Jason-

Thank you for sharing the details. Another excellent real world example. Too bad it caused you consternation.

-Rick

From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On Behalf Of Livingood, Jason
Sent: Monday, March 09, 2015 8:50 PM
To: dns-operations
Subject: [dns-operations] Saga of HBONow DNSSEC Failure

So earlier today HBO announced a new HBONow streaming service (at an Apple event). The FQDN to order, which should have been DNSSEC-enabled, was order.hbonow.com. This unfortunately suffered from a rather inconveniently timed DNSSEC problem (http://dnsviz.net/d/order.hbonow.com/VP5DKQ/dnssec/). :-(

Of course, these being hot Net Neutrality days in the U.S., we at Comcast were quickly blamed for blocking access to ordering this new service (despite failures at Google and other validators). Had this persisted much longer, we might have considered a negative trust anchor of course, assuming we had direct contact with HBO on the matter (established after they fixed the issue & we flushed the cache).

A good example of the sentiment was the tweet "Wow. I have Comcast and can't reach http://hbonow.com unless I use a different network. #NetNeutrality". People tweeted to the FCC to alert them as well.

But two other I-Ds I wrote up did come in handy in some of my replies on social media:

http://tools.ietf.org/html/draft-livingood-dnsop-auth-dnssec-mistakes-00
and
http://tools.ietf.org/html/draft-livingood-dnsop-dont-switch-resolvers-00

Which leads me simply to say that if there's any interest in progressing these I-Ds in any way, let me know. Of course you may not find them useful until people yell at you for other people's DNS errors. ;-)

- Jason