On Tue, Mar 10, 2015 at 1:09 PM, Dan York <[email protected]> wrote:
> dnssec-deployment subscribers,
>
> Last night customers on Comcast’s network were unable to get to the site to order HBO’s new “HBO NOW” streaming service announced at the Apple event yesterday. While people naturally jumped on Twitter to blame Comcast, in this case it seems to be HBO’s error in how they configured the domain.
>
> I wrote up this analysis:
>
> http://www.internetsociety.org/deploy360/blog/2015/03/hbo-now-dnssec-misconfiguration-makes-site-unavailable-from-comcast-networks-fixed-now/
>
> or shortened - http://wp.me/p4eijv-5I9
>
> Comments, corrections and other feedback are definitely welcome (and I can easily update the post if others have more info or insight).
Nice work Dan. A few comments:

You identify the DNS service operator (Dyn). You might also want to identify the registrar in use - which seems to be DynaDot (according to whois) - based in San Mateo, CA - presumably unrelated to Dyn.

Is there any evidence that hbonow.com was actually signed? I didn't see anything from your post indicating that it was definitively signed. If it wasn't actually signed, I was wondering if this was a case of the registrant using the registrar interface to accidentally install a DS record for an unsigned zone. I would expect that competent registrars would have checks and balances they perform before submitting a DS key for publication to a registry (e.g. does the requested DS match a DNSKEY in the zone?), but ..

I would suggest changing this highlighted phrase:

"Comcast was CORRECT in blocking HBO's site!"

To the uninitiated, this might give the impression that Comcast actively or intentionally did something to block HBO. I would probably rephrase it to something like:

"Comcast's DNS resolvers were unable to authenticate HBO's site because of a technical error on HBO's part".

Is anyone checking with HBO/Dyn/Dynadot for definitive details about the incident?

Shumon.
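The registrar-side check Shumon describes (does the requested DS match a DNSKEY actually published in the child zone?), as an added example that is not part of the original thread and is not any registrar's or Dyn's code. It computes the DS digest and key tag from a DNSKEY exactly as RFC 4034 specifies, then rejects a DS request when the zone publishes no DNSKEY at all (the unsigned-zone case hypothesised above) or when no zone key matches. The DNSKEY is constructed placeholder material, not hbonow.com's real key; the zone's DNSKEY RRset is assumed to have been fetched from the child's authoritative servers beforehand.

```python
"""Registrar-side sanity check before a DS is sent to the registry: does the
requested DS correspond to a DNSKEY the child zone really publishes?
Added example; the DNSKEY below is constructed placeholder material."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# DS digest types (RFC 4034 s5.1.3, RFC 4509, RFC 6605)
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, uncompressed, terminated by the root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = H(canonical owner name | DNSKEY RDATA), RFC 4034 s5.1.4."""
    digest = DS_DIGEST_ALGS[digest_type](name_to_wire(owner) + key.rdata()).hexdigest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest.upper())


def check_ds_request(owner: str, requested: DS, zone_dnskeys: List[DNSKEY]) -> Tuple[bool, str]:
    """Return (ok, reason). zone_dnskeys is the child's DNSKEY RRset as fetched
    from its authoritative servers; an empty list means the zone is unsigned."""
    if not zone_dnskeys:
        return False, "zone publishes no DNSKEY: a DS would make validating resolvers SERVFAIL"
    if requested.digest_type not in DS_DIGEST_ALGS:
        return False, "unsupported DS digest type %d" % requested.digest_type
    for key in zone_dnskeys:
        if not (key.flags & 0x0100) or key.protocol != 3:
            continue  # not a Zone Key (RFC 4034 s2.1): cannot be a DS target
        cand = ds_from_dnskey(owner, key, requested.digest_type)
        if (cand.key_tag, cand.algorithm, cand.digest) == (
                requested.key_tag, requested.algorithm, requested.digest.upper()):
            return True, "DS matches DNSKEY with key tag %d" % cand.key_tag
    return False, "no DNSKEY in the zone matches the requested DS"


# Constructed KSK (flags 257 = Zone Key + SEP, protocol 3, RSASHA256) with
# placeholder key bytes; a real RSA public key is a few hundred bytes.
SAMPLE_KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=b"\x01\x02\x03\x04")
OWNER = "hbonow.com."

if __name__ == "__main__":
    good = ds_from_dnskey(OWNER, SAMPLE_KSK)
    print("signed zone, matching DS :", check_ds_request(OWNER, good, [SAMPLE_KSK]))
    print("unsigned zone, any DS    :", check_ds_request(OWNER, good, []))
    bad = DS(good.key_tag, good.algorithm, good.digest_type, "00" * 32)
    print("signed zone, wrong digest:", check_ds_request(OWNER, bad, [SAMPLE_KSK]))
```

The check is deliberately done against the DNSKEY RRset served by the child, not against whatever the registrant pasted into a form: the failure mode in the thread is a DS at the parent with nothing to chain to in the child, and only a live lookup of the child's DNSKEYs can rule that out.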
