Re: [dns-operations] Saga of HBONow DNSSEC Failure
On Mar 10, 2015 12:16 PM, Edward Lewis edward.le...@icann.org wrote:

> ... Perhaps Comcast could install little squirrel feeders in the neighborhood.

That they don't, and have let this problem go unabated for years, illustrates their bias. #nutneutrality

Apologies,
Eli

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] Saga of HBONow DNSSEC Failure
Jason-

Thank you for sharing the details. Another excellent real-world example. Too bad it caused you consternation.

-Rick

From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On Behalf Of Livingood, Jason
Sent: Monday, March 09, 2015 8:50 PM
To: dns-operations
Subject: [dns-operations] Saga of HBONow DNSSEC Failure

So earlier today HBO announced a new HBONow streaming service (at an Apple event). The FQDN to order, which should have been DNSSEC-enabled, was order.hbonow.com. This unfortunately suffered from a rather inconveniently timed DNSSEC problem (http://dnsviz.net/d/order.hbonow.com/VP5DKQ/dnssec/). :-(

Of course, these being hot Net Neutrality days in the U.S., we at Comcast were quickly blamed for blocking access to ordering this new service (despite failures at Google and other validators). Had this persisted much longer, we might have considered a negative trust anchor of course, assuming we had direct contact with HBO on the matter (established after they fixed the issue we flushed the cache).

A good example of the sentiment was the tweet "Wow. I have Comcast and can't reach http://hbonow.com unless I use a different network. #NetNeutrality". People tweeted to the FCC to alert them as well.

But two other I-Ds I wrote up did come in handy in some of my replies on social media:
http://tools.ietf.org/html/draft-livingood-dnsop-auth-dnssec-mistakes-00 and
http://tools.ietf.org/html/draft-livingood-dnsop-dont-switch-resolvers-00

Which leads me simply to say that if there's any interest in progressing these I-Ds in any way, let me know. Of course you may not find them useful until people yell at you for other people's DNS errors. ;-)

- Jason
Re: [dns-operations] Saga of HBONow DNSSEC Failure
On Tue, Mar 10, 2015 at 11:09 AM, Matthew Pounsett m...@conundrum.com wrote:
> On Mar 9, 2015, at 23:50 , Livingood, Jason jason_living...@cable.comcast.com wrote:
>> So earlier today HBO announced a new HBONow streaming service (at an Apple event). The FQDN to order, which should have been DNSSEC-enabled, was order.hbonow.com. This unfortunately suffered from a rather inconveniently timed DNSSEC problem (http://dnsviz.net/d/order.hbonow.com/VP5DKQ/dnssec/). :-(
>>
>> Of course, these being hot Net Neutrality days in the U.S., we at Comcast were quickly blamed for blocking access to ordering this new service (despite failures at Google and other validators).
>
> I'd just like to comment how pleased I am that Comcast continues to push DNSSEC validation, despite taking regular hits from end users.

+lots. Thank you Comcast, and Jason.

W

> I keep hoping others will follow suit... the more large validator operators that enable it, the fewer hits anyone will take for doing so.

-- 
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf
Re: [dns-operations] Saga of HBONow DNSSEC Failure
On 3/9/15, 23:50, Livingood, Jason jason_living...@cable.comcast.com wrote:

> So earlier today HBO announced a new HBONow streaming service (at an Apple event). The FQDN to order, which should have been DNSSEC-enabled, was order.hbonow.com. This unfortunately suffered from a rather inconveniently timed DNSSEC problem (http://dnsviz.net/d/order.hbonow.com/VP5DKQ/dnssec/). :-(
>
> Of course, these being hot Net Neutrality days in the U.S., we at Comcast were quickly blamed for blocking access to ordering this new service (despite failures at Google and other validators).

When this first surfaced after the infamous NASA.GOV incident, I sent a private apology because I (as well as others) knew this day would come - when an ISP would get the brunt of someone's DNSSEC misfire. (Others include many who worked on the original design and deployment workshops.)

This time I'll offer a public apology. Sorry, Comcast.

The only way I can make this up to you is to better my efforts at making DNSSEC an easier-to-run, less clumsy protocol. The protocol is what it is - when something doesn't check out, it goes dark. The mitigation is better tools to explain this and to manage this. The negative trust anchor draft addresses the latter.

Oh, and, Jason, a squirrel has managed to chew through my mom's cable, can you fix that for me? Perhaps Comcast could install little squirrel feeders in the neighborhood.
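The triage the thread keeps circling back to, telling "the validator rejected this zone's DNSSEC data" apart from "the ISP is blocking the name" or "the name is unreachable", comes down to two queries against the same resolver: a normal one with DO=1, and the same query with the Checking Disabled (CD) bit set. A validating resolver that fails validation answers the first with SERVFAIL (that is what "it goes dark" means on the wire, per RFC 4035) and hands back the unvalidated data on the second; a real outage fails both. The script below is an added example written for this page, not code from the list, from Comcast or from HBO. It uses only the Python standard library, builds the query and the EDNS OPT record by hand, and includes a build_response() helper that constructs sample resolver replies (with constructed addresses from 192.0.2.0/24) so the classification logic runs offline; the probe() function sends the two queries to a resolver address you supply and is the only part that needs the network.

```python
"""Classify a resolver's answer for a name as a DNSSEC validation failure
versus some other failure.  Added example for this thread; not code from the
list, Comcast or HBO.  build_response() constructs replies for offline use."""
import socket
import struct

NOERROR, SERVFAIL = 0, 2
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
# Flag bits in the second header word (RFC 1035 section 4.1.1, RFC 4035 section 3).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, cd=False, msg_id=0x1234):
    """Build a recursive A query carrying an EDNS OPT record with DO=1.
    cd=True sets Checking Disabled, asking the resolver to return data it could not validate."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL field carries the DO bit.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def build_response(name, rcode, cd=False, ad=False, answer_ip=None, msg_id=0x1234):
    """Construct a minimal reply of the kind a resolver would send to build_query().
    This exists only so classify() can be exercised offline; real bytes come from the resolver."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    flags |= (FLAG_CD if cd else 0) | (FLAG_AD if ad else 0)
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b""
    if answer_ip:
        # Owner name is a compression pointer to offset 12 (the question name); TTL 300; 4-byte RDATA.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def parse_header(msg):
    """Return the header fields the classifier needs from a query or response."""
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(resp_validating, resp_cd):
    """Compare the reply to a normal DO=1 query with the reply to the same query with CD=1.
    SERVFAIL on the first but data on the second is the signature of a DNSSEC problem in the
    zone (bad signatures, expired RRSIGs, DS mismatch); the resolver is doing its job, not
    blocking the name.  SERVFAIL on both points at resolution itself failing."""
    v, c = parse_header(resp_validating), parse_header(resp_cd)
    if v["rcode"] == SERVFAIL and c["rcode"] == NOERROR:
        return "dnssec-validation-failure"
    if v["rcode"] == NOERROR and v["ad"]:
        return "secure"
    if v["rcode"] == NOERROR:
        return "insecure-or-unvalidated"
    if v["rcode"] == SERVFAIL and c["rcode"] == SERVFAIL:
        return "other-resolution-failure"
    return "rcode-%d" % v["rcode"]


def probe(name, resolver_ip, timeout=3.0):
    """Send both queries to a validating resolver over UDP and classify the outcome.
    Needs network access; not exercised by the offline sample below."""
    replies = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, cd=cd), (resolver_ip, 53))
            replies.append(sock.recvfrom(4096)[0])
    return classify(*replies)


if __name__ == "__main__":
    # Constructed sample reproducing the thread's situation: the validating query SERVFAILs,
    # the CD=1 query returns an (unvalidated) address, so the zone's DNSSEC data is at fault.
    verdict = classify(build_response("order.hbonow.com", SERVFAIL),
                       build_response("order.hbonow.com", NOERROR, cd=True, answer_ip="192.0.2.10"))
    print(verdict)  # dnssec-validation-failure
```

Run probe("order.hbonow.com", "<your resolver's address>") against a validating resolver to get the live verdict, and against a non-validating one for comparison. On the operator side, the negative trust anchor the thread mentions is the matching knob: once the operator has confirmed with the zone owner that the failure is their misconfiguration, the resolver is told to treat that zone as insecure for a limited time (Unbound's domain-insecure option, for instance), which turns the SERVFAIL back into an answer without disabling validation elsewhere.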
Re: [dns-operations] Saga of HBONow DNSSEC Failure
On Mar 9, 2015, at 23:50 , Livingood, Jason jason_living...@cable.comcast.com wrote:

> So earlier today HBO announced a new HBONow streaming service (at an Apple event). The FQDN to order, which should have been DNSSEC-enabled, was order.hbonow.com. This unfortunately suffered from a rather inconveniently timed DNSSEC problem (http://dnsviz.net/d/order.hbonow.com/VP5DKQ/dnssec/). :-(
>
> Of course, these being hot Net Neutrality days in the U.S., we at Comcast were quickly blamed for blocking access to ordering this new service (despite failures at Google and other validators).

I'd just like to comment how pleased I am that Comcast continues to push DNSSEC validation, despite taking regular hits from end users. I keep hoping others will follow suit... the more large validator operators that enable it, the fewer hits anyone will take for doing so.
Re: [dns-operations] Saga of HBONow DNSSEC Failure
On 3/10/15, 12:55 PM, Eli Heady eli.he...@gmail.com wrote:

> On Mar 10, 2015 12:16 PM, Edward Lewis edward.le...@icann.org wrote:
>> ... Perhaps Comcast could install little squirrel feeders in the neighborhood.
>
> That they don't, and have let this problem go unabated for years, illustrates their bias. #nutneutrality

We can only take reasonable, fair, and transparently disclosed steps to prevent squirrels from eating coaxial cable or fiber optic cables. If we put extra layers of protection on cables to block feeding access specifically for squirrels, then of course we'd be blocking the squirrels' access to the Internet (for nourishment and information). Such chew-blocking may be acceptable if it were on a species-neutral basis, preventing chewing equally by dogs, cats, owls, hawks, squirrels, bears, and others. But I'd probably have to run that past our Legal department. ;-)

JL
Re: [dns-operations] Saga of HBONow DNSSEC Failure
On 3/10/15, 12:11 PM, Edward Lewis edward.le...@icann.org wrote:

> I (as well as others) knew this day would come - when an ISP would get the brunt of someone's DNSSEC misfire. (Others include many who worked on the original design and deployment workshops.)

It won't be the last time! ;-)

> The only way I can make this up to you is to better my efforts at making DNSSEC an easier to run, less clumsy protocol.

Works for me! That'd be awesome. :-)

DNSSEC needs to be super easy to use as an authoritative operator, running on auto-pilot after initial setup. The simpler and more automated operations are, the less fragile the signing infrastructure will be (and the whole thing end to end of course).

- Jason
[dns-operations] Saga of HBONow DNSSEC Failure
So earlier today HBO announced a new HBONow streaming service (at an Apple event). The FQDN to order, which should have been DNSSEC-enabled, was order.hbonow.com. This unfortunately suffered from a rather inconveniently timed DNSSEC problem (http://dnsviz.net/d/order.hbonow.com/VP5DKQ/dnssec/). :-(

Of course, these being hot Net Neutrality days in the U.S., we at Comcast were quickly blamed for blocking access to ordering this new service (despite failures at Google and other validators). Had this persisted much longer, we might have considered a negative trust anchor of course, assuming we had direct contact with HBO on the matter (established after they fixed the issue we flushed the cache).

A good example of the sentiment was the tweet "Wow. I have Comcast and can't reach http://hbonow.com unless I use a different network. #NetNeutrality". People tweeted to the FCC to alert them as well.

But two other I-Ds I wrote up did come in handy in some of my replies on social media:
http://tools.ietf.org/html/draft-livingood-dnsop-auth-dnssec-mistakes-00 and
http://tools.ietf.org/html/draft-livingood-dnsop-dont-switch-resolvers-00

Which leads me simply to say that if there's any interest in progressing these I-Ds in any way, let me know. Of course you may not find them useful until people yell at you for other people's DNS errors. ;-)

- Jason