
Comment: Re:What is this? (Score 4, Informative) 196

by ctg1701 (#33940710) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

Stop posting press release posts.

Here is some non-Comcastic information - http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

Chris what is your non-biased take on Comcast forging TCP reset packets and terrible quality HD?

I also should mention that reading Wikipedia isn't the most reliable source, although that one is fairly good. I might suggest looking at the following if you don't care for Comcast's write up:

https://www.dnssec-deployment.org/

or the RFCs:

http://tools.ietf.org/html/rfc4033
http://tools.ietf.org/html/rfc4034
http://tools.ietf.org/html/rfc4035

Thanks

Chris
Comcast

Comment: Re:What is this? (Score 3, Interesting) 196

by ctg1701 (#33940622) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

Stop posting press release posts.

Here is some non-Comcastic information - http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

Chris what is your non-biased take on Comcast forging TCP reset packets and terrible quality HD?

Actually I have been working in the IETF to help provide better methods for P2P to work on ISP networks after the issues with the TCP reset packets a few years ago. I am sure you can look up some of the RFC items if you search for them.

If you have a problem with your HD quality, I suggest getting someone to come look at that. Given I am an Internet Engineer, I don't work on that side of the business.

Thanks

Chris
Comcast

Comment: Re:What is this? (Score 2, Informative) 196

by ctg1701 (#33940572) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

Are you guys running any tests in Seattle at night? DNS lookups regularly fail after midnight and are generally really spotty from midnight on. It's not a connectivity issue because I can always ssh using an IP address even when my web browser can't load pages due to lookup failures.

No we are not running any tests and our DNS is up and responding. If you are having issues, I would suggest stopping by our customer forums at http://forums.comcast.net to get help.

Thanks

Chris
Comcast

Comment: Re:This is a GOOD thing (Score 2, Interesting) 196

by ctg1701 (#33939544) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

I've been using these for months while they've been available for testing. The very nature of DNSSEC kills the 404 helper service, and provides an extra level of security. For anyone that wants to use them now without being migrated automatically someday, just use 75.75.75.75 and 75.75.76.76 for the DNS.

Absolutely correct, and hopefully people realize that we want to make your Internet service a better and safer experience.

Comment: Re:For Webmasters? (Score 2, Informative) 196

by ctg1701 (#33939504) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

What does this mean for webmasters? Are all of us going to need DNSSEC keys on our websites or does this just apply to comcast's array of websites? I wasn't aware that DNS had any kind of security issue which would warrant a revamp. How will this affect the future of the web?

This has little to do with websites and more to do with the zones in the DNS for the websites. This adds an additional layer to protect the DNS from attacks. I suggest if you want more information, please read the following: http://www.dnssec.comcast.net/faq.htm

Thanks

Chris
Comcast

Comment: Re:a bit confused (Score 1) 196

by ctg1701 (#33939488) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

What happens if the site doesn't want to sign up for DNSSEC? Would Comcast block communications with those sites? Also, it seems DNSSEC costs additional to the current cost for a site. (Just putting that out there.)

If a site chooses not to sign their domain, then the DNS will work just like it does now and will not be validated. As for hosting sites, some of them may choose to charge for securing domains. You should check with your provider for additional details.

Thanks

Chris
Comcast

Comment: Re:Meh ... 8.8.8.8 (Score 1, Informative) 196

by ctg1701 (#33939452) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

My router is already set up to ignore Comcast's DHCP provided DNS, and use 8.8.8.8 and 8.8.4.4 anyway... Substitute your own favorite public DNS resolver (or install OpenWRT and use its djbdns if you prefer).

While you could do any of the following, Comcast DNS servers should provide a fast response and better localization than third party resolvers. We also will now have DNSSEC validation turned on to enable another level of security that none of the third party resolvers currently offer.

Hopefully you will give us a try and take a look at http://www.dnssec.comcast.net/faq.htm for details.

Thanks

Chris
Comcast

Comment: Re:domain helper? (Score 5, Informative) 196

by ctg1701 (#33939416) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

Domain helper.. is that the crap that automatically relocates you to some ad serving search website when you input an unrecognized dns in the web browser? That kind of crap is why I switched to 4.1.1.1

We will be disabling Domain Helper on our recursive resolvers and you will also get DNSSEC validation by using our Anycast resolvers. There is no redirection and you will also get the protections enabled by DNSSEC.

Thanks

Chris
Comcast
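
An added illustration, not part of the original comments and not Comcast's code: what a client can read from the DNS response header under the behaviour described in the replies above (unsigned zones resolve as before, signed zones come back validated, nonexistent names get NXDOMAIN instead of a redirect). The names `classify`, `header` and `SAMPLES` are hypothetical and the packets are constructed, not captured.

```python
import struct

# Header flag mask and response codes from RFC 1035 / RFC 4035.
AD_BIT = 0x0020      # Authenticated Data: the resolver validated the answer
RCODE_MASK = 0x000F
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def classify(response: bytes, name_should_exist: bool = True) -> str:
    """Classify a raw DNS response using only its 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        # A validating resolver answers SERVFAIL when signatures do not verify.
        return "servfail (validation failure or resolver error)"
    if rcode == NXDOMAIN:
        return "nxdomain (honest negative answer)"
    if rcode == NOERROR and ancount and not name_should_exist:
        # An answer for a name known not to exist means NXDOMAIN was rewritten.
        return "redirected (answer synthesized for a nonexistent name)"
    if rcode == NOERROR and flags & AD_BIT:
        return "validated (signed zone, AD set)"
    if rcode == NOERROR:
        return "unvalidated (unsigned zone, resolves as before)"
    return f"other rcode {rcode}"

def header(flags: int, ancount: int) -> bytes:
    """Build a constructed 12-byte header for the samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples: QR=1, RD=1, RA=1 gives 0x8180, plus AD or an RCODE.
SAMPLES = {
    "signed": header(0x8180 | AD_BIT, 1),
    "unsigned": header(0x8180, 1),
    "bogus": header(0x8180 | SERVFAIL, 0),
    "missing": header(0x8180 | NXDOMAIN, 0),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, "->", classify(pkt))
    # Same NOERROR header, but for a name the caller knows does not exist.
    print("helper ->", classify(SAMPLES["unsigned"], name_should_exist=False))
```
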

Comment: Re:opendns or google dns? (Score 3, Informative) 196

by ctg1701 (#33939410) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

OpenDNS has the same flaws as Comcast's Domain Helper service (i.e., does not return NXDOMAIN), GoogleDNS has some issues I can't remember and for us has pretty significant latency.

Currently neither supports DNSSEC validation and with us enabling DNSSEC on our recursive resolvers, we are disabling Domain Helper. Please check out http://www.dnssec.comcast.net/faq.htm for more details.

Thanks

Chris
Comcast

Comment: Re:What is this? (Score 5, Informative) 196

by ctg1701 (#33939394) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

What this means is that COMCST is now going to tell their customers that you're only allowed to visit websites that have joined the system. They may be selling this as security, but make no mistake this is also a huge control system. I may have to cancel my service with them, when this happens. The simple fact is you may have some legitimate websites who choose willfully NOT to partake in such a control scheme. I may need to visit such a site and COMCST is going to essentially tell me I can't visit that site. No thanks, I don't need a big brother. I'm an adult and I can take care of my own computers and I don't need COMCST protecting me. I don't give a crap what they say, I alone should have the right to decide where I can and can't go on the internet, unless of course you don't believe in freedom. Just give me the fully open internet service I pay for ya dern COMCST Commies!!! Quit interfering with my traffic.

-Anonymous Coward (yeah right like they can't track you down by your IP the way the RIAA is racketeering everybody)

You have clearly not read anything about DNSSEC and how this actually ensures you get the traffic you requested without anyone - including Comcast - interfering with your DNS requests. I highly recommend you read http://www.dnssec.comcast.net/faq.htm so you can understand why we are doing this and why the global Internet and DNS is moving to this standard.

Thanks

Chris
Comcast

Comment: Re:What is this? (Score 5, Informative) 196

by ctg1701 (#33939372) Attached to: Comcast Migrating Customers To DNSSEC Resolvers

For those of us on Comcast, what does this mean?

Whenever I am offered the opportunity to opt out of something by a company, I know it's probably a good idea to opt out.

Also, I've had very flaky internet service the past week or so, although I am not in this market (Minneapolis area). My equipment all seems to work fine, and of course there could be any number of causes, but this seems interesting.

DNSSEC security is an Internet standard and it means that we are enabling it for our domains and will validate others once it is rolled out globally. I suggest you read through http://www.dnssec.comcast.net/faq.htm which explains why we are rolling this out and what it means for our customers.

Thanks

Chris
Comcast

Comcast migrating customers to DNSSEC resolvers

Submitted by ctg1701
ctg1701 (311736) writes "Starting today we will begin migrating customers who have opted out of our Domain Helper service over to our production DNSSEC-validating servers. This will happen first in a selected part of our Virginia network, and will later expand to all markets in the following sixty days, at which point all of our customers who have opted out of Domain Helper will be migrated. After this has been completed, we will migrate the rest of our customers, which we anticipate will stretch into the early part of 2011. You can find more information at http://www.dnssec.comcast.net/ and you can see an informational video at http://www.dnssec.comcast.net/dnssec-video.htm."
