
Comcast DNSSEC Goes Live

Soulskill posted more than 2 years ago | from the ahead-of-expectations dept.

Networking 165

An anonymous reader writes "In a blog post, Comcast's Jason Livingood has announced that Comcast has signed all of its (5000+) domains in addition to having all of its customers using DNSSEC-validating resolvers. He adds, 'Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names.'"


165 comments

How about going back to flat-rate data? (0, Offtopic)

sethstorm (512897) | more than 2 years ago | (#38657344)

Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.

DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.

Re:How about going back to flat-rate data? (2, Insightful)

DanTheStone (1212500) | more than 2 years ago | (#38657406)

Are you really getting anywhere near 250 GB of use per month? I know use tends to grow over time, but we use ours constantly and haven't hit over 80 GB or so in a month. And how much additional usage do you really think DNSSEC will generate for an end-user?

Re:How about going back to flat-rate data? (2, Insightful)

wolrahnaes (632574) | more than 2 years ago | (#38657510)

I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.

Re:How about going back to flat-rate data? (0, Troll)

Anonymous Coward | more than 2 years ago | (#38657566)

Quit pirating 1/2 the content of Hollywood and you'll come under the cap.

Re:How about going back to flat-rate data? (3, Informative)

Dan667 (564390) | more than 2 years ago | (#38657748)

If you bought any ridiculously cheap games from Valve's Steam service over the holidays you could hit that without even spending $20.

Re:How about going back to flat-rate data? (-1)

NoisySplatter (847631) | more than 2 years ago | (#38657856)

I'd like to see your logic behind this? Only $30 for 250GB worth of games doesn't seem very likely.

Re:How about going back to flat-rate data? (1)

letherial (1302031) | more than 2 years ago | (#38658302)

He can't dream? Well then again, with some games... a 250GB game may turn out to be the dumbest, longest game ever... EA presents 'a waste of space'.

Re:How about going back to flat-rate data? (1, Informative)

blackraven14250 (902843) | more than 2 years ago | (#38658790)

It's an exaggeration, but there were massive sales that meant you could fairly easily hit 250GB if you bought a few of the games that were discounted 50%+

Re:How about going back to flat-rate data? (1)

Nemyst (1383049) | more than 2 years ago | (#38659242)

I know my (generally restrictive, but big in Canada) 120GB cap forced me to stop buying games on Steam as I'm nearly through the cap and I still have a week to go. LA Noire just wouldn't have fit in what I had left.

Re:How about going back to flat-rate data? (2)

Ihmhi (1206036) | more than 2 years ago | (#38660324)

Just wanted to say, the prudent thing to do here is to buy the games anyway. You can pause the download and it sits in your Steam library as a game you own and you can download it after the next month comes around and your cap is reset.

Re:How about going back to flat-rate data? (0)

Anonymous Coward | more than 2 years ago | (#38658342)

How is this informative? It's blatantly wrong!

Re:How about going back to flat-rate data? (1)

Anonymous Coward | more than 2 years ago | (#38657770)

That's always helpful. Accuse those that use more bandwidth than you of pirating because there is no conceivably legitimate way someone could use that in a month. That's always helpful.

Re:How about going back to flat-rate data? (1)

hedwards (940851) | more than 2 years ago | (#38658484)

Except that caps are typically up and down. Personally, I've used nearly 300GB in a single month just on CrashPlan.

Re:How about going back to flat-rate data? (3, Informative)

hawguy (1600213) | more than 2 years ago | (#38657638)

I know I'm a heavy user, but 700+GB a month is not unusual for me and many months I've exceeded 1TB. 250GB is a good cap for an entry-level plan, but it's hilariously low when DOCSIS 3 speeds are in play.

What do you download that exceeds 700+GB? That's 25GB/day, which seems like an awful lot of data.

My household watches several hours of Netflix a day (we have no cable TV and watch Netflix streaming TV shows & movies), and as far as I know, we've never hit our Comcast cap.

Re:How about going back to flat-rate data? (4, Funny)

Xoltri (1052470) | more than 2 years ago | (#38657704)

Probably high definition Japanese porn, which is ironic since it's blurred out anyway.

Re:How about going back to flat-rate data? (2)

Dyinobal (1427207) | more than 2 years ago | (#38657724)

Ever hear of high definition porn? Silly, I know, but porn sites are typically the leaders when it comes to streaming content quality. You can practically count the ingrown hairs from a pornstar's Brazilian wax.

Re:How about going back to flat-rate data? (3, Funny)

hawguy (1600213) | more than 2 years ago | (#38657794)

Ever hear of high definition porn? Silly, I know, but porn sites are typically the leaders when it comes to streaming content quality. You can practically count the ingrown hairs from a pornstar's Brazilian wax.

Hey, I grew up in the day of ASCII porn that was printed out on 132 column green-bar paper - I'd probably be appalled at what I could see in High Def video porn. And based on your comment, it does sound appalling.

Re:How about going back to flat-rate data? (0)

Anonymous Coward | more than 2 years ago | (#38659426)

So that "blurring" is like replacing certain HD bits with those ASCII graphics.
Wouldn't that defeat the purpose of porn video? Guess someone wants to revive porn radio. (Did that ever exist?)

Re:How about going back to flat-rate data? (0)

Anonymous Coward | more than 2 years ago | (#38660492)

Yep, it was called pay-per-view/Skinemax back in the '90s.

You could even pay extra to get the Video!

(seriously, you could just go to the porn channels and listen to the un-obscured audio, even though the video was scrambled.)

Re:How about going back to flat-rate data? (1)

CAIMLAS (41445) | more than 2 years ago | (#38660290)

Meh, 250GB is still a lot for a month.

Consider that a decent self-ripped DVD is only around 2GB, and a good Blu-ray around 8GB. That's around 2 hours of high definition video streaming per day, for a month, with a 250GB allocation.

These days, games are the big consumers of bandwidth, I'd imagine. Spend $30 on cheap games on Steam and you can eat through that 250GB pretty quickly.

Re:How about going back to flat-rate data? (1)

Anonymous Coward | more than 2 years ago | (#38658548)

2.2 GB per hour (assuming HD + 5.1 audio) x 4 hours per day x 30 days per cycle = 264 GB for Netflix alone.

Re:How about going back to flat-rate data? (1)

Zakabog (603757) | more than 2 years ago | (#38658024)

250GB / month is a constant speed of a little under 100KB/sec. I use more bandwidth than that just running a VPN to a few computers in the office. While I may be far from the average user, I'm sure there's a Comcast user out there with a legitimate reason to use over 250GB / month.

Re:How about going back to flat-rate data? (1)

stickyboot (845510) | more than 2 years ago | (#38658388)

You apparently do not understand the purpose of the internet. Data caps are purely a profit mechanism. The fundamental purpose of the internet is to send data cheaply to any other point on the network. Implementing arbitrary data caps cripples its ability to do that.

Re:How about going back to flat-rate data? (3, Insightful)

hedwards (940851) | more than 2 years ago | (#38658500)

Not quite, data caps are there so that ISPs don't have to have the bandwidth that they promise in their ads. There's something really wrong when a company can advertise something and then modify it to be something completely different via fine print that might not even be legible in the ad.

Re:How about going back to flat-rate data? (0)

Anonymous Coward | more than 2 years ago | (#38658858)

No, there isn't something wrong. You are upset because you aren't getting what you want for the price you want. Part of the problem is that many people simply cannot understand what the exact definition of the service means. Figuring out that a 20Mbps service is much faster than a 56k modem is already pushing many people's technical understanding; this is why they advertise with phrases like "Watch movies instantly".

Re:How about going back to flat-rate data? (1)

scubamage (727538) | more than 2 years ago | (#38659134)

No, the fundamental purpose of the internet is to distribute information to any point of the world, and, outside of where the bomb dropped, to keep the system working in the event of a nuclear war. At its outset, cheap was no part of the equation; it's just so commoditized and ubiquitous now that there is an expectation.

Re:How about going back to flat-rate data? (1)

Socialism is win! (1982128) | more than 2 years ago | (#38659558)

Once the revolution has been prosecuted, The People's Revolutionary Council on Data Networking will ensure that all data caps are applied equally.

Re:How about going back to flat-rate data? (1)

scdeimos (632778) | more than 2 years ago | (#38659328)

I used over 12.5GB in a few hours just watching some of TotalHalibut's "WTF is...[Game]" videos on YouTube. I'm sure 250 GB in a month would be a cinch.

Re:How about going back to flat-rate data? (5, Insightful)

Anthony Mouse (1927662) | more than 2 years ago | (#38657844)

Nice, one can get to their absurd caps that much faster. Get rid of the caps and perhaps there might be something worth talking about.

DNSSEC is fine by itself, but it is only a distraction as implemented by Comcast.

Troll rating: 8/10. It was a good, subtle effort. You get people off topic, since data caps are highly contentious and Comcast is unpopular so that will gather several responses, and extra points for getting the first post so that no one with an on-topic post can precede you. In addition to that, you picked a topic that might otherwise have led somewhere productive, because of the tie in between DNSSEC and SOPA (which is an important, relevant, and time-sensitive topic at this point). You may wish to apply for remuneration with pro-SOPA entities if you have not done so already, as they are known to pay compensation for such efforts.

Re:How about going back to flat-rate data? (1)

Billly Gates (198444) | more than 2 years ago | (#38658612)

Is there really a tie-in mechanism with DNSSEC?

Not to sound cynical, but DNS poisoning is a very real problem that I am surprised hackers have not succeeded in doing yet. For the record I hate Comcast and I am in no way defending them. When I used to play WoW the users who always lagged or were DCed were Comcast customers. Reliability is a joke. ... Back to the topic: DNSSEC is just encrypted DNS lookups to prevent man in the middle attacks and is used in many institutions such as banks and militaries. Hairfeet, who is a top poster on /., uses Comodo Dragon as his browser simply because it uses DNSSEC to its own secure DNS servers that filter out malware domains.

I use OpenDNS as it is simple and easy to use on my computer and filters bad domains. However, it is still vulnerable to man in the middle attacks because it is not encrypted. I would prefer DNSSEC if I could actually do it.

Re:How about going back to flat-rate data? (5, Insightful)

Anthony Mouse (1927662) | more than 2 years ago | (#38659186)

Is there really a tie-in mechanism with DNSSEC?

It is widely understood that SOPA will break DNSSEC, because it requires intermediaries to modify DNS responses, which looks to DNSSEC like a man in the middle attack (because it is one).

Re:How about going back to flat-rate data? (2)

MechaStreisand (585905) | more than 2 years ago | (#38660156)

That doesn't seem like it breaks DNSSEC so much as DNSSEC exposes such attacks for what they are.

Just in time (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38657348)

There won't be much point to this if SOPA / PIPA passes, requires DNS redirects, and bans circumvention.

Re:Just in time (3, Informative)

girlintraining (1395911) | more than 2 years ago | (#38657594)

Only DNS that is signed by your government overlords will be allowed. All other DNS will be shot, banninated from the internets, and subject to prosecution.

There. DNSSEC has a point now with SOPA. :)

Re:Just in time (1)

Billly Gates (198444) | more than 2 years ago | (#38658632)

If I recall, DNSSEC is simply encrypted DNS lookups to prevent man in the middle attacks. It is not a COA or anything like that. Militaries from around the world use it and it is not a tracking mechanism any more than regular DNS.

If OpenDNS had DNSSEC for free I would be ecstatic, as I use OpenDNS on my computers at home to prevent known bad malware domains and recommend all Slashdotters use it.

The extra security would be good as the government can look up NOA records with standard DNS anyway.

Re:Just in time (4, Informative)

ImprovOmega (744717) | more than 2 years ago | (#38658716)

Signed, not encrypted. It's designed to protect data integrity, not confidentiality. It stops spoofing attacks basically, so that a rogue group can't redirect traffic intended for bofa.com, for example, to their own servers to do whatever evil with.

OpenDNS DNSCrypt (1)

Anonymous Coward | more than 2 years ago | (#38658940)

If you're so gung ho about OpenDNS you might like their DNSCrypt. It basically tunnels DNS through an encrypted tunnel direct to OpenDNS. It's not DNSSEC. But if you trust OpenDNS to not be evil or pwned it might be better since it would immediately apply to all sites, not just the few that currently implement DNSSEC.

Re:Just in time (1)

Reelin (2447528) | more than 2 years ago | (#38658708)

So here's what's confusing to me, isn't Comcast in support of SOPA/PIPA? And isn't implementing DNSSEC under that plan one of the major issues with it? So wtf is going on here? It's like they're saying one thing and doing another.....

DNSSEC (4, Insightful)

girlintraining (1395911) | more than 2 years ago | (#38657374)

Yes, and for our next trick, we're going to disable end-users' ability to do their own DNS lookups to only our servers -or- selectively deny DNS lookups that have a destination outside the United States. You know... to stop people from getting around SOPA and other anti-piracy measures. YAY DNSSEC! /sarcasm.

Re:DNSSEC (1)

StikyPad (445176) | more than 2 years ago | (#38657574)

SOPA breaks DNSSEC -- that's one of its main problems from a technological perspective. And there's no way to prevent someone from using another DNS server, or just a hosts file.

Re:DNSSEC (2)

girlintraining (1395911) | more than 2 years ago | (#38657698)

SOPA breaks DNSSEC -- that's one of its main problems from a technological perspective.

I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."

DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

If anything, DNSSEC makes SOPA more powerful because I can't just set up a rogue DNS server, change it to authoritative for that domain, and have it serve the IP address of that server out to its clients.

Re:DNSSEC (3, Insightful)

Anthony Mouse (1927662) | more than 2 years ago | (#38657958)

I hear this argument all the time. "Now we've got Criminal X! .. Oh wait, he's encrypted his drive with 1024 bit military grade encryption! It'll cost BILLIONS to crack the key! We're hosed." ... More likely it's "Huh. Drive's encrypted. Joey, get the hose."

1) That is not even close to the same argument as the one being made.
2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.

DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

Removing the domain would break DNSSEC, since the removal would not be signed and the signing entity may not be subject to US jurisdiction (or may refuse on first amendment grounds etc.)

More than that, the user can trivially work around the removal of the DNS entry merely by using a DNS server in another country. Effectively preventing the user from communicating with servers in other countries would severely break the internet, which is part of the problem that people are concerned about.

Re:DNSSEC (3, Insightful)

girlintraining (1395911) | more than 2 years ago | (#38658636)

2) "Getting the hose" is unconstitutional. It may be that law enforcement does not see fit to follow the constitution, but in that case they have no need for the hose: They can just lock you up on false charges without ever reading the disk.

No, haven't you heard? They're making legislation now to just have an ex-parte hearing and declare your citizenship void because you are "hostile" to the United States. Constitutional rights are only for US citizens, don'tchaknow.

Re:DNSSEC (1)

mrchaotica (681592) | more than 2 years ago | (#38659656)

Constitutional rights are only for US citizens, don'tchaknow.

Except they're not... not that the Powers That Be would care.

Re:DNSSEC (1)

Wrath0fb0b (302444) | more than 2 years ago | (#38658018)

DNSSEC is no proof against the men with shotguns and a court order saying "You will remove this domain from your server... or else."

Nor was it ever intended to be -- those sites (i.e. the ones within range of the Marshals) are already easy enough to deal with lawfully. The issue was when some guy in Kerbleckistan runs a server that you've got a court order against, you can't do much unless you've got the power to order DNS servers not to give out his IP or black him out of the BGs (with Marshals to back it up).

Re:DNSSEC (0)

Anonymous Coward | more than 2 years ago | (#38659462)

And there's no way to prevent someone from using another DNS server, or just a hosts file.

I know we consider Comcast idiots, but I'm going to go out on a limb and assume that they know the IP addresses of their DNS servers and run firewalls. Limit the DNS ports to approved IPs and you've "magically" prevented someone from using another DNS server. Sure there are ways to get around it, but not in ways that most people will know.

Yeah, hosts files are great replacements for a functioning DNS....

Re:DNSSEC (2)

DigiShaman (671371) | more than 2 years ago | (#38657616)

Quite a few big companies use OpenDNS. If businesses and users get blocked from using 3rd party DNS lookup providers, there will be hell to pay. Nothing sucks balls worse than being forced to use a shitty-ass DNS lookup server hosted by a shitty-ass ISP in the middle of nowhere. Hosted off an old Dell Dimension collecting dust in the corner someplace, no doubt.

Re:DNSSEC (1, Insightful)

mcrbids (148650) | more than 2 years ago | (#38658610)

Nothing sucks balls worse than being forced to use a shitty-ass DNS lookup server hosted by a shitty-ass ISP in the middle of nowhere.

This is what we'd call a first world problem.... I can think of quite a few things more unpleasant than being forced to use a DNS server hosted out in the middle of nowhere...

Re:DNSSEC (1)

DigiShaman (671371) | more than 2 years ago | (#38660360)

Oh come on! This whole topic is a first world problem. But thanks for making me out to be detached from reality.

Re:DNSSEC (2)

jon3k (691256) | more than 2 years ago | (#38657914)

They can't outright block DNS traffic. They attempted to throttle traffic, not even block, and got their hand slapped. And when you start monkeying with traffic it gets a lot harder to fall back on Safe Harbor provisions of the DMCA, which can put them in a very precarious position.

How can I tell? (0)

Anonymous Coward | more than 2 years ago | (#38657416)

If I go to a website that has DNSSEC, how do I know? I just went to www.comcast.com, and there is no indication or message that DNSSEC is active.

And how can I use it on my BIND server? (2)

rduke15 (721841) | more than 2 years ago | (#38657734)

I have a dozen domains on my own server. If I would like to use DNSSEC, is there a good practical how-to guide on what I would have to do to my bind configuration?

And would I need to buy a certificate? Currently I just use my own CA and certificates for encryption of my mail traffic and a few private web pages. I really don't want to give money to some anonymous foreign company so that they can "certify" who I am. After all, I should know who I am better than they would.

Re:And how can I use it on my BIND server? (3, Informative)

Above (100351) | more than 2 years ago | (#38657904)

There is no need to buy a certificate. DNSSEC does not use X.509 certificates. You generate your own keys and provide them to your registrar to be published upstream.

ISC has recently added "auto DNSSEC signing" to BIND, which may be the easiest way for most folks to add DNSSEC. This page has some information:

http://www.isc.org/community/blog/201006/bind-972-and-and-automatic-dnssec-signing

Here's a post with more info:

http://netlinxinc.com/netlinx-blog/45-dns/133-bind-970-part-4-automatic-zone-signing.html

Re:And how can I use it on my BIND server? (5, Informative)

nullchar (446050) | more than 2 years ago | (#38658150)

You can fairly easily sign your zones using Bind: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch04.html#DNSSEC [bind9.net]

This takes a few steps:
  * Generate keys - a zone-signing key (ZSK) and a key-signing-key (KSK) - usually a pair of keys for each zone
  * Sign your zones - well, the records inside them
  * Now use your zone.signed file as the zonefile that Bind serves up

Next, once you query your server and everything looks good, you need to ship either the DNSKEY record or DS (digest of the key) to your registrar *. They will ship that to the registry, which signs either your key or digest. Most gTLDs (.com/.org) require only DS records, while ccTLDs (.de/.eu) require DNSKEY records.

Then, as long as you're using a DNSSEC aware resolver, you can test the hierarchy of the signed zone:

dig @149.20.64.21 comcast.com any +dnssec

Look for the "ad" bit set in the Flags section. If you just want to see the keys in this example, simply limit dig to that RR type:

dig @149.20.64.21 comcast.com dnskey +multiline +dnssec

DNSKEY 257 is the key-signing-key, which was sent to the registry, while DNSKEY 256 is the zone-signing key. Dig +trace to see the DS records at the .com registry - they host two different digests for the same key tag/id (35356):

dig comcast.com dnskey +multiline +dnssec +trace

You'll often notice zones with multiple keys - you must support more than one key at a time to enable key rotation. E.g., you, as an authoritative server operator, may wish to rotate your zone-signing key fairly often, while you may wish to rotate the key-signing-key once per year. Each registry decides the expiration of the key or digest they are storing.

* = Not all registrars support DNSSEC; once you sign your domain you cannot transfer the domain to a non-DNSSEC enabled registrar. Either you have to un-sign it or transfer it somewhere else.

There is no certificate authority involved, as the DNS hierarchy contains the signature chain, from the root servers, to each TLD, to each domain. One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required! A browser can use the DNSSEC validated response to match the public key (or more likely, fingerprint) to the web server it is connecting with. You can already use DNS to publish SSH key fingerprints [ietf.org], now you can sign that record for even more trust.
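To make the DNSKEY/DS relationship described above concrete, here is an added Python example (not code from the post, from Comcast, or from BIND) that parses a DNSKEY line in dig's presentation format, derives the key tag (the "key tag/id" number the post refers to) and the SEP flag that distinguishes a 257 key-signing key from a 256 zone-signing key, and computes the SHA-1 and SHA-256 DS digests that a registry such as .com publishes for that key, following RFC 4034. The owner name example.test. and the 4-byte dummy public key are constructed assumptions so the key tag can be checked by hand; real RSA keys are far longer.

```python
"""Key tag and DS computation for a DNSKEY record (RFC 4034 Appendix B and
section 5.1.4, RFC 4509 for SHA-256).  Added example, not code from the
Slashdot post or from ISC/BIND.  The DNSKEY line below is constructed with
a 4-byte dummy public key so the numbers can be verified by hand."""
import base64
import hashlib

# Constructed sample in dig presentation format:
# owner TTL class type flags protocol algorithm base64-key
SAMPLE_DNSKEY = "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def parse_dnskey(line):
    """Split a presentation-format DNSKEY line into its fields."""
    fields = line.split()
    if len(fields) < 8 or fields[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    owner = fields[0]
    flags, protocol, algorithm = int(fields[4]), int(fields[5]), int(fields[6])
    # dig +multiline wraps long keys over several tokens; join them first
    pubkey = base64.b64decode("".join(fields[7:]))
    return owner, flags, protocol, algorithm, pubkey


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the RDATA (not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """Bit 7 (0x0100) = zone key; bit 15 (0x0001) = SEP.  257 is a KSK, 256 a ZSK."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def wire_name(owner):
    """Canonical (lowercase) wire-format owner name; assumes plain ASCII labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_records(owner, rdata, digest_types=(1, 2)):
    """DS records as the parent zone would publish them: digest(owner || DNSKEY RDATA)."""
    tag = key_tag(rdata)
    algorithm = rdata[3]
    records = []
    for dt in digest_types:
        digest = DS_DIGESTS[dt](wire_name(owner) + rdata).hexdigest().upper()
        records.append("%s IN DS %d %d %d %s" % (owner, tag, algorithm, dt, digest))
    return records


def summarize(line):
    """Parse one DNSKEY line and return role, key tag and the matching DS records."""
    owner, flags, proto, alg, pub = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, pub)
    return {"owner": owner, "role": key_role(flags),
            "key_tag": key_tag(rdata), "ds": ds_records(owner, rdata)}


if __name__ == "__main__":
    info = summarize(SAMPLE_DNSKEY)
    print("%s %s key tag %d" % (info["owner"], info["role"], info["key_tag"]))
    for ds in info["ds"]:
        print(ds)
```

Running a real `dig <zone> dnskey +multiline` line through `summarize` gives the key tag and DS digests you can compare against what `dig +trace` shows at the registry.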

Re:And how can I use it on my BIND server? (2)

mcrbids (148650) | more than 2 years ago | (#38658744)

One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required!

I have felt that this is a good idea for a very long, long, long time. The thing on the Internet that tells you where to go to get to a domain name is the DNS server. Thus, the owner of the DNS server really should be the source of the certificate public keys, not some random 3rd party whose true interests lie in selling certificates more cheaply and doing just enough certification that they aren't actually deemed to be insecure.

It's a race to the bottom. DNSSEC, on the other hand, allows the owners of a domain to determine just how much they take security properly.

Re:And how can I use it on my BIND server? (3, Informative)

hardaker (32597) | more than 2 years ago | (#38659458)

Signing your own zone is trivial and you don't need to pay anyone. I even created a simple, short video on the subject using the DNSSEC-Tools components: http://www.youtube.com/watch?v=7ksgTFxAg6U [youtube.com]

Though I'm associated with the above project, I actually don't care what tool set you use: just sign your zone!

Re:How can I tell? (1)

icebraining (1313345) | more than 2 years ago | (#38657792)

Only if the browser tells you, and I think they don't, at least for now. There's an addon for Firefox, though.

Re:How can I tell? (1)

scdeimos (632778) | more than 2 years ago | (#38659482)

How well does that [dnssec-validator.cz] work with servers behind round-robin DNS? Or isn't that possible with DNSSEC?

Also funny that it says www.comcast.com [comcast.com] is *not* secured by DNSSEC, contrary to TFA.

Re:How can I tell? (0)

Anonymous Coward | more than 2 years ago | (#38659548)

If you want to know, you can get a Firefox addon that will add either a greyed out key (DNSSEC not supported for this DNS name), a green key (verified by DNSSEC) or a yellow key (DNSSEC might work for this domain, but your machine isn't configured to enable it).

Without the add-on, if DNSSEC is working for you, it will just work, protecting those domains which have it enabled.

SOPA and DNSSEC? (1)

Tynin (634655) | more than 2 years ago | (#38657430)

I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledgeable...

Re:SOPA and DNSSEC? (5, Informative)

girlintraining (1395911) | more than 2 years ago | (#38657544)

I guess I'm not sure how SOPA and DNSSEC overlap, could someone explain it in a couple of sentences? Does DNSSEC hinder or help? I would assume hinder SOPA... I'm going to research more, but was hoping to get a quick brief from someone knowledgeable...

Well, let's try a car analogy. Before DNSSEC, anyone could put up a road sign, and you'd have no way of knowing whether it would send you the right way or not. There were a few publicized cases of cars going down the wrong road, a few pileups, but most people got to/from work everyday.

However, some very smart people were worried some other smart people could swap the road signs. So they added smaller digital tags on the back of the signs that had a special number encoded in it and the name of the municipality that placed the sign there. You need a special box to tell you what it says. Not many people were keen on spending the money to implement this, since the only people that could read the special codes were police, firefighters, and some guys riding around in black SUVs. For the majority of drivers, nothing changed.

Separately, these municipalities were threatened with lawsuits by very large companies and the government if they allowed signs to stay up on roads they didn't like, or went to places they didn't like... So they've been busy tearing down signage all over the place to appease these well-monied interests. Sometimes the signs being taken down have the little tags, but most of the time they don't. Drivers that are familiar with the area won't have a problem because they know the address and route already, but younger, and inexperienced drivers might not, and for them, these new laws could keep them from getting to those places.

Re:SOPA and DNSSEC? (1)

Synerg1y (2169962) | more than 2 years ago | (#38657670)

I like the analogy, it explains both SOPA & DNSSEC, but unless I'm missing something, they are not related in any relevant way, where one actually requires the other. Picture this, I go to the pirate bay, but SOPA blocks me, so I hop on a. a proxy b. a non-USA DNS server. I don't need b but some people do. Now... to the point... if TPB is running DNSSEC and the DNS server I'm on doesn't have a valid signature for the TPB cert, and doesn't allow non-cert users, I'd be screwed. Except... the web admin of TPB isn't that fuckin stupid. I mean he'd have to live under a rock to not know to disable DNSSEC on TPB lol. Thus they can only be related in really abstract scenarios.

Correct me if I'm wrong :) I haven't done heavy reading on this, but signed certs (public/private key model) aren't new except maybe to dns.

Re:SOPA and DNSSEC? (1)

jon3k (691256) | more than 2 years ago | (#38657936)

SOPA doesn't stop any competent person from getting to anything.

Re:SOPA and DNSSEC? (1)

Anonymous Coward | more than 2 years ago | (#38658516)

So says a future example of somebody who makes a couple mistakes and gets their IP logged... Or you never do anything but are merely accused of it.

It moves warnings and civil legal actions to the government so the tax payers have to pay to go after these people for free.

Re:SOPA and DNSSEC? (4, Insightful)

JesseMcDonald (536341) | more than 2 years ago | (#38658148)

The relationship is the other way around. SOPA is a law which forces ISPs and registrars within its jurisdiction to block certain DNS requests. DNSSEC is a means of signing both individual domain records and chains of domains so that you know that the domain data and/or NXDOMAIN (No Such Domain) response to your request is authentic, provided you can trust the operators of the higher-level domains up to the DNS root, or another anchor point for which you can check the key.

Assuming that TPB has a domain outside SOPA's jurisdiction, and you either have an anchor for that TLD or trust the root domain, this means that while your ISP can still refuse to give you the address for TPB's domain (with either no response or a server error), it can't supply the wrong address or claim that the domain doesn't exist, since you would immediately know that it's lying.

The operator of TPB would have to be stupid not to enable DNSSEC, if it's available for that TLD, since it serves to prevent visitors from being silently redirected to some other site. Using DNSSEC doesn't give ISPs an additional way of blocking your site; on the contrary, it makes it much more obvious when they attempt to do so.

Re:SOPA and DNSSEC? (1)

nullchar (446050) | more than 2 years ago | (#38658210)

You're wrong because DNSSEC is backwards compatible. The authoritative servers can sign TPB.org tomorrow, and until people use DNSSEC-enforcing DNS resolvers, it won't matter. Your regular old DNS resolver will simply ignore the RRSIG records and the signed hierarchy. Now if you're a Comcast user, you will be able to validate the response, meaning visiting TPB.org won't send you to a bogus site because the A record can't be poisoned.

Re:SOPA and DNSSEC? (1)

jroysdon (201893) | more than 2 years ago | (#38659760)

You can validate all responses with no DNSSEC support in your DNS resolvers. All you need is the root zone key, and you can verify from there down. Example: run your own BIND server with DNSSEC enabled and never use your ISP's.

Re:SOPA and DNSSEC? (5, Informative)

Anonymous Coward | more than 2 years ago | (#38658290)

It's not about disabling DNSSEC. DNSSEC allows a resolver (your machine) to verify that the DNS answers it gets (from a cache, an ISP server, or wherever) are authentic records from the DNS hierarchy. Without DNSSEC you just accept whatever you're told on trust. Your ISP, or some script kiddie in Poland, can fuck with the answers and your first clue will be when TPB is just a blank page saying piracy is illegal or call Czeslaw for a good time.

The point is that DNSSEC will still tell the truth even when the government requires your ISP to lie to you. If you ask "Where is TPB?" under DNSSEC the only possible answers are "Here is the true authentic address for TPB" or "Error, someone is fucking with your DNS resolution". The US government would love the answer to be "Here is a US government web site reminding you that you are the property of Corporate America and subject to its whims" but DNSSEC rules that out. For US registries (like com) the US government can just go tell the registry operator to do what it says or go to jail. But to change the answers to the questions in non-US registries the most obvious option US government has is to put a bunch of men with guns on a helicopter, fly into another country and go break down the doors of the relevant DNS registry and insist they change the authentic records so that DNSSEC checks out OK.

Now I'm sure in the heads of the average 60-something senator voting for these measures that sounds proportionate. It's terrorists, or something, right? We're fighting a war here - the blood of patriots must flow and so on. But when you explain to a Navy SEAL that he's to go risk his neck so some fucker in a Hollywood corner office can afford to buy an extra yacht, that's going to stick.

Nobody is going to give that order. So if you have DNSSEC, the results of SOPA will be that you see errors every time you hit a page the government is censoring. Consider it your daily reminder that the US government works for the guy with the deepest pockets.

Re:SOPA and DNSSEC? (1)

shentino (1139071) | more than 2 years ago | (#38657578)

Actually, what's to stop SOPA from going after VeriSign and telling them to change the zone info directly?

DNSSEC only authenticates.

But it doesn't stop a legal process from changing the authoritative information itself.

Re:SOPA and DNSSEC? (1)

nullchar (446050) | more than 2 years ago | (#38658184)

Exactly, SOPA DNS blocking won't be limited to recursive resolvers at ISPs, it will be implemented at the registry level. VeriSign will get the order and remove the name servers for ThePirateBay.com from the .com zone file.
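The chain of trust JesseMcDonald describes, the "authentic address or error" outcome in the Informative comment above, and shentino's and nullchar's point that the registry can still change what gets signed, worked through as an added example. This is not code from the page, from Comcast, or from any real resolver: the zone names (root. -> org. -> example.org.), the keys and the addresses are all constructed, and Ed25519 stands in for the signature algorithms real DNSSEC uses, with a DS modelled as a hash of the child key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed toy chain root. -> org. -> example.org.; no real DNS data.
// Ed25519 stands in for the RRSIG algorithms real DNSSEC uses.

type signedRecord struct {
	Name, Type, Data string // owner name, RR type, RDATA
	Sig              []byte // RRSIG-like signature by the zone key
}

func (r signedRecord) canonical() []byte { return []byte(r.Name + "|" + r.Type + "|" + r.Data) }

type zone struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newZone() zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return zone{pub: pub, priv: priv}
}

func (z zone) sign(name, typ, data string) signedRecord {
	r := signedRecord{Name: name, Type: typ, Data: data}
	r.Sig = ed25519.Sign(z.priv, r.canonical())
	return r
}

// dsOf models a DS record: the parent publishes a hash of the child's DNSKEY.
func dsOf(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// chainLink is one delegation: the child's DNSKEY and the parent-signed DS for it.
type chainLink struct {
	key ed25519.PublicKey
	ds  signedRecord
}

// validate walks from the trust anchor down each delegation, then checks the
// answer. Like a validating resolver it yields "secure" or a "bogus" reason;
// there is no outcome in which a substituted answer is accepted.
func validate(anchor ed25519.PublicKey, chain []chainLink, answer signedRecord) string {
	parentKey := anchor
	for _, link := range chain {
		if !ed25519.Verify(parentKey, link.ds.canonical(), link.ds.Sig) {
			return "bogus: DS not signed by parent zone"
		}
		if link.ds.Data != dsOf(link.key) {
			return "bogus: DNSKEY does not match parent DS"
		}
		parentKey = link.key
	}
	if !ed25519.Verify(parentKey, answer.canonical(), answer.Sig) {
		return "bogus: answer not signed by zone key"
	}
	return "secure"
}

// scenario returns the outcome for four answers a resolver might hand back.
func scenario() map[string]string {
	root, org, site := newZone(), newZone(), newZone()
	chain := []chainLink{
		{key: org.pub, ds: root.sign("org.", "DS", dsOf(org.pub))},
		{key: site.pub, ds: org.sign("example.org.", "DS", dsOf(site.pub))},
	}
	out := map[string]string{}

	// 1. The authentic record, signed by example.org.'s own key.
	authentic := site.sign("example.org.", "A", "192.0.2.10")
	out["authentic"] = validate(root.pub, chain, authentic)

	// 2. A resolver in the path swaps the address but cannot re-sign it.
	redirected := authentic
	redirected.Data = "198.51.100.99"
	out["redirected"] = validate(root.pub, chain, redirected)

	// 3. The resolver drops the signature and returns a plain answer.
	stripped := authentic
	stripped.Sig = nil
	out["stripped"] = validate(root.pub, chain, stripped)

	// 4. The registry (org.) re-delegates to a new key, which signs a new address:
	//    still "secure", because DNSSEC authenticates whatever the parent zones publish.
	holder := newZone()
	redelegated := []chainLink{chain[0], {key: holder.pub, ds: org.sign("example.org.", "DS", dsOf(holder.pub))}}
	out["registry-changed"] = validate(root.pub, redelegated, holder.sign("example.org.", "A", "203.0.113.5"))
	return out
}
```

Cases 2 and 3 are the ISP-side blocking the thread is arguing about: a validating resolver (Comcast's, or your own BIND with the root key) reports them as bogus rather than handing you a substituted address. Case 4 is the limit shentino points out: if the parent registry publishes a new DS and the new key holder signs new records, the chain verifies, so DNSSEC tells you the answer is what the registry published, not that the registry was not compelled to change it.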

Comcast supports SOPA (4, Insightful)

pavon (30274) | more than 2 years ago | (#38657436)

Given that Comcast has been more proactive about implementing DNSSEC than all the other major ISPs, I was very surprised to learn that they support SOPA [house.gov], which will make it impossible for ISPs to implement DNSSEC. I assume that their stance is motivated by the fact that they own half of NBC, and I wonder how their engineering staff plans on handling this situation if the bill is passed.

Re:Comcast supports SOPA (1)

Captain Splendid (673276) | more than 2 years ago | (#38657468)

and I wonder how their engineering staff plans on handling this situation if the bill is passed.

Belatedly, and with much gnashing of teeth? I mean, it's not like corporate divisions play well together...

Re:Comcast supports SOPA (0)

Anonymous Coward | more than 2 years ago | (#38658180)

Right hand does not know what the left hand is doing. This will result in some entertainment.

Be right back, going to get some popcorn and one of those bladder-buster drinks.

Re:Comcast supports SOPA (3, Informative)

djl4570 (801529) | more than 2 years ago | (#38657580)

Here's a place to start: http://en.wikipedia.org/wiki/SOPA#Negative_impact_on_DNS.2C_DNSSEC_and_Internet_security [wikipedia.org] It's Wikipedia, so verify the cites.

Re:Comcast supports SOPA (4, Interesting)

shentino (1139071) | more than 2 years ago | (#38657592)

DNSSEC won't prevent SOPA from being enforced.

The registries holding the authoritative records can still be compelled to change the master data they send.

Re:Comcast supports SOPA (0)

Anonymous Coward | more than 2 years ago | (#38657712)

DNSSEC won't prevent SOPA from being enforced.

The registries holding the authoritative records can still be compelled to change the master data they send.

Not if they're in .ca, .org, or any of hundreds of other TLDs that aren't controlled by a US-based company.

Re:Comcast supports SOPA (1)

rduke15 (721841) | more than 2 years ago | (#38657774)

Not if they're in .ca, .org, or any of hundreds of other TLDs that aren't controlled by a US-based company.

Do you mean that it would only affect .com domains? In that case, what's all the fuss about? If it only targets spammers, who cares?

Re:Comcast supports SOPA (1)

The End Of Days (1243248) | more than 2 years ago | (#38658606)

Hey, if these people would put half the energy into creating something as they do bitching that they can't get the creations of others for free... well, I don't know, do I? Because they spend all of their energy bitching.

Nope (3, Informative)

pavon (30274) | more than 2 years ago | (#38657828)

In the case of registries outside of US jurisdiction, SOPA requires all ISPs within the US to filter domain name requests for allegedly infringing sites, when ordered by the US Attorney General.

Re:Nope (1)

Anonymous Coward | more than 2 years ago | (#38658066)

Yup, but DNSSEC means this will cause an error. You can't "just" censor the requests. DNSSEC can tell the difference between the legit answer and any fake answer or non-answer.

I.e., if you're an ISP, the Attorney General is asking you to eat an enormous customer support bill in order that some other company can get richer.

Re:Nope (1)

failedlogic (627314) | more than 2 years ago | (#38658674)

Pfft. Defeating SOPA is easy.

1. Become the US Attorney General.
2. Run your own root DNS server.
3. ???
4. Profit!!

Now, that wasn't too hard.

Re:Comcast supports SOPA (1)

DigiShaman (671371) | more than 2 years ago | (#38657656)

They will be forced to kick the sand castle and stick you -the subscriber- with the bill via increased subscription rates.

Re:Comcast supports SOPA (1)

Synerg1y (2169962) | more than 2 years ago | (#38657694)

Of course they do; they wanted to throttle p2p bandwidth back in the day and got shot down. They are very, very conscious of their bandwidth for how big they are.

Just in time! (0)

Anonymous Coward | more than 2 years ago | (#38657608)

Just in time for...that SOPA bill to break it? The same SOPA that Comcast supports?

I'm confused now. Why are they implementing a system that will break once the laws they support get passed?

Re:Just in time! (5, Interesting)

TheBrez (1748) | more than 2 years ago | (#38657810)

Simple. The technical people at Comcast are highly skilled intelligent people. They aren't senior level techs at one of the largest ISPs in the world by being idiots. The legal department on the other hand is staffed by money-sucking weasels (like all legal departments are) who are supporting stupidity in legislation without bothering to talk to their highly skilled technical people about whether this braindead legislation is even technically POSSIBLE to implement. The technical people no doubt KNOW that SOPA is impossible with DNSSEC. Hence they're encouraging everyone to move to DNSSEC as quickly as possible, so in the event that Congress screws up and passes this abortion of a bill at the behest of the large content providers and intellectual property bandits, they'll find out that it doesn't work on large portions of the Internet, thus pissing off their constituents even more, and causing a large shift in political goodwill towards their opponents.

Has anybody suggested asking the current political candidates their views on SOPA? If you live in the US, and your Congressperson is listed as a Co-sponsor of the bill, or listed as an opponent of the bill, have you contacted them to voice your opinion? Votes are all that matters to politicians. A few hundred calls/emails to their office telling them that this is a flawed bill, and it WILL result in your vote going to their opponent can quickly change their minds on what matters to them.

http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR03261:@@@P [loc.gov]
That's the current list of SOPA co-sponsors.

Comcast also has a lot of clueless managers / PHBs (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38658098)

With the size of Comcast and how its tech is set up, people in one area do not know what the other is doing.

Being built on lots of systems that became Comcast by buying up other systems does not help them stay on the same page.

Sometimes the call center has a hard time telling the techs / installers basic stuff like needing a CableCARD for the job.

Step right up and get your SOPA SOPA SOPA! (-1)

Anonymous Coward | more than 2 years ago | (#38658144)

The real revolution will commence when we identify the true brokers of power and when we begin systematically removing our dependence on them, and replacing their systems and institutions with ones of our own. - LandDestroyer.Blogspot.com

Translated to English this means you must look in the mirror. Stop the Fritos potato chips, the HFCS Coke, the GMO corn, the Comcasts, the AT&Ts, the Facebook, the Twitter, the MySpace, the Google, the Republicans, the Democrats, the AIPACs, the PNACs, the Kochs, the Soroses, the JP Morgans, the Goldman Suck's.

Can you dump all these? All of them even if there are more? Will you look them up and tie together the dots, or will you keep funding your globalist slave masters, who then purchase our local reps?

Already look at this shit!
http://www.activistpost.com/2012/01/ndaa-protests-end-in-ironic-swarm-of.html

What I see happening... (1)

Anonymous Coward | more than 2 years ago | (#38658540)

I think that for those who mentioned that it would be illegal, or that the ISP would block you from using a non-approved DNS server, that could be realistic. The FCC/US government has done something similar in the recent past. The 860 MHz analog cellular region comes to mind. Cellular companies were using unencrypted, clear, unaltered audio over this frequency range. People with police scanners or a TV with an analog UHF tuner could pick up all phone conversations in the clear. The phone companies fucked up and asked the government to step in and help so they could ease public concern and still sell phones without using readily available technology to encode the audio. The FCC did step in: they made it illegal for someone to listen in, then they banned the sale of scanners that could tune to this region, then they banned the "easy" bypassing of the ban and the act of reprogramming the scanner to get these signals. They even tried other measures for those that had scanners that could receive images of those frequencies. It was a cat and mouse game. All to prop up the phone companies' profits and to prevent them from paying for their shortsightedness. I'm sure the IP lobbyists are a much greater force now and could get something like banning "rogue" DNS servers passed into a law.

I like this approach (1)

Trax3001BBS (2368736) | more than 2 years ago | (#38659406)

I've just recently seen email coming to me with a "DKIM-Signature".
"DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit."
http://www.dkim.org/ [dkim.org]

While the e-mail came from across the pond, these go through Yahoo and seem to be a part of their system.
I haven't researched it any further than that.

I like these approaches though; they avoid using the Trusted Platform Module (TPM).
http://en.wikipedia.org/wiki/Trusted_Platform_Module [wikipedia.org]
