Stop posting press release posts.
Here is some non-Comcastic information - http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
Chris what is your non-biased take on Comcast forging TCP reset packets and terrible quality HD?
I also should mention that reading Wikipedia isn't the most reliable source, although that one is fairly good. I might suggest looking at the following if you don't care for Comcast's write up:
https://www.dnssec-deployment.org/
or the RFCs:
http://tools.ietf.org/html/rfc4033
http://tools.ietf.org/html/rfc4034
http://tools.ietf.org/html/rfc4035
Thanks
Chris
Comcast
Actually I have been working in the IETF to help provide better methods for P2P to work on ISP networks after the issues with the TCP reset packets a few years ago. I am sure you can look up some of the RFC items if you search for them.
If you have a problem with your HD quality, I suggest getting someone to come look at that. Given I am an Internet Engineer, I don't work on that side of the business.
Thanks
Chris
Comcast
Are you guys running any tests in Seattle at night? DNS lookups regularly fail after midnight and are generally really spotty from midnight on. It's not a connectivity issue because I can always ssh using an ip address even when my web browser can't load pages due to lookup failures.
No we are not running any tests and our DNS is up and responding. If you are having issues, I would suggest stopping by our customer forums at http://forums.comcast.net to get help.
Thanks
Chris
Comcast
Comcast must have a pretty active presence here- modded to oblivion because I engaged their rep in a public forum.
That is actually pretty funny. At least you have a sense of humor :-)
I've been using these months while they've been available for testing. The very nature of DNSSEC kills the 404 helper service, and provides an extra level of security. For anyone that wants to use them now without being migrated automatically someday, just use 75.75.75.75 and 75.75.76.76 for the DNS.
Absolutely correct, and hopefully people realize that we want to make your Internet service a better and safer experience.
Oh great. CCast sent shills already.
Actually I am one of the engineers that run the DNS at Comcast, but if you consider me a shill, so be it.
What does this mean for webmasters? Are all of us going to need DNSSEC keys on our websites or does this just apply to comcast's array of websites? I wasn't aware that DNS had any kind of security issue which would warrant a revamp. How will this affect the future of the web?
This has little to do with websites and more to do with the zones in the DNS for the websites. This adds an additional layer to protect the DNS from attacks. I suggest if you want more information, please read the following: http://www.dnssec.comcast.net/faq.htm
Thanks
Chris
Comcast
What happens if the site doesn't want to sign up for DNSSEC? Would Comcast block communications with those sites? Also it seems DNSSEC costs additional to the current cost for a site. (just putting that out there)
If a site chooses not to sign their domain, then the DNS will work just like it does now and will not be validated. As for hosting sites, some of them may choose to charge for securing domains. You should check with your provider for additional details.
Thanks
Chris
Comcast
Had no idea what it was either until I read this.
http://blogs.techrepublic.com.com/networking/?p=234
We have also put together an information site here: http://www.dnssec.comcast.net and an FAQ with additional details: http://www.dnssec.comcast.net/faq.htm.
Thanks
Chris
Comcast
My router is already set up to ignore Comcast's DHCP provided DNS, and use 8.8.8.8 and 8.8.4.4 anyway... Substitute your own favorite public DNS resolver (or install OpenWRT and use its djbdns if you prefer).
While you could do any of the following, Comcast DNS servers should provide a fast response and better localization than third party resolvers. We also will now have DNSSEC validation turned on to enable another level of security that none of the third party resolvers currently offer.
Hopefully you will give us a try and take a look at http://www.dnssec.comcast.net/faq.htm for details.
Thanks
Chris
Comcast
Domain helper.. is that the crap that automatically relocates you to some ad serving search website when you input an unrecognized dns in the web browser? That kind of crap is why I switched to 4.1.1.1
We will be disabling Domain Helper on our recursive resolvers and you will also get DNSSEC validation by using our Anycast resolvers. There is no redirection and you will also get the protections enabled by DNSSEC.
Thanks
Chris
Comcast
OpenDNS has the same flaws as Comcast's Domain Helper service (i.e. does not return NXDOMAIN), GoogleDNS has some issues I can't remember and for us has pretty significant latency.
Currently neither support DNSSEC validation and with us enabling DNSSEC on our recursive resolvers, we are disabling Domain Helper. Please check out http://www.dnssec.comcast.net/faq.htm for more details.
Thanks
Chris
Comcast
What this means is that COMCST is now going to tell their customers that you're only allowed to visit websites that have joined the system. They may be selling this as security, but make no mistake this is also a huge control system. I may have to cancel my service with them, when this happens. The simple fact is you may have some legitimate website who choose willfully NOT to partake in such a control scheme. I may need to visit such a site and COMCST is going to essentially tell me I can't visit that site. No thanks, I don't need a big brother. I'm an adult and I can take care of my own computers and I don't need COMCST protecting me. I don't give a crap what they say, I alone should have the right to decide where I can and can't go on the internet, unless of course you don't believe in freedom. Just give me the fully open internet service I pay for ya dern COMCST Commies!!! Quit interfering with my traffic.
-Anonymous Coward (yeah right like they can't track you down by your ip the way the RIAA is racketeering everybody)
You have clearly not read anything about DNSSEC and how this actually ensures you get the traffic you requested without anyone - including Comcast - interfering with your DNS requests. I highly recommend you read http://www.dnssec.comcast.net/faq.htm so you can understand why we are doing this and why the global Internet and DNS is moving to this standard.
Thanks
Chris
Comcast
For those of us on Comcast, what does this mean?
Whenever I am offered the opportunity to opt out of something by a company, I know it's probably a good idea to opt out.
Also, I've had very flaky internet service the past week or so, although I am not in this market (Minneapolis area). My equipment all seems to work fine, and of course there could be any number of causes, but this seems interesting.
DNSSEC security is an Internet standard and it means that we are enabling it for our domains and will validate others once it is rolled out globally. I suggest you read through http://www.dnssec.comcast.net/faq.htm which explains why we are rolling this out and what it means for our customers.
Thanks
Chris
Comcast
Interesting observation and sorry you have not had the best experience, but we have tens of millions of subscribers using our DNS. If you are experiencing issues with DNS, check out http://dns.comcast.net for some tools and other items. You may also want to look at your router/home gateway and see if it's doing DNS proxying. Check out RFC5625 for more information.
You noticed correctly. This will put an end to redirection as we deploy DNSSEC.
Thanks
Chris Griffiths
Comcast
Absolutely correct. We have offered opt-out DNS servers and even IPv6 resolvers for a while now. You now have another option with these Anycast DNS resolvers.
Thanks
Chris Griffiths
Comcast
The point is testing this on smaller TLDs. We have been working with .ORG and other TLDs to test DNSSEC for a while now. When the time comes for a signed root and .COM and .NET signed, we will be ready.
Thanks
Chris Griffiths
Comcast
You should read our FAQ on the DNSSEC trial, particularly this section:
http://www.dnssec.comcast.net/faq.htm#faq7
What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC?
We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.
The DNSSEC trial servers we are announcing today do not have Comcast Domain Helper's DNS redirect functionality enabled.
We plan to update our IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, to reflect this in the coming months.
Curious where you are testing this from. We verified and none of the servers behind our Anycast system are available off-net.
Thanks
Chris Griffiths
Comcast
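Two points argued in this thread can be checked from the DNS response header alone: whether a resolver returns NXDOMAIN for a name that does not exist or rewrites it into an answer (the Domain Helper behaviour), and whether it marks a reply as DNSSEC-validated. The following is an added example, not code from any poster or from Comcast; the header flag values and the test name are constructed, and the category labels are this example's own.

```python
import struct

RCODE_SERVFAIL, RCODE_NXDOMAIN = 2, 3
AD_BIT = 0x0020   # Authenticated Data: resolver validated the reply (RFC 4035)
DO_BIT = 0x8000   # DNSSEC OK: client asks for DNSSEC records (RFC 3225)

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234):
    """A-record query with RD set and an EDNS0 OPT record carrying DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN
    # OPT RR: root owner, type 41, UDP size 4096, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt

def classify(response, name_should_exist):
    """Classify a resolver reply from its 12-byte header."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode, ad = flags & 0x000F, bool(flags & AD_BIT)
    if rcode == RCODE_SERVFAIL:
        return "servfail"            # validation failure or upstream error
    if not name_should_exist:
        if rcode == RCODE_NXDOMAIN:
            return "honest-nxdomain"
        if rcode == 0 and ancount > 0:
            return "redirected"      # NXDOMAIN rewritten into an answer
    # AD is only meaningful if the path to the resolver itself is trusted.
    return "validated" if rcode == 0 and ad else "unvalidated"

def sample_header(flags, ancount):
    """Constructed 12-byte response header for the demo (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    bogus = "no-such-name-7f3a.example"   # constructed, should not exist
    print(len(build_query(bogus)), "byte query for", bogus)
    print(classify(sample_header(0x8183, 0), False))  # QR RD RA, rcode 3
    print(classify(sample_header(0x8180, 1), False))  # NOERROR with an answer
    print(classify(sample_header(0x81A0, 1), True))   # NOERROR with AD set
```

To test a live resolver, send the bytes from `build_query` over UDP port 53 and pass the reply to `classify`.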