Comcast -- Owner Of NBC Universal -- Admits That DNS Redirects Are Incompatible With DNSSEC

from the well-look-at-that dept

Well, well, well. Here's something interesting. Comcast, who owns NBC Universal (one of the main forces behind SOPA/PIPA), is officially a SOPA/PIPA supporter. However, yesterday, Comcast put up a post congratulating itself (deservedly so!) for completing its DNSSEC deployment, making it "the first large ISP in the North America to have fully implemented" DNSSEC across the board. That's huge, and a clear vote of confidence for DNSSEC, obviously. They also urge others to use DNSSEC:

> Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names. While in the past those domains may have wanted to do so but felt it would have limited effect, they now can work on signing their domains knowing that the largest ISP in the U.S. can validate those signatures on behalf of our customers.

All of this is good... but what may be much more interesting is that, along with this announcement, Comcast has also mentioned that it is shutting down its Domain Helper service. Domain Helper was a somewhat controversial DNS-redirect system, so that when you mistyped something, it would suggest the proper page or alternatives. Many in the internet community complained that these types of redirects mess with the underlying DNS system (which they do). But, as the DNS experts have been saying all along (and NBC Universal has been trying to play down), DNSSEC is incompatible with such DNS redirects. So... that makes this next part a little awkward. Comcast is now admitting, indeed, that DNS redirects, such as Domain Helper, are incompatible with DNSSEC:

> When we launched the Domain Helper service, we also set in motion its eventual shutdown due to our plans to launch DNSSEC. Domain Helper has been turned off since DNS response modification tactics, including DNS redirect services, are technically incompatible with DNSSEC and/or create conditions that can be indistinguishable from malicious modifications of DNS traffic (including DNS cache poisoning attacks). Since we want to ensure our customers have the most secure Internet experience, and that if they detect any DNSSEC breakage or error messages that they know to be concerned (rather than not knowing if the breakage/error was "official" and caused by our redirect service or "unofficial" and caused by an attacker), our priority has been placed on DNSSEC deployment -- now automatically protecting our customers...

Let's be doubly clear about this, because it's important. Just as NBC Universal and other SOPA supporters continue to insist that DNS redirect is completely compatible with DNSSEC... Comcast (an official SOPA/PIPA supporter) has rolled out DNSSEC, urged others to roll out DNSSEC and turned off its own DNS redirect system, stating clearly that it is incompatible with DNSSEC, if you want to keep people secure. In the end, this certainly appears to suggest that, even as the very same company is advocating for those laws.

It would appear that the left hand (people who actually understand technology) isn't speaking to the right hand (lawyers/lobbyists) within the Comcast family.
But, I think that NBC Universal and anyone else insisting that DNS redirects are fine in DNSSEC owe everyone else a pretty big apology... when their own company's experts are admitting that the two are incompatible.

Filed Under: dns, dns blocking, dnssec

Companies: comcast, nbc universal