5, Informative

    You can fairly easily sign your zones using Bind: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch04.html#DNSSEC

    This takes a few steps:
      * Generate keys - a zone-signing key (ZSK) and a key-signing-key (KSK) - usually a pair of keys for each zone
      * Sign your zones - well, the records inside them
      * Now use your zone.signed file as the zonefile that Bind serves up

    Next, once you query your server and everything looks good, you need to ship either the DNSKEY record or DS (digest of the key) to your registrar *. They will ship that to the registry, which signs either your key or digest. Most gTLDs (.com/.org) require only DS records, while ccTLDs (.de/.eu) require DNSKEY records.

    Then, as long as you're using a DNSSEC aware resolver, you can test the hierarchy of the signed zone:

    dig @149.20.64.21 comcast.com any +dnssec

    Look for the "ad" bit set in the Flags section. If you just want to see the keys in this example, simply limit dig to that RR type:

    dig @149.20.64.21 comcast.com dnskey +multiline +dnssec

    DNSKEY 257 is the key-signing-key, which was sent to the registry, while DNSKEY 256 is the zone-signing key. Dig +trace to see the DS records at the .com registry - they host two different digests for the same key tag/id (35356):

    dig comcast.com dnskey +multiline +dnssec +trace

    You'll often notice zones with multiple keys - you must support more than one key at a time to enable key rotation. E.g. You, as an authoritative server operator, may wish to rotate your zone-signing key fairly often, while you may wish to rotate the key-signing-key once per year. Each registry decides the expiration of the key or digest they are storing.

    * = Not all registrars support DNSSEC; once you sign your domain you cannot transfer the domain to a non-DNSSEC enabled registrar. Either you have to un-sign it or transfer it somewhere else.

    There is no certificate authority involved, as the DNS hierarchy contains the signature chain, from the root servers, to each TLD, to each domain. One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required! A browser can use the DNSSEC validated response to match the public key (or more likely, fingerprint) to the web server it is connecting with. You can already use DNS to publish SSH key fingerprints, now you can sign that record for even more trust.
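    The manual checks nullchar describes above (look for the "ad" flag, read the 256/257 flags field of each DNSKEY to tell ZSK from KSK, note the key tag that went to the registry) can be scripted against saved dig output. The following is an added example, not nullchar's code and not part of BIND; it runs on two constructed captures shaped like `dig ... dnskey +multiline +dnssec` output. The key tag 35356 is the one mentioned in the comment; the base64 key material, the RRSIG, the id values and the second key tag (12345) are placeholders, not real comcast.com data.

```python
import re
from dataclasses import dataclass

# Constructed sample: what a DNSSEC-validating resolver returns for a signed
# zone. Key material and the ZSK tag 12345 are placeholders (assumption),
# only the KSK tag 35356 is taken from the comment above.
SAMPLE_VALIDATED = """\
; <<>> DiG 9.8.1 <<>> @149.20.64.21 comcast.com dnskey +multiline +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
comcast.com.            3600 IN DNSKEY 257 3 7 (
                                AwEAAcONSTRUCTEDkeyMaterialForTheKSK==
                                ) ; key id = 35356
comcast.com.            3600 IN DNSKEY 256 3 7 (
                                AwEAAcONSTRUCTEDkeyMaterialForTheZSK==
                                ) ; key id = 12345
comcast.com.            3600 IN RRSIG DNSKEY 7 2 3600 20120201000000 (
                                20120101000000 35356 comcast.com.
                                CONSTRUCTEDsignatureBytes== )
"""

# Constructed sample: a validating resolver that could not validate the
# answer returns SERVFAIL and no data rather than an unsigned lie.
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# owner ttl IN DNSKEY flags protocol algorithm ( base64... ) ; key id = N
DNSKEY_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\(.*?\)\s*;\s*key id = (\d+)",
    re.M | re.S,
)

@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    key_tag: int

    @property
    def role(self) -> str:
        # RFC 4034 flags: bit 7 (0x0100) = Zone Key, bit 15 (0x0001) = SEP.
        # 257 = zone key + SEP, the key-signing key whose DS goes to the
        # registry; 256 = zone key without SEP, the zone-signing key.
        if not self.flags & 0x0100:
            return "not a zone key"
        return "KSK" if self.flags & 0x0001 else "ZSK"

@dataclass
class DigResult:
    status: str
    flags: set
    keys: list

def parse_dig(text: str) -> DigResult:
    """Pull status, header flags and DNSKEY records out of dig output."""
    status_m = re.search(r"status: (\w+)", text)
    status = status_m.group(1) if status_m else "UNKNOWN"
    flags_m = re.search(r"^;; flags:([^;]*);", text, re.M)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    keys = [DnsKey(o, int(f), int(p), int(a), int(t))
            for o, f, p, a, t in DNSKEY_RE.findall(text)]
    return DigResult(status, flags, keys)

def validation_state(result: DigResult) -> str:
    """Classify the answer the way a DNSSEC-aware client would read it.

    'secure'      - resolver validated the chain and set the ad bit
    'bogus'       - SERVFAIL with no data: validation failed (or the server
                    is simply broken; dig with +cd to tell the two apart)
    'unvalidated' - data came back without ad: unsigned zone, or a resolver
                    that does not validate, so nothing can be concluded
    """
    if result.status == "SERVFAIL" and not result.keys:
        return "bogus"
    if "ad" in result.flags:
        return "secure"
    return "unvalidated"

def key_tags_by_role(result: DigResult) -> dict:
    """Map role -> key tags, e.g. {'KSK': [35356], 'ZSK': [12345]}."""
    out = {}
    for k in result.keys:
        out.setdefault(k.role, []).append(k.key_tag)
    return out

if __name__ == "__main__":
    for label, capture in (("validated", SAMPLE_VALIDATED), ("bogus", SAMPLE_BOGUS)):
        r = parse_dig(capture)
        print(label, validation_state(r), key_tags_by_role(r))
```

    Two caveats when using this against live output: the ad bit is only trustworthy if the resolver you queried actually validates and the path between you and it is not itself tampered with (the recursive resolver, not your stub, is doing the checking here); and SERVFAIL alone does not prove a validation failure, so re-running the query with +cd (checking disabled) is the usual way to confirm that the data exists but fails to validate.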

  7. Re:SOPA and DNSSEC? by Anonymous Coward · · Score: 5, Informative

    It's not about disabling DNSSEC. DNSSEC allows a resolver (your machine) to verify that the DNS answers it gets (from a cache, an ISP server, or wherever) are authentic records from the DNS hierarchy. Without DNSSEC you just accept whatever you're told on trust. Your ISP, or some script kiddie in Poland, can fuck with the answers and your first clue will be when TPB is just a blank page saying piracy is illegal or call Czeslaw for a good time.

    The point is that DNSSEC will still tell the truth even when the government requires your ISP to lie to you. If you ask "Where is TPB?" under DNSSEC the only possible answers are "Here is the true authentic address for TPB" or "Error, someone is fucking with your DNS resolution". The US government would love the answer to be "Here is a US government web site reminding you that you are the property of Corporate America and subject to its whims" but DNSSEC rules that out. For US registries (like com) the US government can just go tell the registry operator to do what it says or go to jail. But to change the answers to the questions in non-US registries the most obvious option US government has is to put a bunch of men with guns on a helicopter, fly into another country and go break down the doors of the relevant DNS registry and insist they change the authentic records so that DNSSEC checks out OK.

    Now I'm sure in the heads of the average 60-something senator voting for these measures that sounds proportionate. It's terrorists, or something, right? We're fighting a war here - the blood of patriots must flow and so on. But when you explain to a Navy seal that he's to go risk his neck so some fucker in a Hollywood corner office can afford to buy an extra yacht, that's going to stick.

    Nobody is going to give that order. So if you have DNSSEC, the results of SOPA will be that you see errors every time you hit a page the government is censoring. Consider it your daily reminder that the US government works for the guy with the deepest pockets.

  8. Re:How about going back to flat-rate data? by Anthony+Mouse · · Score: 5, Insightful

    Is there really a tie in mechanism with DNSSEC?

    It is widely understood that SOPA will break DNSSEC, because it requires intermediaries to modify DNS responses, which looks to DNSSEC like a man in the middle attack (because it is one).