[dns-operations] Comcast Begins DNSSEC Rollout
Kevin Chen
kchen at MIT.EDU
Tue Oct 19 01:30:57 UTC 2010
On Mon, 18 Oct 2010, Livingood, Jason wrote:
> As an FYI, we at Comcast just announced the start of our production
> rollout of DNSSEC (see
> http://blog.comcast.com/2010/10/dns-security-rollout-begins.html). So
> far this year, our production deployment trial has been opt-in only.
> Starting today, customer DNS IP addresses will start to change via DHCP
> lease updates – all the details are @ http://www.dnssec.comcast.net/.
> I'm pretty sure we're the first large ISP in the U.S. to do so,
> something we're very proud of. :-)

One of the machines behind 75.75.75.75 (68.87.71.229) seems to be having
problems validating names in zones that are in DLV but not in the chain of
trust from the root:

kchen@zapdos:~$ dig +dnssec www.debian.org @75.75.75.75
; <<>> DiG 9.7.1-P2 <<>> +dnssec www.debian.org @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19288
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;www.debian.org. IN A

kchen@zapdos:~$ dig -t dlv debian.org.dlv.isc.org @68.87.71.229
; <<>> DiG 9.7.1-P2 <<>> -t dlv debian.org.dlv.isc.org @68.87.71.229
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52795
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;debian.org.dlv.isc.org. IN DLV
;; Query time: 520 msec
;; SERVER: 68.87.71.229#53(68.87.71.229)
;; WHEN: Mon Oct 18 21:29:31 2010
;; MSG SIZE rcvd: 40

The other machine, 68.87.71.233, seems fine. Doing the digs with +cd on
68.87.71.229 does return results.
--
Kevin Chen
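
The comparison made in the message above (SERVFAIL on a normal query, results when the same query is sent with +cd), as an added example that is not part of the original post: it parses dig header lines and classifies what a resolver did. The first sample header is the one quoted in the post; the other three headers, the function names and the category labels are constructed for this example.

```python
import re

# Header lines as dig prints them. SERVFAIL_229 is copied from the post above;
# the other three samples are constructed for this example.
SERVFAIL_229 = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19288
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
CD_OK_229 = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
VALIDATED_233 = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4102
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
CD_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4103
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""

HEADER_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);.*?ANSWER:\s*(\d+)", re.M)


def parse_dig(text):
    """Extract (rcode, set of header flags, answer count) from dig output."""
    status = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig response header found (timeout or cut-off paste?)")
    return status.group(1), set(flags.group(1).split()), int(flags.group(2))


def classify(normal, with_cd):
    """Compare a normal query with the same query repeated using +cd."""
    rcode, flags, _ = parse_dig(normal)
    cd_rcode, _, cd_answers = parse_dig(with_cd)
    if rcode == "SERVFAIL" and cd_rcode == "NOERROR" and cd_answers > 0:
        return "validation-failure"   # data is reachable; the DNSSEC check rejects it
    if rcode == "SERVFAIL":
        return "resolution-failure"   # fails even with checking disabled
    if "ad" in flags:
        return "validated"            # resolver marked the answer authentic
    return "unvalidated"              # answered without the AD flag


if __name__ == "__main__":
    print("68.87.71.229:", classify(SERVFAIL_229, CD_OK_229))
    print("68.87.71.233:", classify(VALIDATED_233, CD_OK_229))
```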