[dns-operations] Comcast Begins DNSSEC Rollout

Kevin Chen kchen at MIT.EDU
Tue Oct 19 01:30:57 UTC 2010


On Mon, 18 Oct 2010, Livingood, Jason wrote:

> As an FYI, we at Comcast just announced the start of our production 
> rollout of DNSSEC (see 
> http://blog.comcast.com/2010/10/dns-security-rollout-begins.html). So 
> far this year, our production deployment trial has been opt-in only. 
> Starting today, customer DNS IP addresses will start to change via DHCP 
> lease updates – all the details are @ http://www.dnssec.comcast.net/. 
> I'm pretty sure we're the first large ISP in the U.S. to do so, 
> something we're very proud of. :-)

One of the machines behind 75.75.75.75 (68.87.71.229) seems to be having 
problems validating names in zones that are in DLV but not in the chain of 
trust from the root:

kchen at zapdos:~$ dig +dnssec www.debian.org @75.75.75.75

; <<>> DiG 9.7.1-P2 <<>> +dnssec www.debian.org @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19288
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;www.debian.org.			IN	A

kchen at zapdos:~$ dig -t dlv debian.org.dlv.isc.org @68.87.71.229

; <<>> DiG 9.7.1-P2 <<>> -t dlv debian.org.dlv.isc.org @68.87.71.229
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52795
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;debian.org.dlv.isc.org.		IN	DLV

;; Query time: 520 msec
;; SERVER: 68.87.71.229#53(68.87.71.229)
;; WHEN: Mon Oct 18 21:29:31 2010
;; MSG SIZE  rcvd: 40

The other machine, 68.87.71.233, seems fine.  Doing the digs with +cd on 
68.87.71.229 does return results.

--
Kevin Chen
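
Added example, not part of the original message: the comparison made by hand above (SERVFAIL on a normal query, an answer once +cd disables validation) written as a shell check over dig output. The function names and the +cd sample output are constructed for illustration; the SERVFAIL header is the one quoted in the message.

```shell
#!/bin/sh
# Classify a validating resolver from two dig outputs for the same name:
# one normal query and one with +cd (checking disabled).

# Print the RCODE from the ";; ->>HEADER<<-" line of dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = dig output without +cd, $2 = dig output with +cd
classify_validation() {
    normal=$(printf '%s\n' "$1" | dig_status)
    cd=$(printf '%s\n' "$2" | dig_status)
    case "$normal/$cd" in
        NOERROR/NOERROR)   echo "ok" ;;
        # Data is retrievable but the resolver refuses to vouch for it.
        SERVFAIL/NOERROR)  echo "validation-failure" ;;
        # Fails even with validation off: not a DNSSEC problem as such.
        SERVFAIL/SERVFAIL) echo "resolution-failure" ;;
        /*|*/)             echo "unparsed" ;;
        *)                 echo "other:$normal/$cd" ;;
    esac
}

# Live use (needs dig and network access): check_resolver NAME SERVER
check_resolver() {
    classify_validation "$(dig +dnssec "$1" "@$2")" \
                        "$(dig +dnssec +cd "$1" "@$2")"
}

# Header lines as quoted in the message (normal query, SERVFAIL).
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19288
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample of a +cd response (not captured from a real server).
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

classify_validation "$SAMPLE_NORMAL" "$SAMPLE_CD"
```

Running check_resolver against each backend address separately, as the message does, shows whether the failure follows the zone or a single resolver instance.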

