On 3/9/15, 23:50, "Livingood, Jason" <jason_living...@cable.comcast.com> wrote:
>So earlier today HBO announced a new HBONow streaming service (at an
>Apple event). The FQDN to order, which should have been DNSSEC-enabled,
>was order.hbonow.com. This unfortunately suffered from a rather
>inconveniently timed DNSSEC problem
>(http://dnsviz.net/d/order.hbonow.com/VP5DKQ/dnssec/).
> :-( Of course, these being hot Net Neutrality days in the U.S., we at
>Comcast were quickly blamed for blocking access to ordering this new
>service (despite failures at Google and other validators).

When this first surfaced after the "infamous NASA.GOV" incident, I sent a private apology because I (as well as others) knew this day would come - when an ISP would get the brunt of someone's DNSSEC misfire. (Others include many who worked on the original design and deployment workshops.)

This time I'll offer a public apology. Sorry, Comcast. The only way I can make this up to you is to better my efforts at making DNSSEC an easier to run, less clumsy protocol.

The protocol is what it is - when something doesn't check out, it goes dark. The mitigation is better tools to explain this and to manage this. The negative trust anchor draft addresses the latter.

Oh, and, Jason, a squirrel has managed to chew through my mom's cable, can you fix that for me? Perhaps Comcast could install little squirrel feeders in the neighborhood.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs