Reply
Official Employee
ComcastChrisGr
Posts: 329
Registered: ‎07-10-2008

Comcast Launches DNSSEC Trial

Comcast has been a leader in the testing of and advocating for the wide adoption of DNSSEC.  Our leadership continues today with the announcement of a plan to implement DNSSEC validation in the DNS servers that our customers use, as well as for the signing of authoritative domains such as comcast.com and xfinity.com.  In addition, we're pleased to tell you that we have something you can do to get involved today (so keep reading!).

First, we plan to sign the domain names we manage, such as comcast.com and comcast.net, by the end of the first quarter of 2011, if not sooner.  While we are already signing several domains today on a trial basis, such as comcast.org, this is our goal for signing the full range of domains that we own (there are thousands). 

Second, by the end of 2011, if not sooner, we plan to implement DNSSEC validation in all of the recursive DNS servers (a.k.a. caching servers) that our customers use every day.  Customers will not need to make any changes to their configurations in order to take advantage of that; this will automatically occur via DHCP lease updates at that time.

Third, and of particular interest to people here, customers who would like to start using a DNSSEC-validating DNS server today can immediately do so on an opt-in basis as the next step in our DNSSEC technical trials. You can do so now by changing your DNS server IP addresses to 75.75.75.75 and 75.75.76.76. The servers supporting this are operating in our production network, not a trial network, and are deployed nationally in the same locations as our other DNS servers that customers use every day.

We hope that by announcing our DNSSEC plans, and immediately making available our Anycast-based DNSSEC-validating servers, we will catalyze other stakeholders to really focus on DNSSEC, and do their share to ensure we collectively have a secure foundation for the Internet. Just as with IPv6, it's time for organizations to get serious about DNSSEC and today we take another step in doing our share to move the Internet community ahead.

Finally, I'd like to anticipate one question some of you might ask, which is how we reconcile the use of DNS redirect as used in Comcast Domain Helper, and as described in this IETF draft, with our plan to implement DNSSEC. The answer is that we believe that DNSSEC is basically incompatible with current DNS redirect technology.  We have always known this and we expect that one result of turning on DNSSEC validation will be that Domain Helper's DNS redirect functionality will need to be disabled, absent any additional IETF standards work or other technology advances (and we're not aware of any work on either of these fronts).  We anticipate updating our IETF draft on this subject to reflect this in the upcoming -01 version, which we are working on now and hope to publish shortly after IETF 77, which takes place in late March. We also look forward to any feedback users may have about their experiences using our trial DNSSEC-validating resolvers, as such feedback is important to preparing our infrastructure and processes for full DNSSEC support. For more information on the DNSSEC deployment at Comcast, please check out http://www.dnssec.comcast.net.

Thanks,

Chris

Message Edited by ctg1701a on 02-23-2010 11:11 AM
Message Edited by ctg1701a on 02-23-2010 11:16 AM
Networking Expert
Baric
Posts: 24,238
Registered: ‎07-28-2003

Re: Comcast Launches DNSSEC Trial

Switched over.  No issues so far on my network with Windows, Mac, iPhone, and Linux clients, both direct and proxied through my Time Capsule.
Networking Expert
Baric
Posts: 24,238
Registered: ‎07-28-2003

Re: Comcast Launches DNSSEC Trial

Found an issue that seems to be related to the DNSSEC servers.  While trying to look at http://www.broadband.gov (mentioned in another post), I found I could not get to it, and by that I mean I couldn't resolve the IP address through DNS.  My Win7 box is pointing at my Apple Time Capsule for DNS proxy, the Time Capsule is pointing at the 75.75.*.* DNSSEC servers.

After some playing on my Linux system, I got dig to cough this up:

1. /etc/resolv.conf pointing at 75.75.75.75 and 75.75.76.76, I get this:

onyx ~ $ dig www.broadband.gov

; <<>> DiG 9.4.1-P1 <<>> www.broadband.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56119
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.broadband.gov.             IN      A

;; Query time: 2995 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Sat Mar 13 21:08:45 2010
;; MSG SIZE  rcvd: 35

and sometimes this:

onyx ~ $ dig www.broadband.gov
;; reply from unexpected source: 68.87.71.233#53, expected 75.75.75.75#53
;; reply from unexpected source: 68.87.71.229#53, expected 75.75.76.76#53
;; reply from unexpected source: 68.87.71.229#53, expected 75.75.76.76#53
;; reply from unexpected source: 68.87.71.233#53, expected 75.75.75.75#53
;; reply from unexpected source: 68.87.71.229#53, expected 75.75.76.76#53

; <<>> DiG 9.4.1-P1 <<>> www.broadband.gov
;; global options:  printcmd
;; connection timed out; no servers could be reached

2. When pointing at 68.87.71.226 and 68.87.73.242, the query works:

onyx ~ $ dig www.broadband.gov

; <<>> DiG 9.4.1-P1 <<>> www.broadband.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1751
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.broadband.gov.             IN      A

;; ANSWER SECTION:
www.broadband.gov.      85974   IN      A       4.21.126.148

;; Query time: 12 msec
;; SERVER: 68.87.71.226#53(68.87.71.226)
;; WHEN: Sat Mar 13 20:57:42 2010
;; MSG SIZE  rcvd: 51

3. When I use dns proxy through the router, I get a pure timeout (function of the router not responding because it got no valid response, I suspect):

onyx ~ $ dig www.broadband.gov

; <<>> DiG 9.4.1-P1 <<>> www.broadband.gov
;; global options:  printcmd
;; connection timed out; no servers could be reached

My /etc/resolv.conf looks like this (just move the comments around):

onyx ~ $ cat /etc/resolv.conf
# Comcast DNS servers
#nameserver 68.87.71.226
#nameserver 68.87.73.242

# Comcast DNSSEC servers
nameserver 75.75.75.75
nameserver 75.75.76.76

# DNS proxy through the router
#nameserver 192.168.1.1
domain nyxdev.com

Message Edited by Baric on 03-13-2010 09:25 PM
Networking Expert
Baric
Posts: 24,238
Registered: ‎07-28-2003

Re: Comcast Launches DNSSEC Trial

More trouble with the Astronomy Picture of the Day web site hosted by NASA (another .gov site):

http://antwrp.gsfc.nasa.gov/apod/astropix.html

My MacBook is behind a router, but using direct DNS query to 75.75.76.76, dns query times out.  dig in the Terminal says:

[Fuji] ~ $ dig antwrp.gsfc.nasa.gov

; <<>> DiG 9.6.0-APPLE-P2 <<>> antwrp.gsfc.nasa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11073
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;antwrp.gsfc.nasa.gov.          IN      A

;; Query time: 3051 msec
;; SERVER: 75.75.76.76#53(75.75.76.76)
;; WHEN: Sun Mar 14 18:08:56 2010
;; MSG SIZE  rcvd: 38

Too many problems, the DNSSEC servers are clearly not ready for prime time yet.  I'm converting back to the DNS servers delivered with my IP address. 

Official Employee
ComcastChrisGr
Posts: 329
Registered: ‎07-10-2008

Re: Comcast Launches DNSSEC Trial


Baric wrote:

More trouble with the Astronomy Picture of the Day web site hosted by NASA (another .gov site):

http://antwrp.gsfc.nasa.gov/apod/astropix.html

My MacBook is behind a router, but using direct DNS query to 75.75.76.76, dns query times out.  dig in the Terminal says:

[Fuji] ~ $ dig antwrp.gsfc.nasa.gov

; <<>> DiG 9.6.0-APPLE-P2 <<>> antwrp.gsfc.nasa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11073
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;antwrp.gsfc.nasa.gov.          IN      A

;; Query time: 3051 msec
;; SERVER: 75.75.76.76#53(75.75.76.76)
;; WHEN: Sun Mar 14 18:08:56 2010
;; MSG SIZE  rcvd: 38

Too many problems, the DNSSEC servers are clearly not ready for prime time yet.  I'm converting back to the DNS servers delivered with my IP address. 


We are looking into the signed domains under .gov which seem to be having issues with larger UDP packets.  That is why we are performing a trial and hopefully you give it a try again and provide feedback.  

Thanks

Chris

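An added diagnostic (written for this edit, not from the thread or from Comcast) that builds the probes a defender uses to tell a DNSSEC validation failure apart from the large-UDP-response problem Chris describes: the same query sent normally and with the Checking Disabled (CD) bit, each carrying an EDNS0 OPT record with the DO bit. A SERVFAIL that clears when CD is set points at the signature chain; a SERVFAIL that persists with CD set is not validation and fits a transport problem such as oversized responses. The response bytes in the block are constructed, and `probe` is a hypothetical helper for live use.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qid=0x1234, cd=False, edns_size=None, do=False):
    """Return a DNS A query; cd sets Checking Disabled, edns_size adds an OPT RR."""
    flags = 0x0100 | (0x0010 if cd else 0)           # RD, optionally CD (RFC 4035)
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, arcount)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    if edns_size:
        # OPT pseudo-RR (RFC 6891): root name, type 41, payload size in CLASS,
        # ext-rcode/version, flags with DO = 0x8000, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, edns_size, 0, 0,
                                       0x8000 if do else 0, 0)
    return msg

def decode_header(resp):
    """Pull id, rcode and the TC/AD flags out of a DNS response header."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020), "ancount": an}

def classify(plain_resp, cd_resp):
    """Compare a normal response with the response to the same query sent with CD set."""
    p = decode_header(plain_resp)["rcode"]
    c = decode_header(cd_resp)["rcode"]
    if p == "SERVFAIL" and c == "NOERROR":
        return "validation failure (signature or chain-of-trust problem)"
    if p == "SERVFAIL" and c == "SERVFAIL":
        return "not validation: transport or upstream problem (e.g. large UDP responses)"
    return "resolves normally"

def probe(name, server, cd=False, timeout=3.0):
    """Hypothetical live helper: send one EDNS0/DO query over UDP and return the raw reply."""
    q = build_query(name, cd=cd, edns_size=4096, do=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(4096)

# Constructed sample responses (headers only): SERVFAIL with QR/RD/RA set, and NOERROR
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 56119, 0x8182, 1, 0, 0, 0)
SAMPLE_NOERROR = struct.pack("!HHHHHH", 1751, 0x8180, 1, 1, 0, 0)
```

In live use, `classify(probe(n, r), probe(n, r, cd=True))` runs the two probes against resolver `r`; `dig +cd` and `dig +dnssec +bufsize=512` give the same two signals from the command line.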
Networking Expert
Baric
Posts: 24,238
Registered: ‎07-28-2003

Re: Comcast Launches DNSSEC Trial

Both the NASA Astronomy Picture of the Day site and www.broadband.gov are still not resolving.  It's not all .gov sites, for example, irs.gov seems to resolve OK.  But the three examples I know of with issues are all .gov sites, which is interesting.
Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Comcast Launches DNSSEC Trial

The government mandated that .gov domains start using DNSSEC by the beginning of this year. Few domains outside .gov are using it yet.
Visitor
Posts: 2
Registered: ‎03-13-2010

Re: Comcast Launches DNSSEC Trial

OK, it's been a full work week.  What's the status?
Official Employee
jlivingood
Posts: 1,105
Registered: ‎05-09-2007

Re: Comcast Launches DNSSEC Trial

Waiting for a vendor patch I believe
JL
National Engineering & Technical Operations
Bronze Star Contributor
Bronze Star Contributor
Posts: 135
Registered: ‎11-01-2005

Re: Comcast Launches DNSSEC Trial

www.broadband.gov does not resolve on these servers?

- Bill
Official Employee
ComcastChrisGr
Posts: 329
Registered: ‎07-10-2008

Re: Comcast Launches DNSSEC Trial

WKG wrote:

www.broadband.gov does not resolve on these servers?

We are pushing out a code update to the DNSSEC trial servers shortly that should resolve this.  We were testing on one of the nodes in Florida and it's now working from there.  I will update once we make that change.

Thanks

Chris

Networking Expert
Baric
Posts: 24,238
Registered: ‎07-28-2003

Re: Comcast Launches DNSSEC Trial

Still not working here using the DNSSEC servers...

;)

Official Employee
ComcastChrisGr
Posts: 329
Registered: ‎07-10-2008

Re: Comcast Launches DNSSEC Trial

Baric wrote:

Still not working here using the DNSSEC servers...

;)

Yep, the update should be rolled out to the rest of the servers this coming week.  We were testing it down in Florida without any issues for resolution.

Thanks

Chris

Networking Expert
Baric
Posts: 24,238
Registered: ‎07-28-2003

Re: Comcast Launches DNSSEC Trial

After my latest test just a few minutes ago, I can now resolve those problematic .gov sites like http://www.broadband.gov and http://antwrp.gsfc.nasa.gov/apod/ using the DNSSEC servers.  At this time, everything seems to be working as expected from my perspective.

Bronze Star Contributor
Bronze Star Contributor
Posts: 135
Registered: ‎11-01-2005

Re: Comcast Launches DNSSEC Trial

OK here, too.

- Bill
Visitor
Posts: 2
Registered: ‎03-13-2010

Re: Comcast Launches DNSSEC Trial

Since Sunday or Monday, usage of the DNSSEC servers prevents the Cafe World Facebook app from working.  Switching to a non-DNSSEC server, it loads fine. Other Facebook apps (FarmTown, Farmville) seem to work either way.  It appears the culprit is that the DNSSEC servers are returning SERVFAIL for facebook.cafe.static.zynga.com:

$ dig @75.75.75.75 +nocmd +noquestion +nostats facebook.cafe.static.zynga.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27406
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

$ dig @68.87.73.246 +nocmd +noquestion +nostats facebook.cafe.static.zynga.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58279
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
facebook.cafe.static.zynga.com. 8758 IN CNAME   ak.zynga.com.edgesuite.net.
ak.zynga.com.edgesuite.net. 8695 IN     CNAME   a1782.g.akamai.net.
a1782.g.akamai.net.     9       IN      A       184.84.220.27
a1782.g.akamai.net.     9       IN      A       184.84.220.51
a1782.g.akamai.net.     9       IN      A       184.84.220.17
a1782.g.akamai.net.     9       IN      A       184.84.220.57
a1782.g.akamai.net.     9       IN      A       184.84.220.81
a1782.g.akamai.net.     9       IN      A       184.84.220.48
a1782.g.akamai.net.     9       IN      A       184.84.220.64