Shumon,

On Mar 10, 2015, at 3:07 PM, Shumon Huque <[email protected]> wrote:

> Nice work Dan. Thanks. A few comments:
>
> You identify the DNS service operator (Dyn). You might also want to identify the registrar in use - which seems to be DynaDot (according to whois) - based in San Mateo, CA - presumably unrelated to Dyn.

As far as I know, DynaDot *is* unrelated to Dyn… but I didn't identify the registrar because I didn't really think they were as relevant to the analysis. Dyn's name is visible via the NS records (and yes, DynaDot comes up through WHOIS) and they have the role in the signing process.

> Is there any evidence that hbonow.com was actually signed? I didn't see anything from your post indicating that it was definitively signed.

Not that I can see. They may never have been signed… in which case why was there a DS record? Which goes to your next point…

> If it wasn't actually signed, I was wondering if this was a case of the registrant using the registrar interface to accidentally install a DS record for an unsigned zone.

Interesting. I hadn't considered that case. However, a DS record has a rather specific format and in the registrar interfaces I've used has typically involved changing several different settings, i.e. not just pasting in a line for a zone file. I guess it *could* have been an error like that.

> I would expect that competent registrars would have checks and balances they perform before submitting a DS key for publication to a registry (e.g. does the requested DS match a DNSKEY in the zone?), but ..

Ha!!! I have no doubt that there are *some* registrars who actually perform checks like these. I know of many tech-savvy registrars who would. But my experience with the registrar community to date leads me to believe that there are many registrars with little technical sophistication who will implement the bare minimum necessary to comply with requirements.

> I would suggest changing this highlighted phrase: "Comcast was CORRECT in blocking HBO's site!"
>
> To the uninitiated, this might give the impression that Comcast actively or intentionally did something to block HBO.

I get your point… but I'm also trying to keep the post understandable in simple terms. And to the users out on Comcast's network, from *their* perspective, Comcast *was* blocking HBO's site.

> Is anyone checking with HBO/Dyn/Dynadot for definitive details about the incident?

I have not yet had the cycles to do so. I'm hoping someone from there will be able to clarify the info to one of the lists. If anyone knows anyone there and can reach out to them, that would be great.

Dan

--
Dan York
Senior Content Strategist, Internet Society
[email protected]
+1-802-735-1624
Jabber: [email protected]
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/deploy360/
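The registrar-side check Shumon describes above ("does the requested DS match a DNSKEY in the zone?") can be done offline from the zone's DNSKEY set, per RFC 4034. The code below is an added example written for this thread, not anything from Dan, Dyn or DynaDot; the DNSKEY public key is a constructed placeholder, and hbonow.com is used only as the owner name.

```python
import base64
import hashlib
import struct

# RFC 4034 digest types for DS records (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest.upper())

def ds_matches_zone(owner, ds, dnskeys):
    """True only if a DNSKEY actually published in the zone reproduces the DS."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False
    want = (tag, alg, dtype, digest.upper())
    return any(make_ds(owner, *k, digest_type=dtype) == want for k in dnskeys)

# Constructed sample: a KSK (flags 257, protocol 3, RSASHA256 = alg 8) with
# placeholder key bytes; not a real key and not the zone's actual data.
SAMPLE_KEY = base64.b64encode(b"constructed sample key bytes, not a real key").decode()
ZONE = "hbonow.com."
KSK = (257, 3, 8, SAMPLE_KEY)
GOOD_DS = make_ds(ZONE, *KSK)

if __name__ == "__main__":
    print("DS matches signed zone:", ds_matches_zone(ZONE, GOOD_DS, [KSK]))
    # The case suspected in the thread: a DS submitted for a zone with no DNSKEYs.
    print("DS for unsigned zone:", ds_matches_zone(ZONE, GOOD_DS, []))
```

A registrar running this before publishing the DS would refuse the unsigned-zone case, which is exactly the condition that makes validating resolvers return SERVFAIL for the whole zone.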
